SharePoint Blogs / SharePoint University
SharePoint Blogs and SharePoint University - all in one place!
Ethan's blog » Setting Permissions Through Code
Need SharePoint Training? Attend a SharePoint Bootcamp!

Please delete cookies related to sharepointblogs.com and sharepointu.com to resolve login issues!

Setting Permissions Through Code

I seam to always get asked this question on every project. This will be a very basic post to show you how to assign permissions through the SharePoint API.

When working with permissions through the SharePoint API, there are some key objects to take note of.

  • SPUser - A actual security object in SharePoint (AD User, AD Group or Forms Based User or Group).
  • SPGroup - A SharePoint group defined through SharePoint.
  • SPRoleDefinition - A actual role (permission level) defined in SharePoint (Read, Full Control etc...)
  • SPRoleAssignment - The actual assignment between a SPUser/SPGroup and a SPRoleDefinition

Assign a User to a SharePoint Group

To assign a user to a SharePoint group we need to get the SPGroup object and add a user with the AddUser method. This method has 2 overloads, the first takes a SPUser object and the second takes some specific parameters (login name, email, name, notes). Below is the code in both formats.

// ******************** Adding a SPUser to a SharePoint Group ********************
// Create the site that contains our list
SPSite oSite = new SPSite("<<my site url>>");

// Open the web object
SPWeb oWeb = spSite.OpenWeb();

// Get the group that we want to add the user to
SPGroup oGroup = oWeb.Groups["<<group name>>"];

// Get the user that we want to add to the group
SPUser oUser = oWeb.AllUsers["domain\login"];

// Now we add the user to the groups user collection
oGroup.AddUser(oUser);

// Update the group
oGroup.Update();

// ******************** Adding a User to a SharePoint Group ********************
// Create the site that contains our list
SPSite oSite = new SPSite("<<my site url>>");

// Open the web object
SPWeb oWeb = spSite.OpenWeb();

// Get the group that we want to add the user to
SPGroup oGroup = oWeb.Groups["<<group name>>"];

// Now we add the user to the groups user collection
oGroup.AddUser("login", "email", "name", "notes");

// Update the group
oGroup.Update();

Assigning Roles (Permission Levels) to a User or SharePoint Group

To assign permission to a user (account) or a SharePoint group there are some objects that we need to look at in a certain order. The first thing we need to do is get the the security principal that we want to assign the role to (SPUser or SPGroup). The next thing we need to do it get the actual permission (role) that we want to assign (ex: Read, Full Control etc...). Then we need to create a SPRoleAssignment object and on the constructor pass it in the SPUser or SPGroup (security principal) that we want to assign the permissions to. Now we need to add the role definition to the RoleDefinitionBindings collection of the role assignment object. Then we need to add the actual role assignment to the web (site) and update the web. Below is the full code lisitng.

// Create the site that contains our list
SPSite oSite = new SPSite("<<my site url>>");

// Open the web object
SPWeb oWeb = oSite.OpenWeb();

// Get the group that we want to add the user to
SPGroup oGroup = oWeb.Groups["<<group name>>"];

// Get the role definition we want to assign ex: Full Control
SPRoleDefinition oRole = oWeb.RoleDefinitions["<< role name>>"];

// Create the role assignment object
SPRoleAssignment oRoleAssignment = new SPRoleAssignment(oGroup);

// Add the role definition to the role assignemnt.
// This will assign the specific permission to the security principal for this role assignemnt.
oRoleAssignment.RoleDefinitionBindings.Add(oRole);

// Now we need to add the role assignment to the web
oWeb.RoleAssignments.Add(oRoleAssignment);

// Now update the web
oWeb.Update();

Enjoy!!!

Posted 09-30-2007 5:13 PM by ethan

Comments

Links (9/30/2007) « Steve Pietrek’s SharePoint Stuff wrote Links (9/30/2007) &laquo; Steve Pietrek&#8217;s SharePoint Stuff
on 09-30-2007 7:30 PM

Pingback from  Links (9/30/2007) &laquo; Steve Pietrek&#8217;s SharePoint Stuff

SharePoint 2007 Link love: 10-01-2007 at Virtual Generations wrote SharePoint 2007 Link love: 10-01-2007 at Virtual Generations
on 10-01-2007 12:51 PM

Pingback from  SharePoint 2007 Link love: 10-01-2007 at  Virtual Generations

Mat Symes wrote re: Setting Permissions Through Code
on 11-06-2007 9:49 AM

Any ideas of how to obtain the role from SPGroup object? i.e. ask an SGRoup which role is bound to it EX: Full Control

Farhan Faiz wrote re: Setting Permissions Through Code
on 02-25-2008 4:04 PM

Nice article.

Any idea if one wishes to send the implicit email to the user about the access?

Regards

Farhan

Ned wrote re: Setting Permissions Through Code
on 03-05-2008 1:39 PM

Does anybody know how to change the description of an existing group?

Honzajscz wrote re: Setting Permissions Through Code
on 05-21-2008 2:29 AM

Great article. Thx

arshad wrote re: Setting Permissions Through Code
on 07-31-2008 12:00 PM

Anyone has idea. how to set site permissions from the code.

Req:-

On edit page of a list I need to set permissions for sub sites. How I can achive this do any one have idea.

Regards,

Arshad

Mo wrote re: Setting Permissions Through Code
on 09-21-2008 1:40 AM

Thanks for posting this. This helped.

SteveB wrote re: Setting Permissions Through Code
on 10-15-2008 9:15 AM

Ned asked "Does anybody know how to change the description of an existing group?"

You can do it in the UI, but the object model will not be able to query the new value or set a new value.  It seems to be a bug - despite how it looks, the group's description is not stored in the Description attribute!

Raja wrote re: Setting Permissions Through Code
on 10-21-2008 1:42 AM

Hi all,

I have added the user from Active Directory in Sharepoint People and Group using the below code:

spUser = myweb.EnsureUser(username); //string username is available in active directory  

spGroup = myweb.SiteGroups[sekGroup]; //string sekGroup is the group name in sharepoint site.

spGroup.AddUser(spUser.LoginName, spUser.Email, spUser.Name, "");

spGroup.Update();

The above code is working fine in windows authentication, user is added successfully in sharepoint people and group and the user is able to login. but the user is not able to login in form based authentication when using the same code. I am using FBA with active directory membership provider.

I also tried by modifying the above code:

spUser = myweb.EnsureUser("MyADMembershipProvider" + ":" + username); //added Active Directory membership provider with username

The Error message I am getting is:

Error: Access Denied

Current user

You are currently logged in as [username]

Sign in as a different user

I need your kind support.

Thanks in advance

Raja.

Christian Hemker wrote re: Setting Permissions Through Code
on 12-09-2008 3:49 AM

Hi,

nice work, but a little correction:

SPSite oSite = new SPSite("<<my site url>>");

SPWeb oWeb = spSite.OpenWeb();

I think it should be

SPWeb oWeb = ___sSite___.OpenWeb();

Deepu wrote re: Setting Permissions Through Code
on 03-16-2009 4:44 PM

Hi Ethan,

Thanks for your post..

Can I set permission to a Active Directory Group..

Thanks in Advance

Deepu

deepumi@gmail.com

Terry wrote re: Setting Permissions Through Code
on 04-22-2009 10:20 AM

Can someone help on this question please? I need to know what are the minimum permissions to AD required for SharePoint 2007 to import initial accounts and for incremental imports as well. We are planning a deployment of MOSS 2007 on one of our networks, and since we are a child in their domain, we aren't given full domain admin rights. We will have to work out an MOA with the parent organization.

Add a Comment

(required)  
(optional)
(required)  
Remember Me?
Need SharePoint Training? Attend a SharePoint Bootcamp!
Posts (c) their respective authors. Everything else (c) 2009 SharePoint Experts, Inc.