Friday, January 9, 2015

Demystified : Breaking the Role Inheritance of a SecurableObject with CSOM

Managing permissions is a very important aspect of SharePoint. As there are so many techniques to authenticate a user to a SharePoint application, the permissions part takes care of the authorization. There are so many articles that discuss the permissions levels, groups etc to a great extent.



In this post I'm going to discuss the following things.


  • Code snippet to break role inheritance of a Securable Object - In current example a list

  • Analyzing the code with User Interface 



   public static void AssignUniquePermissions(string ctxUrl,string listTitle){
    ClientContext ctx = new ClientContext(ctxUrl);
    List targetList = ctx.Web.Lists.GetByTitle("listTitle");
    ctx.Load(targetList);
    
    // the below line of code breaks the Permission Inheritane
    // The below piece of code is equivalent to...
    targetList.BreakRoleInheritance(true,false);

    /* PermissionKind => is an Enum type that represents
        all the permissions available */
    /* BasePermissions => is a class to which we set the Selected
        Permissions. Later we use 'BasePermissions' object in creating
        the 'RoleDefinition' */
    BasePermissions permissions = new BasePermissions();
    permissions.Set(PermissionKind.ViewListItems);
    permissions.Set(PermissionKind.AddListItems);
    permissions.Set(PermissionKind.EditListItems);
    permissions.Set(PermissionKind.DeleteListItems);


    /* Create a new role definition => Creating a Permission Level
        @ /_layouts/addrole.aspx of site collection. */
        //The below piece of code is equivalent to...
    RoleDefinitionCreationInformation roleDefInfo = new RoleDefinitionCreationInformation();
    // Permission Level Name
    roleDefInfo.Name = "ExampleEditListItems1";
    roleDefInfo.Description = "Allows a user to manage list items";
    roleDefInfo.BasePermissions = permissions;
    /* Adds RoleDefinition => Adds Permission Level
        @ /_layouts/role.aspx */
    RoleDefinition roleDef = ctx.Site.RootWeb.RoleDefinitions.Add(roleDefInfo);

    // Creating another RoleDefinition
    BasePermissions permissions2 = new BasePermissions();
    permissions2.Set(PermissionKind.ApproveItems);
    RoleDefinitionCreationInformation roleDefInfo2 = new RoleDefinitionCreationInformation();
    // Permission Level Name
    roleDefInfo2.Name = "ExampleEditListItems2";
    roleDefInfo2.Description = "Allows a user to Approve Items";
    roleDefInfo2.BasePermissions = permissions2;
    RoleDefinition roleDef2 = ctx.Site.RootWeb.RoleDefinitions.Add(roleDefInfo2);

    /* The permissions we are assigning to the User/Group
    Equivalent to 'Grant User Permissions Directly
        (in this example) by selecting multiple permission
        levels */
        // The below piece of code is equivalent To..
    RoleDefinitionBindingCollection permissionLevelsCollection = new RoleDefinitionBindingCollection(ctx);
    // Add the role to the collection.
    permissionLevelsCollection.Add(roleDef);
    permissionLevelsCollection.Add(roleDef2);

    // User user = ctx.Web.EnsureUser("Domain\\userId"); (or)
    Group group = ctx.Web.SiteGroups.GetById(12);

    /* The page that contains all the Permissions. =>
        @ _layouts/user.aspx of the corresponding securable object */
    RoleAssignmentCollection roleAssignmentCollection = targetList.RoleAssignments;
    RoleAssignment roleAssignment = roleAssignmentCollection.Add(group, permissionLevelsCollection);

    ctx.ExecuteQuery();
    Console.WriteLine("Done!!");
    Console.ReadKey();
}




targetList.BreakRoleInheritance(true,false);

This above line of code is equivalent to clicking on the 'Stop Inheriting Permissions' option in the ribbon


What is the difference between BreakRoleInheritance(true,true/false)?

This function breaks the role inheritance of the SecurableObject on which we are calling the function in both cases.

The second parameter(true/false) acts on the Child objects of the SecurableObject on which we called the function.

true: It makes the children of the current SecurableObject inherit RoleAssignments from the current SecurableObject even though they have UniqueRoleAssignments on them.

false: It allows the children of the current SecurableObject have their own RoleAssignments(UniqueRoleAssignments) if they have any.

Back To Code



Creating a RoleDefinition:

Creating a RoleDefinition is equivalent to creating a new permission level from the SharePoint UI @ 'addrole.aspx' of the root web


// Adds the permission level to the collection of permission levels at the root web levelRoleDefinition roleDef = ctx.Site.RootWeb.RoleDefinitions.Add(roleDefInfo);

Everything I mentioned in the below image happens only after executing the query.

You find this info when you click on the Permission Level created @

~siteCollectionUrl/_layouts/editrole.aspx?role=ExampleEditListItems1

createRoleDef

Back To The Code


Granting Permissions To a User Or Group:

Adding RoleDefinition Objs to RoleDefinitionBindingCollection obj is equivalent to

select the multiple permission checkboxes as shown in the below image.


    permissionLevelsCollection.Add(roleDef);    permissionLevelsCollection.Add(roleDef2);

grantPermissions 




    // if we want to grant permissions to a user    User user = ctx.Web.EnsureUser("Domain\\userId");    (or)
    // if we want to grant permissions to a Group
    // The group id '12' represents 'TestGroup1' as shown in the above image
    Group group = ctx.Web.SiteGroups.GetById(12);
    
    // This line of code grants permissions to the Group
    RoleAssignment roleAssignment = roleAssignmentCollection.Add(group, permissionLevelsCollection);
    // This line of code grants permissions to the User
    RoleAssignment roleAssignment = roleAssignmentCollection.Add(user, permissionLevelsCollection);


Original Post

by Saratchandra Peddinti via Everyone's Blog Posts - SharePoint Community
By at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)