RoleAssignments.Add PowerShell Scripting

There can be cases where you need to make changes to list permissions or list behaviour regarding security from PowerShell. One case may be where a saved site template does not contain all settings for a list, such as Item-level permission settings (found in List Settings → Advanced Settings). Another case may be a list with unique permissions.

This post contains two examples for making changes to these kinds of list settings and permissions from PowerShell. These are taken from a deployment script I created for a client.

This script will alter the Item-level Permissions for a list called “Questions” so that users can only access and edit list items they themselves created.

Furthermore, it adds Contribute permissions to the Visitors group for the list, giving the list unique permissions (breaking inheritance):

    # Alter Item-Level Permission settings and assign "Contribute" role definition to the visitors group
    # (c) 2011 Morgan de Jonge

    # Load the SharePoint cmdlets when not running in the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Specify the name of the visitors SharePoint group
    $visitorsSPGroupName = "Example Site Visitors"

    # Site collection URL (empty in the post as published)
    $spSite = Get-SPSite ""
    # We'll assume the list is in the top-level site in the site collection.
    # RootWeb is used because piping the site to Get-SPWeb returns every web in the collection.
    $spWeb = $spSite.RootWeb

    # Look up the list named "Questions"
    $questionsList = $spWeb.Lists["Questions"]

    # Set the Read access Item-level permissions setting to "Read items that were created by the user"
    $questionsList.ReadSecurity = 2
    # Set the Create and Edit access Item-level permissions to "Create items and edit items that were created by the user"
    $questionsList.WriteSecurity = 2

    # Assign the "Contribute" RoleDefinition to the site's visitors group
    $visitorsSPGroup = $spWeb.Groups[$visitorsSPGroupName]
    # $true copies the parent's current role assignments to the list when inheritance is broken
    $questionsList.BreakRoleInheritance($true)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($visitorsSPGroup)
    # Assuming this is a default site, we'll look for a role definition of the type "Contributor".
    # This way, the script will also work with SharePoint sites created in languages besides English.
    $assignment.RoleDefinitionBindings.Add(($spWeb.RoleDefinitions | Where-Object { $_.Type -eq "Contributor" }))
    $questionsList.RoleAssignments.Add($assignment)
    $questionsList.Update()

    $spWeb.Dispose()
    $spSite.Dispose()

When adding the role definition binding (line 24 in the original listing), you could also have looked up the role using $spWeb.RoleDefinitions["Contribute"], but selecting it based on type ensures it also works with SharePoint sites in different languages.

See MSDN for the possible values for a list’s ReadSecurity and WriteSecurity.

This entry was posted in Blog and tagged PowerShell, SharePoint 2010 by Morgan.

Set Permissions on Multiple Sites using PowerShell

Recently I had a request to add an Active Directory group with Contributor rights on a SharePoint Site Collection. Since many sites had broken inheritance, using the UI was not an option, so I created a small PowerShell script that enumerates all Webs and, if the inheritance is broken, adds the group with the specified Role.


  • The if statement uses $web.Url.Contains in order to modify the rights on only a subset of sites. If all Webs have to be crawled, use if ($web.HasUniquePerm -and $web.RequestAccessEnabled) instead.
  • This script modifies permissions only on webs. Lists and items with unique permissions will not be touched.

    # Load the SharePoint snap-in if it is not already loaded
    if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
    {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }

    $site = Get-SPSite -Identity "http://spdev/sites/SiteCollection"

    foreach ($web in $site.AllWebs)
    {
        # Only touch webs with broken inheritance under the selected URL prefixes
        if ($web.HasUniquePerm -and $web.RequestAccessEnabled -and
            ($web.Url.Contains("/SiteCollection/BU1") -or $web.Url.Contains("/SiteCollection/BU2")))
        {
            # Resolve the AD group and bind it to the "Contribute" role definition
            $account = $web.EnsureUser("Domain\QATeam")
            $role = $web.RoleDefinitions["Contribute"]

            $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
            $assignment.RoleDefinitionBindings.Add($role)
            $web.RoleAssignments.Add($assignment)
        }
        $web.Dispose()
    }

    $site.Dispose()
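
A dry-run check for the bulk change above, as an added example that is not part of the original post: it reports, per web, which roles the principal already holds and whether an assignment would be added, so the result can be reviewed before RoleAssignments.Add is run. `Get-RoleAssignmentPlan`, `New-SampleWeb` and `New-SampleAssignment` are hypothetical names, the sample objects are constructed stand-ins exposing the same properties the script reads from SPWeb, and the check mirrors only the script's HasUniquePerm test, not its URL or RequestAccessEnabled filters.

```powershell
# Added example: dry-run report for a bulk RoleAssignments.Add.
# Accepts any objects exposing Url, HasUniquePerm and RoleAssignments
# (Member.LoginName, RoleDefinitionBindings[].Name), as SPWeb does.
function Get-RoleAssignmentPlan {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Webs,
        [Parameter(Mandatory=$true)] [string] $LoginName,
        [Parameter(Mandatory=$true)] [string] $RoleName
    )
    foreach ($web in $Webs) {
        # Roles the principal already holds directly on this web
        # (LoginName is compared exactly as stored, case-insensitively)
        $held = @($web.RoleAssignments |
            Where-Object { $_.Member.LoginName -eq $LoginName } |
            ForEach-Object { $_.RoleDefinitionBindings } |
            ForEach-Object { $_.Name })
        if (-not $web.HasUniquePerm)       { $action = 'Skip: inherits permissions' }
        elseif ($held -contains $RoleName) { $action = 'Skip: already granted' }
        else                               { $action = 'Add' }
        New-Object PSObject -Property @{
            Url = $web.Url; Action = $action; CurrentRoles = ($held -join ', ')
        }
    }
}

# Constructed sample data standing in for SPWeb objects (not real sites)
function New-SampleWeb($Url, $Unique, $Assignments) {
    New-Object PSObject -Property @{
        Url = $Url; HasUniquePerm = $Unique; RoleAssignments = $Assignments
    }
}
function New-SampleAssignment($Login, $Roles) {
    New-Object PSObject -Property @{
        Member = (New-Object PSObject -Property @{ LoginName = $Login })
        RoleDefinitionBindings = @($Roles | ForEach-Object {
            New-Object PSObject -Property @{ Name = $_ } })
    }
}
$sample = @(
    (New-SampleWeb 'http://spdev/sites/SiteCollection/BU1' $true  @((New-SampleAssignment 'Domain\QATeam' @('Read')))),
    (New-SampleWeb 'http://spdev/sites/SiteCollection/BU2' $true  @((New-SampleAssignment 'Domain\QATeam' @('Read', 'Contribute')))),
    (New-SampleWeb 'http://spdev/sites/SiteCollection/BU3' $false @())
)
Get-RoleAssignmentPlan -Webs $sample -LoginName 'Domain\QATeam' -RoleName 'Contribute' |
    Select-Object Url, Action, CurrentRoles | Format-Table -AutoSize

# Against a farm, pass the real webs instead: -Webs @($site.AllWebs)
```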


