Tuesday, January 17, 2012

PowerShell script to modify List Item Create/Edit Permissions

Recently I came across a very interesting requirement in one of our SharePoint 2010 projects.

Requirement: Customer wanted to lock down/prevent Site wide Members/Contributors from creating, modifying/editing and deleting List Items for the first 10 days of every month.

Solution: Here are the options to meet the above requirements:

1. Write a C#.NET utility (.exe) using SP 2010 object model to Revoke and Grant List Item Permissions and schedule it using the Task Scheduler on your SharePoint farm.

2. Program against the SharePoint web service to create a utility (.exe) that Revokes/Grants List item permissions and schedule it using the Task Scheduler in your remote system.

3. Write 2 PowerShell scripts to Revoke and Grant List Item Permissions and create a batch file to call each .ps1, then schedule them using the Task Scheduler on your SharePoint farm.

We went for option 3, i.e. creating PowerShell scripts, as this is the most preferred and easiest of the solutions above. We were also allowed to copy/paste scripts to our SharePoint 2010 Server Farm, which helped, and we were able to meet the customer's requirements without any code/utility deployments in our SharePoint farm.

We will first write the script for Revoking List Item Permissions, as it needs to be scheduled on the 1st of every month:

1. Copy the PowerShell script below, modify the web URL and the $listName variable (highlighted in yellow in the original post), and save it as RevokeListIitemEditPermissions.ps1:

Add-PsSnapin "Microsoft.SharePoint.PowerShell"

## SharePoint DLL Reference
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration")

#Change the Web URL to point to the site/subsite where your List exists and the list name
$web = Get-SPWeb "http://dev-sp-2010:1000/sites/SPFix/"
$listName = "List Security"

#Check If the Web is null
if ($web -ne $null)
{
    #Get the list in this site
    $list = $web.Lists[$listName]

    if ($list -ne $null)
    {
        #Revoke Create and Edit permissions for the Current List
        #4 — Users cannot modify any list item.
        $list.WriteSecurity = 4

        #Update the list
        $list.Update()

        #Update the web
        $web.Update()

        echo "Revoked Edit Items Permissions on the list"
    }
    else
    {
        echo "List is null. Check the List Name."
    }

    #Dispose of the site object
    $web.Dispose()
}
else
{
    echo "Web is null. Check the Web URL."
}

Remove-PsSnapin "Microsoft.SharePoint.PowerShell"

2. To run the above .ps1 script automatically as a batch utility, copy and paste the code below and save it with a .bat file extension:

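rem Run from the folder that contains this batch file
cd /d %~dp0
rem -noexit and pause are left out so the scheduled task can finish unattended
powershell -file ".\RevokeListIitemEditPermissions.ps1" "%CD%"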

We will now write the Grant List Item Edit Permissions script, which grants back the List Item Create, Edit and Delete privileges for all Contributors/Members for the List. This needs to be scheduled on the 10th of every month.

3. Copy the PowerShell script below, modify the web URL and the $listName variable (highlighted in yellow in the original post), and save it as GrantListIitemEditPermissions.ps1:

Add-PsSnapin "Microsoft.SharePoint.PowerShell"

## SharePoint DLL Reference
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration")

#Change the Web URL to point to the site/subsite where your List exists and the list name
$web = Get-SPWeb "http://dev-sp-2010:1000/sites/SPFix/"
$listName = "List Security"

#Check If the Web is null
if ($web -ne $null)
{
    #Get the list in this site
    $list = $web.Lists[$listName]

    if ($list -ne $null)
    {
        #Grant Create and Edit permissions for the Current List
        #2 — Users can modify only items that they create.
        $list.WriteSecurity = 2

        #Update the list
        $list.Update()

        #Update the web
        $web.Update()

        echo "Granted Edit Items Permissions on the list"
    }
    else
    {
        echo "List is null. Check the List Name."
    }

    #Dispose of the site object
    $web.Dispose()
}
else
{
    echo "Web is null. Check the Web URL."
}

Remove-PsSnapin "Microsoft.SharePoint.PowerShell"

4. To run the above .ps1 script automatically as a batch utility, copy and paste the code below and save it with a .bat file extension:

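rem Run from the folder that contains this batch file
cd /d %~dp0
rem -noexit and pause are left out so the scheduled task can finish unattended
powershell -file ".\GrantListIitemEditPermissions.ps1" "%CD%"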

Last but not least, schedule the 2 batch files by going to the Windows Task Scheduler and creating a task for each.

You need to create 2 tasks: the first one revokes the List Item Edit permissions and triggers on the 1st of every month, and the second one grants the List Item Edit permissions and triggers on the 10th of every month. In the Actions section of the Task Scheduler, reference the batch files created above, one per task. The batch files in turn call the .ps1 scripts according to the jobs scheduled every month.
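With two monthly tasks, a single missed run leaves the list in the wrong state until the next trigger. As an added example (not part of the original post), the script below can run from one daily task instead: it derives the expected WriteSecurity value from the date, corrects the list if it has drifted, re-reads the saved value and exits non-zero on failure. The `$UnlockDay` parameter and the log file path are assumptions; the lock covers the 1st up to the grant on the 10th, as the post schedules it.

```powershell
# Added example: one daily task that enforces the lock window described in the post.
# Assumptions (not from the post): the $UnlockDay parameter and the log file path.
param(
    [string]$WebUrl   = "http://dev-sp-2010:1000/sites/SPFix/",  # URL used in the post
    [string]$ListName = "List Security",                         # list name used in the post
    [int]$UnlockDay   = 10,                                      # post grants edit back on the 10th
    [string]$LogFile  = "C:\Scripts\ListLock.log"                # assumed path
)

# WriteSecurity values from the post: 4 = no one can modify items, 2 = users modify their own items
function Get-ExpectedWriteSecurity([datetime]$Date, [int]$UnlockDay) {
    if ($Date.Day -lt $UnlockDay) { return 4 } else { return 2 }
}

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

$web = Get-SPWeb $WebUrl -ErrorAction SilentlyContinue
if ($web -eq $null) { Write-Log "FAIL web not found: $WebUrl"; exit 1 }

$exitCode = 0
try {
    $list = $web.Lists.TryGetList($ListName)
    if ($list -eq $null) { throw "list not found: $ListName" }

    $expected = Get-ExpectedWriteSecurity (Get-Date) $UnlockDay
    $before   = $list.WriteSecurity
    if ($before -ne $expected) {
        $list.WriteSecurity = $expected
        $list.Update()
    }

    # Re-read through a second SPWeb object to confirm the value that was saved
    $check = Get-SPWeb $WebUrl
    try     { $after = $check.Lists.TryGetList($ListName).WriteSecurity }
    finally { $check.Dispose() }
    if ($after -ne $expected) { throw "WriteSecurity is $after, expected $expected" }

    Write-Log "OK list='$ListName' before=$before after=$after"
}
catch   { Write-Log "FAIL $_"; $exitCode = 1 }
finally { $web.Dispose() }
exit $exitCode
```

WriteSecurity does not restrict users who hold the Manage Lists permission, so site owners can still edit items during the lock window.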

Happy Programming :)

1 comment:

  1. Good script! All your solutions include something client side, though. Why not simply write an event receiver and have it run on OnItemAdding? Or a SharePoint timer job which resets the permissions on a monthly basis. Or even a Site Workflow, given it is SP2010? I generally don't advise to use a server side script - what happens when that server has problems in a multi-server environment?

    So in short, one could also use:
    - SharePoint timer job
    - List Event Receiver
    - Site Workflow
