
Custom Security Roles

The out-of-box Contribute permission level is often too broad for business needs. Below are four custom permission levels (role definitions) with a narrower purpose. Running the PowerShell below creates any that are missing on a given web URL; permission levels live on the web that owns the role definitions, which is normally the site collection's root web. Note that, as written, all four levels include "Add and Customize Pages", a right the standard Contribute level does not grant (it belongs to Design) — remove it from the permission lists if you want a strict subset of Contribute.

Enjoy! 


 

  • NoDelete = Contribute without delete
  • AddOnly  = Contribute without delete or edit
  • EditOnly = Contribute without add or delete
  • NoEdit   = Contribute without edit

 

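# #############################################################################
# NAME:     AddCustomRoles.ps1
#
# COMMENT:  Creates four custom permission levels (SPRoleDefinition) on the
#           web at a given SharePoint URL, skipping any that already exist.
#
#           * NoDelete = Contribute without delete
#           * AddOnly  = Contribute without delete or edit
#           * EditOnly = Contribute without add or delete
#           * NoEdit   = Contribute without edit
#
#           Permission levels are stored on the web that owns the role
#           definitions (the root web, unless the target web has broken
#           role-definition inheritance). The script stops with a clear
#           message if the target web does not own its definitions instead
#           of failing inside RoleDefinitions.Add().
#
#           NOTE(security): every level below carries AddAndCustomizePages.
#           That right is not part of the out-of-box Contribute level (it is
#           granted by Design) and lets a user modify site pages, e.g. with
#           SharePoint Designer. Remove it from $commonRights if the intent
#           is strictly "Contribute minus X".
#
# REQUIRE:  Run from the SharePoint Management Shell (or with the
#           Microsoft.SharePoint.PowerShell snap-in available) as an account
#           that may manage permissions on the target web, e.g. a site
#           collection administrator.
# USAGE:    .\AddCustomRoles.ps1 http://sharepoint/sites/team
#
# #############################################################################

[CmdletBinding()]
Param(
	[Parameter(Mandatory=$True,Position=1)]
	[ValidateNotNullOrEmpty()]
	[string]$url
)

# Rights shared by all four levels: read/browse, personal views and personal
# web parts, alerts, client integration and remote APIs, plus
# AddAndCustomizePages (see the security note in the header).
$commonRights = "AddAndCustomizePages,AddDelPrivateWebParts,BrowseDirectories,BrowseUserInfo,CreateAlerts,EditMyUserInfo,ManagePersonalViews,Open,OpenItems,UpdatePersonalWebParts,UseClientIntegration,UseRemoteAPIs,ViewFormPages,ViewListItems,ViewPages,ViewVersions"

# The four levels differ only in which item rights are added on top of the
# common set. SPBasePermissions is a flags enum, so list order is irrelevant.
$roleSpecs = @(
	@{ Name = "NoDelete"; Description = "Can view, add, and update list items and documents.";
	   ItemRights = "AddListItems,EditListItems" },
	@{ Name = "AddOnly";  Description = "Can view and add items and documents.";
	   ItemRights = "AddListItems" },
	# Fix: the original EditOnly list omitted EditListItems, so the level
	# could not edit anything.
	@{ Name = "EditOnly"; Description = "Can view, and update list items and documents.";
	   ItemRights = "EditListItems" },
	@{ Name = "NoEdit";   Description = "Can add, view and delete list items and documents.";
	   ItemRights = "AddListItems,DeleteListItems,DeleteVersions" }
)

#######################################
# Creates a role definition on $Web unless one with the same name exists.
# Arguments: $Web         - SPWeb that owns its role definitions
#            $Name        - permission level name
#            $Description - permission level description
#            $Permissions - comma-separated SPBasePermissions names
# Outputs:   progress via Write-Host
#######################################
function Add-RoleDefinitionIfMissing {
	Param(
		$Web,
		[string]$Name,
		[string]$Description,
		[string]$Permissions
	)

	$existing = $Web.RoleDefinitions | Where-Object { $_.Name -eq $Name }
	if ($existing) {
		Write-Host "Found $Name" -ForegroundColor Green
		return
	}

	Write-Host "Missing $Name"
	Write-Host "Adding $Name ..."
	$role = New-Object "Microsoft.SharePoint.SPRoleDefinition"
	$role.Name = $Name
	$role.Description = $Description
	$role.BasePermissions = $Permissions
	$Web.RoleDefinitions.Add($role)
	Write-Host "OK" -ForegroundColor Green
}

# Get-SPWeb needs the SharePoint snap-in; load it when run outside the
# Management Shell.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
	Add-PSSnapin Microsoft.SharePoint.PowerShell
}

Write-Host "Opening $url ... "
# -ErrorAction Stop: the original printed "OK" even when Get-SPWeb failed
# and then dereferenced $null.
$web = Get-SPWeb $url -ErrorAction Stop
Write-Host "OK" -ForegroundColor Green

try {
	# RoleDefinitions.Add() is rejected on a web that inherits its role
	# definitions; fail fast with a message that names the fix.
	if (-not $web.HasUniqueRoleDefinitions) {
		throw "The web '$url' inherits its permission levels. Run this script against the web that owns them (normally the site collection root web), or break role-definition inheritance on this web first."
	}

	foreach ($spec in $roleSpecs) {
		Add-RoleDefinitionIfMissing -Web $web -Name $spec.Name -Description $spec.Description `
			-Permissions ($commonRights + "," + $spec.ItemRights)
	}
} finally {
	# SPWeb holds unmanaged resources; the original never released it.
	$web.Dispose()
}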
