{"id":1154,"date":"2007-03-12T08:38:00","date_gmt":"2007-03-12T13:38:00","guid":{"rendered":"http:\/\/blogs.devhorizon.com\/reza\/?p=1154"},"modified":"2012-06-30T23:55:18","modified_gmt":"2012-07-01T04:55:18","slug":"role-based-security-model-in-wss-30-part1","status":"publish","type":"post","link":"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/","title":{"rendered":"Role-based security model in WSS 3.0 – Part1"},"content":{"rendered":"

Title: The Basics<\/strong><\/p>\n

 <\/p>\n

WSS 3.0 security management is completely a\u00a0role-based model. Unlike in WSS 2.0, in WSS 3.0 user permissions are never managed directly using rights (SPRights,SPRoleCollection are all deprecated in the new version). All user and group permissions are managed through roles.<\/p>\n

 <\/p>\n

A role in WSS 3.0 can be discussed in two parts:<\/p>\n

 <\/p>\n

1) Role Definition<\/strong> (a.k.a. Permission Level): A role definition is basically a collection of rights bound to a specific user or group. Examples of role definitions are\u00a0\u201cFull Control\u201d, \u201cRead\u201d, \u201cContribute\u201d, \u201cDesign\u201d, or \u201cLimited Access\u201d.<\/strong> You can also create your own custom role definition as long as your site is using a Unique Role Definitions and not inheriting them from its parent site(site.HasUniqueRoleDefinitions==true). In most cases role definitions that come with SharePoint, OOTB , are more than enough, so the\u00a0best way would be to create the permission level at the top level and not break the inheritance,\u00a0 but if you ever need to create your own here is how to do it:<\/p>\n

 <\/p>\n

\nSPWeb site = SPContext.Current.Site.AllWebs[“Site_Name\/Subsite_Name”];
\nif (!site.HasUniqueRoleDefinitions)
\n{
\nsite.RoleDefinitions.BreakInheritance(true, true); \/\/ in order to define custom role definition site must have unique role definitions
\n}
\nSPRoleDefinition roleDefinition = new SPRoleDefinition();
\nroleDefinition.Name = “My Custom Role Def”;
\nroleDefinition.Description = “A role definition with all rights except ManagePermissions”;
\nroleDefinition.BasePermissions = SPBasePermissions.FullMask ^ SPBasePermissions.ManagePermissions;
\nsite.RoleDefinitions.Add(roleDefinition);<\/p><\/blockquote>\n

 <\/p>\n

There are couple of things to remember:<\/p>\n

 <\/p>\n

 <\/p>\n

    \n
  1. Since a role definition is scoped to the web site (SPWeb)\u00a0, it has the same meaning everywhere within the Web site, but their meanings can be different from one site to another site within the same site collection and that’s the beauty of this flexible model!<\/li>\n
  2. Breaking role definition inheritance also breaks role assignment inheritance, which results in unique permissions.<\/li>\n
  3. The entire role definition collection is read-only for a Web site that inherits role definitions. Any attempt to add or modify the role definitions fails unless the HasUniqueRoleDefinitions property contains true, which can only be changed by calling the role inheritance methods.<\/li>\n
  4. SPRoleDefinitionCollection represents all the permission levels exist in a site:<\/li>\n<\/ol>\n

     <\/p>\n

    SPRoleDefinitionCollection roleDefinitions = newweb.RoleDefinitions;<\/p>\n

     <\/p>\n

    2) Role Assignment<\/strong>: The role assignment is the only way to relate a role definition to \u00a0the users and groups in WSS 3.0. If you don’t need to come up with your own custom role definition , SPRoleAssignment Class is where you spend most of your time when working with roles in WSS 3.0.<\/p>\n

     <\/p>\n

    \nSPWeb site = SPContext.Current.Site.AllWebs[“Site_Name\/Subsite_Name”];
    \nif (!site.HasUniqueRoleAssignments)
    \n{
    \nsite.BreakRoleInheritance(false);
    \n}
    \nSPRoleDefinitionCollection roleDefinitions = site.RoleDefinitions;
    \nSPRoleAssignmentCollection roleAssignments = site.RoleAssignments;
    \nSPRoleAssignment roleAssignment = new SPRoleAssignment(“mydomain\\rezaa”,”reza@mydomain,com”,”Reza<\/a> Alirezaei”,”here is the note”);
    \nSPRoleDefinitionBindingCollection roleDefBindings = roleAssignment.RoleDefinitionBindings;
    \nroleDefBindings.Add(roleDefinitions[“Role_Definition_Name_For Example: Full Control”]);
    \nroleAssignments.Add(roleAssignment);<\/p><\/blockquote>\n

     <\/p>\n

    There are couple of things to remember:<\/p>\n

     <\/p>\n

     <\/p>\n

      \n
    1. site.BreakRoleInheritance(false); only breaks RoleAssignments and has nothing to do with permission levels (Role definitions)<\/li>\n
    2. SPRoleAssignment has another constructor which accepts an object of type\u00a0SPPricipal. It comes in handy if you want to assign a SPGroup instead of a user to a role defintion. Remeber that SPGroup is derived from SPPrincipal\u00a0 and can be implicitly casted to this type:<\/li>\n<\/ol>\n

       <\/p>\n

      SPRoleAssignment roleAssignment = new SPRoleAssignment(site.AssociatedMemberGroup); \/\/AssociatedMemberGroup returns an object of type SPGroup<\/p>\n

       <\/p>\n

      2.\u00a0 SPRoleAssignmentCollection represents all the relationships between users and groups and role definitions.<\/p>\n

       <\/p>\n

      SPRoleAssignmentCollection roleAssignments = newweb.RoleAssignments;<\/p>\n

       <\/p>\n

      In next part (Part 2<\/a>), I am going to show you how to programmatically create subsites with unique role assignments <\/span><\/p>\n

      \n","protected":false},"excerpt":{"rendered":"

      Title: The Basics   WSS 3.0 security management is completely a\u00a0role-based model. Unlike in WSS 2.0, in WSS 3.0 user permissions are never managed directly using rights (SPRights,SPRoleCollection are all deprecated in the new version). All user and group permissions are managed through roles.   A role in WSS 3.0 can be discussed in two […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[43],"tags":[],"class_list":["post-1154","post","type-post","status-publish","format-standard","hentry","category-moss-2007"],"yoast_head":"\nRole-based security model in WSS 3.0 - Part1 - Reza Alirezaei's Blog %<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Reza Alirezaei\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/2007\\\/03\\\/12\\\/role-based-security-model-in-wss-30-part1\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/2007\\\/03\\\/12\\\/role-based-security-model-in-wss-30-part1\\\/\"},\"author\":{\"name\":\"Reza Alirezaei\",\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/#\\\/schema\\\/person\\\/cdbb24d283697a65951cb4a14e474938\"},\"headline\":\"Role-based security model in WSS 3.0 – Part1\",\"datePublished\":\"2007-03-12T13:38:00+00:00\",\"dateModified\":\"2012-07-01T04:55:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/2007\\\/03\\\/12\\\/role-based-security-model-in-wss-30-part1\\\/\"},\"wordCount\":600,\"commentCount\":1,\"articleSection\":[\"MOSS 2007\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/2007\\\/03\\\/12\\\/role-based-security-model-in-wss-30-part1\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/2007\\\/03\\\/12\\\/role-based-security-model-in-wss-30-part1\\\/\",\"url\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/2007\\\/03\\\/12\\\/role-based-security-model-in-wss-30-part1\\\/\",\"name\":\"Role-based security model in WSS 3.0 - Part1 - Reza Alirezaei's Blog %\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/#website\"},\"datePublished\":\"2007-03-12T13:38:00+00:00\",\"dateModified\":\"2012-07-01T04:55:18+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/#\\\/schema\\\/person\\\/cdbb24d283697a65951cb4a14e474938\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/2007\\\/03\\\/12\\\/role-based-security-model-in-wss-30-part1\\\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/#website\",\"url\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/\",\"name\":\"Reza Alirezaei's Blog\",\"description\":\"Blogging from the field!\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/#\\\/schema\\\/person\\\/cdbb24d283697a65951cb4a14e474938\",\"name\":\"Reza Alirezaei\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3ba940d84e0ecb909e62e93df4c56daf0395c7e53c914467ab2ee73124a7d7b6?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3ba940d84e0ecb909e62e93df4c56daf0395c7e53c914467ab2ee73124a7d7b6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3ba940d84e0ecb909e62e93df4c56daf0395c7e53c914467ab2ee73124a7d7b6?s=96&d=mm&r=g\",\"caption\":\"Reza Alirezaei\"},\"url\":\"https:\\\/\\\/blogs.devhorizon.com\\\/reza\\\/author\\\/rezaa\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Role-based security model in WSS 3.0 - Part1 - Reza Alirezaei's Blog %","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/","twitter_misc":{"Written by":"Reza Alirezaei","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/#article","isPartOf":{"@id":"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/"},"author":{"name":"Reza Alirezaei","@id":"https:\/\/blogs.devhorizon.com\/reza\/#\/schema\/person\/cdbb24d283697a65951cb4a14e474938"},"headline":"Role-based security model in WSS 3.0 – Part1","datePublished":"2007-03-12T13:38:00+00:00","dateModified":"2012-07-01T04:55:18+00:00","mainEntityOfPage":{"@id":"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/"},"wordCount":600,"commentCount":1,"articleSection":["MOSS 2007"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/","url":"https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/","name":"Role-based security model in WSS 3.0 - Part1 - Reza Alirezaei's Blog %","isPartOf":{"@id":"https:\/\/blogs.devhorizon.com\/reza\/#website"},"datePublished":"2007-03-12T13:38:00+00:00","dateModified":"2012-07-01T04:55:18+00:00","author":{"@id":"https:\/\/blogs.devhorizon.com\/reza\/#\/schema\/person\/cdbb24d283697a65951cb4a14e474938"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blogs.devhorizon.com\/reza\/2007\/03\/12\/role-based-security-model-in-wss-30-part1\/"]}]},{"@type":"WebSite","@id":"https:\/\/blogs.devhorizon.com\/reza\/#website","url":"https:\/\/blogs.devhorizon.com\/reza\/","name":"Reza Alirezaei's Blog","description":"Blogging from the field!","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blogs.devhorizon.com\/reza\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blogs.devhorizon.com\/reza\/#\/schema\/person\/cdbb24d283697a65951cb4a14e474938","name":"Reza Alirezaei","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3ba940d84e0ecb909e62e93df4c56daf0395c7e53c914467ab2ee73124a7d7b6?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/3ba940d84e0ecb909e62e93df4c56daf0395c7e53c914467ab2ee73124a7d7b6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3ba940d84e0ecb909e62e93df4c56daf0395c7e53c914467ab2ee73124a7d7b6?s=96&d=mm&r=g","caption":"Reza Alirezaei"},"url":"https:\/\/blogs.devhorizon.com\/reza\/author\/rezaa\/"}]}},"_links":{"self":[{"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/posts\/1154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/comments?post=1154"}],"version-history":[{"count":2,"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/posts\/1154\/revisions"}],"predecessor-version":[{"id":1379,"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/posts\/1154\/revisions\/1379"}],"wp:attachment":[{"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/media?parent=1154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/categories?post=1154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.devhorizon.com\/reza\/wp-json\/wp\/v2\/tags?post=1154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}