Break the Roles in SharePoint Lists
By Alon Havivi
Walkthrough: Programmatically Creating SharePoint Group with Custom Permission Level for SharePoint Lists.
Introduction
When you create a SharePoint site, three SharePoint groups are provided by default
(Owners, Members and Visitors). Each group has a permission level (Full Control/Contribute/Read)
that users receive by being a member of the group. Each permission level, in turn,
has a set of list permissions associated with it; for example, the Visitors group
can View Items, Open Items, View Versions and Create Alerts on list items.
The table below shows the default groups with their predefined permission levels
on a SharePoint list:

The list permissions above apply to ALL lists and libraries in a site. This means
that members of the Visitors, Members or Owners group can view all items in every
list or library in your site. In real-world scenarios, when sharing documents
or list items with other people, you often want to allow access to a specific
list only. For example, you may have an external user who should be able to view
one particular list and have no access to the other lists or libraries in your site.
The table below shows the new custom group and permission level that we will create
in this walkthrough:

The walkthrough is split into a number of smaller pieces:
• Creating Custom Permission Level
• Creating Custom SharePoint Group
• Assign Custom Permission Level to Custom Group
Creating Custom Permission Level
The first step is to create a Custom Permission Level for a certain list. As you
can see from the table above the custom permission level contains 4 permissions:
• View Items
• Open Items
• View Versions
• View Application Pages
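    // Requires: using Microsoft.SharePoint;
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // SPContext.Current.Web keeps the current user's identity, so open a new
        // SPSite/SPWeb inside the delegate to run as the application pool account.
        using (SPSite site = new SPSite(SPContext.Current.Site.ID))
        using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
        {
            // Define the permission level with the four list permissions above.
            SPRoleDefinition customPermissionLevel = new SPRoleDefinition();
            customPermissionLevel.Name = "Read List";
            customPermissionLevel.Description = "Can only view pages, list items, and documents.";
            customPermissionLevel.BasePermissions |= SPBasePermissions.ViewListItems
                | SPBasePermissions.OpenItems
                | SPBasePermissions.ViewVersions
                | SPBasePermissions.ViewFormPages;
            // Allow the update when this code runs during a GET request.
            web.AllowUnsafeUpdates = true;
            web.RoleDefinitions.Add(customPermissionLevel);
            web.Update();
        }
    });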
Creating Custom SharePoint Group
This step is to create a custom site group for the specific Shared Documents List:
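    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // Open the web inside the delegate so that it runs elevated.
        using (SPSite site = new SPSite(SPContext.Current.Site.ID))
        using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
        {
            web.AllowUnsafeUpdates = true;
            web.SiteGroups.Add("Shared Documents List Visitors", SPContext.Current.Web.CurrentUser, SPContext.Current.Web.CurrentUser, "Members of this group can ONLY view pages, list items, and documents in Shared Documents List");
        }
    });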
Assign Custom Permission Level to Custom Group
The last step is to associate the new permission level with the group. Then, we can
add this custom group to a specific list.
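    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // Open the web inside the delegate so that it runs elevated.
        using (SPSite site = new SPSite(SPContext.Current.Site.ID))
        using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
        {
            web.AllowUnsafeUpdates = true;
            SPGroup group = web.SiteGroups["Shared Documents List Visitors"];
            SPRoleDefinition customRoleDefinition = web.RoleDefinitions["Read List"];
            // Bind the custom permission level to the custom group.
            SPRoleAssignment assignment = new SPRoleAssignment(group);
            assignment.RoleDefinitionBindings.Add(customRoleDefinition);
            // Stop inheriting from the site; 'true' copies the site's current
            // role assignments to the list before the new one is added.
            SPList list = web.Lists["Shared Documents"];
            list.BreakRoleInheritance(true);
            list.Update();
            list.RoleAssignments.Add(assignment);
            // Show the group among the site's associated groups.
            web.AssociatedGroups.Add(group);
            web.Update();
        }
    });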
Source Code
The complete code will look like the following:
    // Requires: using Microsoft.SharePoint;
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // SPContext.Current.Web keeps the current user's identity, so open a new
        // SPSite/SPWeb inside the delegate to run as the application pool account.
        using (SPSite site = new SPSite(SPContext.Current.Site.ID))
        using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
        {
            // Step 1: create the custom permission level.
            SPRoleDefinition customPermissionLevel = new SPRoleDefinition();
            customPermissionLevel.Name = "Read List";
            customPermissionLevel.Description = "Can only view pages, list items, and documents.";
            customPermissionLevel.BasePermissions |= SPBasePermissions.ViewListItems
                | SPBasePermissions.OpenItems
                | SPBasePermissions.ViewVersions
                | SPBasePermissions.ViewFormPages;
            // Allow the updates when this code runs during a GET request.
            web.AllowUnsafeUpdates = true;
            web.RoleDefinitions.Add(customPermissionLevel);
            web.Update();

            // Step 2: create the custom group, owned by the current user.
            web.SiteGroups.Add("Shared Documents List Visitors", SPContext.Current.Web.CurrentUser, SPContext.Current.Web.CurrentUser, "Members of this group can ONLY view pages, list items, and documents in Shared Documents List");

            // Step 3: bind the permission level to the group on the list only.
            SPGroup group = web.SiteGroups["Shared Documents List Visitors"];
            SPRoleDefinition customRoleDefinition = web.RoleDefinitions["Read List"];
            SPRoleAssignment assignment = new SPRoleAssignment(group);
            assignment.RoleDefinitionBindings.Add(customRoleDefinition);
            SPList list = web.Lists["Shared Documents"];
            // 'true' copies the site's current role assignments to the list.
            list.BreakRoleInheritance(true);
            list.Update();
            list.RoleAssignments.Add(assignment);
            web.AssociatedGroups.Add(group);
            web.Update();
        }
    });
Summary
As you can see, with a few lines of code we created a new group called "Shared
Documents List Visitors" associated with the "Shared Documents"
library. This group has a unique permission set: members of this group can only
view items in your Shared Documents library and not in other site lists.
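To check that the result really matches this summary, the following added example (not part of the original article) audits the role assignments after the walkthrough has run. The class name ListPermissionAudit and its method names are hypothetical, and the set of tolerated permissions is an assumption based on the four permissions listed in the walkthrough.

```csharp
using System.Collections.Generic;
using Microsoft.SharePoint;

public static class ListPermissionAudit
{
    // The four permissions of the "Read List" level, plus ViewPages and Open,
    // which the permission-level UI selects as dependencies of View Items.
    private const SPBasePermissions Allowed =
        SPBasePermissions.ViewListItems | SPBasePermissions.OpenItems |
        SPBasePermissions.ViewVersions | SPBasePermissions.ViewFormPages |
        SPBasePermissions.ViewPages | SPBasePermissions.Open;

    // Returns one finding per deviation; an empty list means the group is
    // confined to read access on the target list.
    public static List<string> Audit(SPWeb web, string listTitle, string groupName)
    {
        List<string> findings = new List<string>();
        SPList target = web.Lists[listTitle];
        if (!target.HasUniqueRoleAssignments)
            findings.Add("'" + listTitle + "' still inherits permissions from the site.");

        // On the target list the group may hold nothing outside the allowed mask.
        Check(target.RoleAssignments, groupName, Allowed, "list '" + listTitle + "'", findings);

        // On the site and on every other uniquely secured list: nothing at all.
        Check(web.RoleAssignments, groupName, SPBasePermissions.EmptyMask, "site " + web.Url, findings);
        foreach (SPList other in web.Lists)
            if (other.ID != target.ID && other.HasUniqueRoleAssignments)
                Check(other.RoleAssignments, groupName, SPBasePermissions.EmptyMask, "list '" + other.Title + "'", findings);
        return findings;
    }

    private static void Check(SPRoleAssignmentCollection assignments, string groupName,
        SPBasePermissions allowed, string scope, List<string> findings)
    {
        foreach (SPRoleAssignment assignment in assignments)
        {
            if (assignment.Member.Name != groupName) continue;
            foreach (SPRoleDefinition definition in assignment.RoleDefinitionBindings)
            {
                // Limited Access (SPRoleType.Guest) is added automatically on the parent.
                if (definition.Type == SPRoleType.Guest) continue;
                SPBasePermissions extra = definition.BasePermissions & ~allowed;
                if (extra != SPBasePermissions.EmptyMask)
                    findings.Add(groupName + " has " + extra + " via '" + definition.Name + "' on " + scope);
            }
        }
    }
}
```

Call it as ListPermissionAudit.Audit(web, "Shared Documents", "Shared Documents List Visitors"). It does not inspect folder-level or item-level unique permissions.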
Article Discussion: Break the Roles in SharePoint Lists
mohammad replied
to Alon Havivi at Friday, October 15, 2010 4:38 AM
Hi,
This was a very useful article.
I have another problem in viewing list items in a SharePoint list. I have a list that contains custom request of personnels in different organization departments. I want a custom view that each dept. manager can view only request in his/her dept. I want to use this functionality widely in our portal and I want a flexible solution.
I would be so grateful if you provide me some guidelines for this problem.
Regards