SharePoint 2010 change permissions on lists using Powershell

It might getting interesting if your customer needs functionalitiy like freeze or publish documents, whole site or webs or just special lists. If the process needs something that can stop users from being able to edit or delete items, lists or do anything in the current site. You have many options for this:

• create an application page using c#
• create a workflow
• use powershell
• use both: powershell in a workflow by using the extended custom actions for SPD

One of the basics are the scripts. Below you will find a script which iterates through the permissions and set the permissions to read (except the full control). So every user who does not have full control, will get read access to the lists. The script can also be used for a site or a web.  This powershell script can be used in a workflow, if you installed the custom actions for SPD from codeplex.

As i experienced, if you need the functionality to freeze something and also want to provide a unfreeze function, it is easier to change the permissions on list level, cause then you just can reset the breakroleinheritance foreach list. If you reset the breakroleinheritance on the site and the site is a subsite, then you get the permissions from the toplevel site. But if the subsite should have other access permissions as the top level site, you won’t be happy changing permissions on the web(subsite).

Let’s have a look at the code:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Function Change-RoleAssignments($SPElement)
{
foreach($ElementRole in $SPElement.RoleAssignments)
{
$FullControlUser = $false
$LimitedAccessUser = $true

Foreach($ElementRoleDef in $ElementRole.RoleDefinitionBindings)
{
if($ElementRoleDef.Id -eq "1073741829")
{
$FullControlUser = $true
$LimitedAccessUser = $false
}
elseif($ElementRoleDef -ne "1073741825")
{
$LimitedAccessUser = $false
}
}
if($FullControlUser -eq $false -and $LimitedAccessUser -eq $false)
{
$ElementRole.RoleDefinitionBindings.RemoveAll()
$ElementRole.RoleDefinitionBindings.Add($Read)
$ElementRole.Update()
}
}
}

$Url = "http://servername/sites/sitecollection"
$Web = Get-SPWeb $Url

#Get Contribute permission
$Read = $web.RoleDefinitions.GetById("1073741826")

Change-RoleAssignments $Web

foreach($List in $Web.Lists | ? {$_.hidden -eq $false -and $_.AllowDeletion -eq $true})
{
if($List.HasUniqueRoleAssignments)
{
Change-RoleAssignments $List
}
else
{
$List.BreakRoleInheritance($true)
Change-RoleAssignments $List
}
}

As i told you, below you will find the code / script to reset the inheritance.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$Url = "http://servername/sites/sitecollection"
$Web = Get-SPWeb $Url

$Read = $web.RoleDefinitions.GetById("1073741826")

foreach($List in $Web.Lists | ? {$_.hidden -eq $false -and $_.AllowDeletion -eq $true})
{
if($List.HasUniqueRoleAssignments)
{
$List.ResetRoleInheritance()
}
}

It’s not that complicated.

..:: I LIKE SHAREPOINT ::..