Introduction
I have a collaboration web application that is used within my Company. Within this web application we have several hundred Site Collections. All site collections use a customized set of Permission Levels that are more restrictive than the out-of-the-box Permission Levels; for example, Owners are not allowed to create Subsites, because each site collection (we call them workspaces) is meant for collaborating on a specific item (which could be a document, a topic, a project, a team, etc.).
It was noticed that the CustomOwner permission level was allowing Owners of a Site Collection (not to be confused with the Site Collection Owner) to create subsites. The template that drives newly created site collections was amended to correct this for all new site collections. However, that left us with several hundred existing site collections that still had the wrong permissions set against the permission level.
The Problem
Here's where my problem started: I was tasked with finding a way to update all of the existing site collections so that the correct permissions were assigned against the permission level. As our staff have had training on managing the permissions within their workspace, we could not simply create a new permission level and push it out as a replacement for the old one.
So to recap, I have a permission level called CustomOwner. This permission level should give the user/group assigned it ALL permissions under List Permissions, ALL permissions under Personal Permissions and a limited set of permissions under Site Permissions.
I chose PowerShell as my option for a solution on the premise of its ability to do a task multiple times with ease; however, I found this task much harder to complete than I should have. I was unaware when I started of what I would need to do, so I turned to Technet, Google, etc. for answers, and there were literally thousands of websites/blogs/posts regarding using PowerShell to amend SharePoint permissions. However, they were all referring to changing which Permission Level was used against a Group and/or Person. After much searching and trial-and-error testing I finally discovered that you could load the Role Definition for your permission level into a variable, set the Base Permissions against that Permission Level and then update it.
This left me needing to find the names of the Base Permissions and then write my script. As I had to find the information in multiple places, I put together a quick table of the Display Name of each Base Permission, its Description and the name of the actual permission (the SPBasePermissions value used in code). With this information I was able to build my script. It's worth noting at this point that you cannot use Delete or Remove to take a single base permission off a Permission Level (or if you can, I couldn't figure out how :P). Instead you assign the complete set: BasePermissions is a flags value, and assigning it replaces whatever was there, so only the Base Permissions you list remain enabled and any that were previously active but not listed are dropped. That is exactly what I was looking for, as my Owners already had Create Subsites and I wanted to remove that permission from them.
Here are the permission tables I mentioned, and below them is the PowerShell I used.
The PowerShell
$sites = Get-SPSite -Limit ALL -WebApplication http://mywebapplication.com
ForEach ($site in $sites)
{
    # The root web of the Site Collection holds its Role Definitions
    $spWeb = $site.RootWeb
    # Enter the Name of the Permission Level to Change
    $PermissionLevel = $spWeb.RoleDefinitions["CustomOwner"]
    # Enter all the permissions that Permission Level should have enabled.
    # Assigning BasePermissions replaces the whole set: anything not listed here is removed.
    $PermissionLevel.BasePermissions = "ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ViewUsageData, CreateSSCSite, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, CreateGroups, EnumeratePermissions"
    $PermissionLevel.Update()
    # Release the COM-backed SharePoint objects
    $spWeb.Dispose()
    $site.Dispose()
}
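The script above writes to every site collection it touches and will stop with an error at the first site collection where a Role Definition named CustomOwner does not exist. Before running something like it against several hundred workspaces, I would want a report first. The following is an added example (not the script from this post or anything shipped by Microsoft) that uses the same list of rights and the same assignment technique, but runs as an audit by default and only changes anything when called with -Fix. It checks specifically for ManageSubwebs, which is the SPBasePermissions value behind "Create Subsites" in the UI and is the right the post set out to remove. The web application URL, role name, CSV path and the assumption that it runs as a farm account with access to every site collection are all placeholders to adjust for your own farm.

```powershell
# Added example: audit (and optionally fix) a permission level across all
# site collections of a web application. Not the original post's script.
# Assumes the SharePoint snap-in is available and the caller has access to
# every site collection. URL, role name and report path are placeholders.
param(
    [string]$WebApplication = "http://mywebapplication.com",
    [string]$RoleName       = "CustomOwner",
    [string]$ReportPath     = ".\CustomOwner-audit.csv",
    [switch]$Fix   # without -Fix the script only reports and changes nothing
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The rights the level is supposed to hold (the same list as the post's script).
$wantedNames = @(
    "ViewListItems", "AddListItems", "EditListItems", "DeleteListItems",
    "ApproveItems", "OpenItems", "ViewVersions", "DeleteVersions",
    "CancelCheckout", "ManagePersonalViews", "ManageLists", "ViewFormPages",
    "Open", "ViewPages", "AddAndCustomizePages", "ViewUsageData",
    "CreateSSCSite", "ManagePermissions", "BrowseDirectories",
    "BrowseUserInfo", "AddDelPrivateWebParts", "UpdatePersonalWebParts",
    "UseClientIntegration", "UseRemoteAPIs", "ManageAlerts", "CreateAlerts",
    "EditMyUserInfo", "CreateGroups", "EnumeratePermissions"
)
$wanted = [Microsoft.SharePoint.SPBasePermissions]($wantedNames -join ", ")

# ManageSubwebs is the base permission behind "Create Subsites" in the UI.
# It is deliberately absent from $wanted, so the assignment below strips it.
$createSubsites = [Microsoft.SharePoint.SPBasePermissions]::ManageSubwebs

$results = @()

# Stream the site collections through the pipeline rather than collecting them
# into a variable first; this keeps memory flat over several hundred sites.
Get-SPSite -Limit ALL -WebApplication $WebApplication | ForEach-Object {
    $site = $_
    $row = New-Object PSObject -Property @{
        Url               = $site.Url
        Status            = ""
        HadCreateSubsites = $null
    }
    try {
        # Role definitions live on the root web of the site collection.
        $def = $site.RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $RoleName }
        if ($def -eq $null) {
            # Indexing RoleDefinitions by a missing name would throw and stop
            # the loop; record the gap and move on to the next site instead.
            $row.Status = "NoSuchLevel"
        }
        else {
            $row.HadCreateSubsites = (($def.BasePermissions -band $createSubsites) -ne 0)
            if ($def.BasePermissions -eq $wanted) {
                $row.Status = "AlreadyCorrect"
            }
            elseif ($Fix) {
                # Assignment replaces the whole flag set: rights not in $wanted
                # are removed, rights in $wanted are added.
                $def.BasePermissions = $wanted
                $def.Update()
                $row.Status = "Fixed"
            }
            else {
                $row.Status = "NeedsFix"
            }
        }
    }
    catch {
        $row.Status = "Error: " + $_.Exception.Message
    }
    finally {
        # Disposing the SPSite also releases its RootWeb.
        $site.Dispose()
    }
    $results += $row
}

$results | Format-Table Url, Status, HadCreateSubsites -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it once without -Fix and keep the CSV: the HadCreateSubsites column tells you which workspaces actually had the right, and NoSuchLevel rows show site collections whose CustomOwner level was renamed or deleted by their owners, which a blind loop would have crashed on. Rerunning with -Fix after the change should report every remaining row as AlreadyCorrect, which is a cheap way to confirm the fix stuck.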