Monday 22 August 2011

Permission to RIDE

When working with solutions that contain many site collections, managing security can be a bit of a pain. One technique that I like to use is to define all the permission roles within the root site collection and replicate these to the child site collections on creation (assuming you are creating them from a custom template).

Creating the permission within the root site collection.
The easiest way to define a new permission role is to copy an existing one via the UI: open the Contributor permission role and select the copy option to create your new permission role; let’s call it ‘Blog Editor’. For the new role, choose the user permissions, i.e. Read, Insert, Delete or Edit, and save the role.

Cloning the permission role
To get the ‘Blog Editor’ permission role programmatically from the root site:

    // rootWeb is the SPWeb of the root site collection (assumed to be open already).
    SPRoleDefinition role = rootWeb.RoleDefinitions["Blog Editor"];

Now let’s copy the role to the new site collection. In the case below I have chosen to elevate privileges so that the code runs as the application pool identity:

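    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // SPSite/SPWeb must be created inside the delegate to pick up the elevated context.
        using (SPSite site = new SPSite(webUrl + "/" + siteUrl))
        {
            using (SPWeb web = site.OpenWeb())
            {
                // Switches off the update safety check for this SPWeb instance only;
                // the instance is disposed as soon as the clone completes.
                web.AllowUnsafeUpdates = true;
                PermissionRoleClone(web, role.Name, role.Description, role);
            }
        }
    });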

The clone permissions routine checks whether the role already exists and, if it does not, simply adds a copy of the role from the root site with a new name and description:

    public SPRoleDefinition PermissionRoleClone(SPWeb web, String roleName, String roleDescription, SPRoleDefinition sourceRole)
    {
        SPRoleDefinition newRole = null;

        try
        {
            // Reuse the role if one with this name is already defined in the target web.
            newRole = PermissionRoleExists(web, roleName);

            if (newRole == null)
            {
                // The copy constructor carries over the source role's permissions.
                newRole = new SPRoleDefinition(sourceRole);
                newRole.Name = roleName;
                newRole.Description = roleDescription;
                web.RoleDefinitions.Add(newRole);
                web.Update();
            }
        }
        catch (Exception ex)
        {
            // logErr is assumed to be a string field of the containing class.
            // The exception is recorded, not rethrown, so callers must check for a null result.
            logErr = String.Format("PermissionRoleClone:{0}", ex.ToString());
        }

        return newRole;
    }

To find out whether the role already exists within the target site collection:

    public SPRoleDefinition PermissionRoleExists(SPWeb web, String roleName)
    {
        SPRoleDefinition matchRole = null;

        // Matches on the role name only; the permissions of an existing role are not compared.
        foreach (SPRoleDefinition role in web.RoleDefinitions)
        {
            if (role.Name == roleName)
            {
                matchRole = role;
                break;
            }
        }

        return matchRole;
    }
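
Because PermissionRoleExists matches on name only, a child site collection that already holds a 'Blog Editor' role with different permissions is left unchanged by the clone. The following is an added example, not code from the original post, that compares BasePermissions between the root role and the same-named role in each child. RoleDriftCheck, PermissionRoleDiff, ReportDrift and childSiteUrls are hypothetical names, and the code assumes it runs on a SharePoint server under an account that can read every listed site collection.

```csharp
using System;
using Microsoft.SharePoint;

public static class RoleDriftCheck
{
    // Permission bits that differ between the root role and the same-named
    // role in the target web. EmptyMask means the two are identical.
    public static SPBasePermissions PermissionRoleDiff(SPRoleDefinition sourceRole, SPWeb targetWeb)
    {
        foreach (SPRoleDefinition role in targetWeb.RoleDefinitions)
        {
            if (role.Name == sourceRole.Name)
            {
                return role.BasePermissions ^ sourceRole.BasePermissions;
            }
        }

        // No role with that name: every bit of the source role is missing.
        return sourceRole.BasePermissions;
    }

    // Reports drift for one role across a set of child site collections and
    // returns how many differ. childSiteUrls is a hypothetical list of
    // absolute site collection URLs supplied by the caller.
    public static int ReportDrift(SPRoleDefinition sourceRole, string[] childSiteUrls)
    {
        int drifted = 0;

        foreach (string url in childSiteUrls)
        {
            using (SPSite site = new SPSite(url))
            using (SPWeb web = site.OpenWeb())
            {
                SPBasePermissions diff = PermissionRoleDiff(sourceRole, web);
                if (diff != SPBasePermissions.EmptyMask)
                {
                    drifted++;
                    Console.WriteLine("{0}: '{1}' differs from root in: {2}",
                        url, sourceRole.Name, diff);
                }
            }
        }

        return drifted;
    }
}
```

The check only reads role definitions, so it does not need RunWithElevatedPrivileges or AllowUnsafeUpdates.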

Now the permission role can be assigned to your site security groups, libraries and lists; I will cover this in part 2 of this post.
