Wednesday 14 October 2015

SharePoint Permission Matrix generated by PowerShell

I found the most awesome PowerShell script which generates a csv of all the permission access within a SharePoint site. It works so well.

One of the biggest issues in SharePoint, is access. Making sure the right people have the right access to the right things, and more importantly the wrong people don't have access. But SharePoint doesn't give you a good overview of this information. This is why this script is so nice. Its shows, who has access, and where, and with what level.

Original Article from Microsoft SharePoint TechNet:
http://social.technet.microsoft.com/wiki/contents/articles/14242.sharepoint-2010-export-all-unique-permissions-from-site-collection-using-powershell.aspx

How to get it to work:

  1. Save the script as a PowerShell script, example: CreatePermissionMatrix.ps1
  2. Goto the SharePoint Server.
  3. Create a folder, example: C:\PermissionLog
  4. Copy the script in here.
  5. Open "SharePoint Management Shell", as Administrator.
  6. Run the PowerShell script, example: . C:\PermissionLog\CreatePermissionMatrix.ps1
  7. The script will then ask for the SharePoint site URL, you want to report on.
  8. The script will then ask for the location, where the csv file will be generated, example: C:\PermissionLog
  9. Script Done :)
  10. Then you can go a retrieve the csv file.
  11. It will show: Who has access, and where, and with what level

PowerShell Script:

if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
Add-PSSnapin "Microsoft.SharePoint.PowerShell" 


$properties=@{SiteUrl='';SiteTitle='';ListTitle='';ObjectType='';ObjectUrl='';ParentGroup='';GroupOwner='';MemberType='';MemberName='';MemberLoginName='';JobTitle='';Department='';RoleDefinitionBindings='';};
$Permissions=@(); 

$UserInfoList=""; 

$RootWeb=""; 

$SiteCollectionUrl = Read-Host "Enter a Site Collection Url"; 

$ExportFileDirectory = Read-Host "Enter the Directory Path to create permissions export file";
if(Test-Path $ExportFileDirectory){
$spAssgn = Start-SPAssignment;
Get-SPSite $SiteCollectionUrl -AssignmentCollection $spAssgn|Get-SPWeb -limit ALL -AssignmentCollection $spAssgn|%{
$web = $_; 



#Root Web of the Site Collection 

if($web.IsRootWeb -eq $True){ 

$RootSiteTitle = $web.Title; 

$RootWeb = $web; 

$UserInfoList = $RootWeb.GetList([string]::concat($web.Url,"/_catalogs/users"));

$siteUrl = $web.Url; 

$siteRelativeUrl = $web.ServerRelativeUrl; 

Write-Host $siteUrl -Foregroundcolor "Red"; 

$siteTitle = $web.Title; 



#Get Site Level Permissions if it's unique 

if($web.HasUniqueRoleAssignments -eq $True){ 



$web.RoleAssignments|%{ 

$RoleDefinitionBindings=@(); 



$_.RoleDefinitionBindings|%{ 

$RoleDefinitionBindings += $_.Name; 






$MemberName = $_.Member.Name; 

$MemberLoginName = $_.Member.LoginName; 

$MemberType = $_.Member.GetType().Name; 

$GroupOwner = $_.Member.Owner.Name; 



if($MemberType -eq "SPGroup"){ 



$JobTitle="NA"; 

$Department="NA"; 



$permission = New-Object -TypeName PSObject -Property $properties; 

$permission.SiteUrl =$siteUrl; 

$permission.SiteTitle = $siteTitle; 

$permission.ListTitle = "NA"; 

$permission.ObjectType = "Site"; 

$permission.ObjectUrl = $siteRelativeUrl; 

$permission.MemberType = $MemberType; 

$permission.ParentGroup = $MemberName; 

$permission.GroupOwner = $GroupOwner; 

$permission.MemberName = $MemberName; 

$permission.MemberLoginName = $MemberLoginName; 

$permission.JobTitle = $JobTitle; 

$permission.Department = $Department; 

$permission.RoleDefinitionBindings = $RoleDefinitionBindings -join ","; 





$Permissions +=$permission; 



#Expand Groups 

$web.Groups[$MemberName].Users|%{ 



$JobTitle="NA"; 

$Department="NA"; 



try{ 

$userinfo = $UserInfoList.GetItemById($_.ID); 

$JobTitle=$userinfo["JobTitle"]; 

$Department=$userinfo["Department"]; 


catch{ 




$permission = New-Object -TypeName PSObject -Property $properties; 

$permission.SiteUrl =$siteUrl; 

$permission.SiteTitle = $siteTitle; 

$permission.ListTitle = "NA"; 

$permission.ObjectType = "Site"; 

$permission.ObjectUrl = $siteRelativeUrl; 

$permission.MemberType = "SPGroupMember"; 

$permission.ParentGroup = $MemberName; 

$permission.GroupOwner = $GroupOwner; 

$permission.MemberName = $_.DisplayName; 

$permission.MemberLoginName = $_.UserLogin; 

$permission.JobTitle = $JobTitle; 

$permission.Department = $Department; 

$permission.RoleDefinitionBindings = $RoleDefinitionBindings -join ","; 



$Permissions +=$permission; 





elseif($MemberType -eq "SPUser"){ 



$JobTitle="NA"; 

$Department="NA"; 



try{ 

$userinfo = $UserInfoList.GetItemById($_.ID); 

$JobTitle=$userinfo["JobTitle"]; 

$Department=$userinfo["Department"]; 


catch{ 




$permission = New-Object -TypeName PSObject -Property $properties; 

$permission.SiteUrl =$siteUrl; 

$permission.SiteTitle = $siteTitle; 

$permission.ListTitle = "NA"; 

$permission.ObjectType = "Site"; 

$permission.MemberType = $MemberType; 

$permission.ObjectUrl = $siteRelativeUrl; 

$permission.ParentGroup = "NA"; 

$permission.GroupOwner = "NA"; 

$permission.MemberName = $MemberName; 

$permission.MemberLoginName = $MemberLoginName; 

$permission.JobTitle = $JobTitle; 

$permission.Department = $Department; 

$permission.RoleDefinitionBindings = $RoleDefinitionBindings -join ","; 



$Permissions +=$permission; 








#Get all Uniquely secured objects 

$uniqueObjects = $web.GetWebsAndListsWithUniquePermissions(); 



#Get uniquely secured Lists pertaining to the current site 

$uniqueObjects|?{$_.WebId -eq $web.Id -and $_.Type -eq "List"}|%{ 



$listUrl = ($_.Url); 

$list = $web.GetList($listUrl); 



#Exclude internal system lists and check if it has unique permissions 

if($list.Hidden -ne $True){ 



Write-Host $list.Title -Foregroundcolor "Yellow"; 

$listTitle = $list.Title; 

#Check List Permissions 



if($list.HasUniqueRoleAssignments -eq $True){ 



$list.RoleAssignments|%{ 



$RoleDefinitionBindings=""; 

$_.RoleDefinitionBindings|%{ 

$RoleDefinitionBindings += $_.Name; 




$MemberName = $_.Member.Name; 

$MemberLoginName = $_.Member.LoginName; 

$MemberType = $_.Member.GetType().Name; 

$JobTitle="NA"; 

$Department="NA"; 



if($MemberType -eq "SPUser"){ 

try{ 

$userinfo = $UserInfoList.GetItemById($_.ID); 

$JobTitle=$userinfo["JobTitle"]; 

$Department=$userinfo["Department"]; 


catch{ 





$permission = New-Object -TypeName PSObject -Property $properties; 

$permission.SiteUrl =$siteUrl; 

$permission.SiteTitle = $siteTitle; 

$permission.ListTitle = $listTitle; 

$permission.ObjectType = $list.BaseType.ToString(); 

$permission.ObjectUrl = $listUrl; 

$permission.ParentGroup = "NA"; 

$permission.GroupOwner = "NA"; 

$permission.MemberType=$MemberType; 

$permission.MemberName = $MemberName; 

$permission.MemberLoginName = $MemberLoginName; 

$permission.JobTitle = $JobTitle; 

$permission.Department = $Department; 

$permission.RoleDefinitionBindings = $RoleDefinitionBindings -join ","; 



$Permissions +=$permission; 





if($list.BaseType -eq "DocumentLibrary"){ 



#Check All Folders 

$list.Folders|%{ 

$folderUrl = $_.Url; 



if($_.HasUniqueRoleAssignments -eq $True){ 



$_.RoleAssignments|%{ 

$RoleDefinitionBindings=""; 



#Get Permission Level against the Permission 

$_.RoleDefinitionBindings|%{ 

$RoleDefinitionBindings += $_.Name; 




$MemberName = $_.Member.Name; 

$MemberLoginName = $_.Member.LoginName; 

$MemberType = $_.Member.GetType().Name; 



$JobTitle="NA"; 

$Department="NA"; 



if($MemberType -eq "SPUser"){ 

try{ 

$userinfo = $UserInfoList.GetItemById($_.ID); 

$JobTitle=$userinfo["JobTitle"]; 

$Department=$userinfo["Department"]; 


catch{ 





$permission = New-Object -TypeName PSObject -Property $properties; 

$permission.SiteUrl =$siteUrl; 

$permission.SiteTitle = $siteTitle; 

$permission.ListTitle = $listTitle; 

$permission.ObjectType = $list.BaseType.ToString(); 

$permission.ObjectUrl = $folderUrl; 

$permission.MemberType = $MemberType; 

$permission.ParentGroup = "NA"; 

$permission.GroupOwner = "NA"; 

$permission.MemberName = $MemberName; 

$permission.MemberLoginName = $MemberLoginName; 

$permission.JobTitle = $JobTitle; 

$permission.Department = $Department; 

$permission.RoleDefinitionBindings = $RoleDefinitionBindings -join ","; 



$Permissions +=$permission; 






#Check All Items 

$list.Items|%{ 



$fileUrl = $_.File.Url; 

$file=$_.File; 

if($_.HasUniqueRoleAssignments -eq $True){ 



$_.RoleAssignments|%{ 

$RoleDefinitionBindings=""; 

$_.RoleDefinitionBindings|%{ 

$RoleDefinitionBindings += $_.Name; 




$MemberName = $_.Member.Name; 

$MemberLoginName = $_.Member.LoginName; 

$MemberType = $_.Member.GetType().Name; 

$JobTitle="NA"; 

$Department="NA"; 



if($MemberType -eq "SPUser"){ 

try{ 

$userinfo = $UserInfoList.GetItemById($_.ID); 

$JobTitle=$userinfo["JobTitle"]; 

$Department=$userinfo["Department"]; 


catch{ 





$permission = New-Object -TypeName PSObject -Property $properties; 

$permission.SiteUrl =$siteUrl; 

$permission.SiteTitle = $siteTitle; 

$permission.ListTitle = $listTitle; 

$permission.ObjectType = $file.GetType().Name; 

$permission.ObjectUrl = $fileUrl; 

$permission.MemberType=$MemberType; 

$permission.MemberName = $MemberName; 

$permission.MemberLoginName = $MemberLoginName; 

$permission.JobTitle = $JobTitle; 

$permission.Department = $Department; 

$permission.RoleDefinitionBindings = $RoleDefinitionBindings -join ","; 



$Permissions +=$permission; 









if($_.IsRootWeb -ne $True){ 

$_.Dispose(); 



#Dispose root web 

$RootWeb.Dispose(); 

Stop-SPAssignment $spAssgn;
$exportFilePath = Join-Path -Path $ExportFileDirectory -ChildPath $([string]::Concat($RootSiteTitle,"-Permissions.csv"));
$Permissions|Select SiteUrl,SiteTitle,ObjectType,ObjectUrl,ListTitle,MemberName,MemberLoginName,MemberType,JobTitle,Department,ParentGroup,GroupOwner,RoleDefinitionBindings|Export-CSV -Path $exportFilePath -NoTypeInformation;
}
else{
Write-Host "Invalid directory path:" $ExportFileDirectory -ForegroundColor "Red";
}

Posted by at
Labels: , ,

3 comments:

  1. Unknown8 September 2017 at 12:16

    Thanks for sharing a blog post on Creating Permissions in SharePoint site.

    Best Regards,
    Best SharePoint 2013 Training in Hyderabad
    SharePoint 2013 Training in Hyderabad
    SharePoint 2013 Online Training in Hyderabad

    ReplyDelete
  2. Government Jobs in Rajasthan11 June 2022 at 14:14

    This is the one of the most important information for me. And I am feeling glad reading your article. The article is really excellent ?
    uok bsc 2nd year result 2021 roll number wise

    ReplyDelete
  3. Books Made Easy28 July 2023 at 20:19

    nice post .... true technical information you are posting here
    Data Analytics Courses in Surat

    ReplyDelete

Subscribe to: Post Comments (Atom)