Channel: Second Life of a Hungarian SharePoint Geek

How to Set a SharePoint Document Library to Read-Only Mode


Recently we had to archive a few document libraries on our SharePoint farm. The document libraries may have their own permission settings at the library level, at the folder level, and / or at the document level. We do not have any custom permission level defined in our sites.

We defined “archive” as this: every user who has read / write permission on an item should keep access to the item, but from now on that access has to be restricted to read permission. Users who have permission to the documents should be able to download them and work on them locally (if they wish), but are not allowed to save them back to the library.

I wrote a PowerShell script that processes the permissions, and replaces write permissions with read permissions on demand.

Note: the solution implemented in this post is a one-way street. It’s not a read-only switch you can turn on or off as you can do for example in the case of a site collection (like Set-SPSite http://YourSharePointSite -LockState ReadOnly). You won’t be able to reproduce the original permissions once you run the script.

    $url = "http://YourSharePointSite/SubSite"
    $docLibName = "Documents"

    $web = Get-SPWeb $url
    $docLib = $web.Lists[$docLibName]

    # built-in permission levels: Limited Access (Guest) and Read (Reader)
    $limitedAccess = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest)
    $readAccess = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)

    $allowedAccess = $limitedAccess.Name, $readAccess.Name

    # replaces the bindings of every role assignment that grants more than Read / Limited Access
    function Replace-Permissions($securable)
    {
      # @() collects the matching role assignments before any of them is changed
      @($securable.RoleAssignments | ? { $_.RoleDefinitionBindings | ? { $allowedAccess -notcontains $_.Name }}) | % {
        $_.RoleDefinitionBindings.RemoveAll()
        $_.RoleDefinitionBindings.Add($readAccess)
        $_.Update()
      }
    }

    # if the doc. lib. inherits the permissions and if there is any role assignment that contains an access level beyond read only
    # we should break the inheritance first, to be able to change the permissions on the library level
    # (@() makes .Count reliable when only a single role assignment matches)
    If ((-not $docLib.HasUniqueRoleAssignments) -and (@($docLib.RoleAssignments | ? { $_.RoleDefinitionBindings | ? { $allowedAccess -notcontains $_.Name }}).Count -gt 0))
    {
      $docLib.BreakRoleInheritance($true)
    }

    # set permissions on the doc. lib level
    Replace-Permissions $docLib
    # set permissions on all folders having their own role assignments
    $docLib.Folders | ? { $_.HasUniqueRoleAssignments } | % { Replace-Permissions $_ }
    # set permissions on all documents having their own role assignments
    $docLib.Items | ? { $_.HasUniqueRoleAssignments } | % { Replace-Permissions $_ }

    # release the SPWeb object
    $web.Dispose()

In the Replace-Permissions function I replace any permissions on a securable object other than Read or Limited Access (Guest) permissions with Read permissions.

Note: If you remove a Limited Access permission using the web UI, or remove the corresponding role assignment from code, you will lose the permissions set explicitly for that user anywhere in the hierarchy below that level. As described here, you can call the RemoveAll method on the RoleDefinitionBindings without such side effects. Then we can add the read permissions in place of the removed permissions.

I invoke the Replace-Permissions function once for the document library, then once for each folder and document having its own unique role assignments.
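Because the original permissions cannot be reproduced once the script has run, it is worth recording them first. The following is an added example, not part of the original script: it exports every role assignment of the library and of the folders and documents with unique permissions to a CSV file, and flags the bindings that go beyond Read / Limited Access. The function name Get-PermissionSnapshot and the report path are hypothetical, and it assumes the SharePoint Management Shell on a farm server.

```powershell
# Added example: snapshot of the role assignments, taken before Replace-Permissions runs.
# Assumptions: SharePoint Management Shell on a farm server;
# Get-PermissionSnapshot and $reportPath are hypothetical names.
$url = "http://YourSharePointSite/SubSite"
$docLibName = "Documents"
$reportPath = "C:\Temp\Documents-permissions-before.csv"   # hypothetical path

$web = Get-SPWeb $url
$docLib = $web.Lists[$docLibName]

# same "allowed" set as in the archive script: Limited Access and Read
$allowedAccess =
  $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest).Name,
  $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader).Name

# emits one row per (securable object, principal, permission level)
function Get-PermissionSnapshot($securable, $scope, $path)
{
  foreach ($ra in @($securable.RoleAssignments)) {
    foreach ($rd in @($ra.RoleDefinitionBindings)) {
      New-Object PSObject -Property @{
        Scope           = $scope
        Url             = $path
        Principal       = $ra.Member.Name
        LoginName       = $ra.Member.LoginName
        PermissionLevel = $rd.Name
        BeyondRead      = ($allowedAccess -notcontains $rd.Name)
      }
    }
  }
}

# library first, then only the folders and documents with their own role assignments
$rows = @(
  Get-PermissionSnapshot $docLib "Library" $docLib.RootFolder.ServerRelativeUrl
  $docLib.Folders | ? { $_.HasUniqueRoleAssignments } | % { Get-PermissionSnapshot $_ "Folder" $_.Url }
  $docLib.Items | ? { $_.HasUniqueRoleAssignments } | % { Get-PermissionSnapshot $_ "Document" $_.Url }
)

$rows | Select-Object Scope, Url, Principal, LoginName, PermissionLevel, BeyondRead |
  Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8

# number of bindings that grant more than Read / Limited Access
$beyondRead = @($rows | ? { $_.BeyondRead }).Count
"Bindings beyond read-only: $beyondRead"
$web.Dispose()
```

Run with a different report path after the archive script has finished, the same snapshot doubles as a check: the count of bindings beyond read-only should then be 0.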


