
@glapointe
Created May 5, 2015 17:03
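function Get-SPUserEffectivePermissions() {
    <#
    .SYNOPSIS
    Reports the role assignments that give each supplied user access to a
    SharePoint securable object.

    .DESCRIPTION
    For every entry in -users the function calls GetUserEffectivePermissionInfo
    on the securable object and emits one object per returned role assignment.
    Nothing is emitted for a user when no role assignments are returned, so an
    empty result in an access review means "no role assignment reported" for
    that login name as it was resolved here.

    .PARAMETER users
    SPUser objects, objects exposing a LoginName property, or login name
    strings. A null or empty login name raises a terminating error.

    .PARAMETER InputObject
    The SPWeb, SPList or SPListItem to evaluate. Accepted from the pipeline.

    .OUTPUTS
    PSObject with the properties Resource, "Resource Type", User, Permission
    (comma-separated permission level names) and "Granted By" (the SharePoint
    group name, the domain group login name, or "Direct Assignment").
    #>
    [CmdletBinding(DefaultParameterSetName="Farm")]
    param (
        [Parameter(Mandatory=$true, Position=0)]
        [ValidateNotNull()]
        [object[]]$users,

        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=1)]
        [ValidateNotNull()]
        [Microsoft.SharePoint.SPSecurableObject]$InputObject
    )
    begin { }
    process {
        $so = $InputObject
        if ($so -isnot [Microsoft.SharePoint.SPSecurableObject]) {
            throw "A valid SPWeb, SPList, or SPListItem must be provided."
        }

        # The resource URL and the owning web application depend only on the
        # securable object, so resolve them once instead of once per user.
        $resource = $null
        $webApp = $null
        if ($so -is [Microsoft.SharePoint.SPWeb]) {
            $resource = $so.Url
            $webApp = $so.Site.WebApplication
        } elseif ($so -is [Microsoft.SharePoint.SPList]) {
            $resource = $so.ParentWeb.Site.MakeFullUrl($so.RootFolder.ServerRelativeUrl)
            $webApp = $so.ParentWeb.Site.WebApplication
        } elseif ($so -is [Microsoft.SharePoint.SPListItem]) {
            $resource = $so.ParentList.ParentWeb.Site.MakeFullUrl($so.Url)
            $webApp = $so.ParentList.ParentWeb.Site.WebApplication
        } else {
            # Without this branch $webApp stays $null, the claims check below is
            # skipped silently and the report carries an empty Resource column.
            throw "A valid SPWeb, SPList, or SPListItem must be provided."
        }

        foreach ($user in $users) {
            # Accept either an object carrying LoginName or a plain login name.
            $loginName = $user
            if ($user -is [Microsoft.SharePoint.SPUser] -or $user -is [PSCustomObject]) {
                $loginName = $user.LoginName
            }
            # The message promises "null or empty"; an empty name would otherwise
            # be turned into a claim and looked up as if it were a real account.
            if ([string]::IsNullOrEmpty($loginName)) {
                throw "The provided user is null or empty. Specify a valid SPUser object or login name."
            }

            # On a claims web application a name without "|" is encoded as a
            # Windows claim.
            # NOTE(review): a bare login name from a non-Windows identity provider
            # would be encoded as a Windows claim here too, which presumably reports
            # on a different (or non-existent) identity; pass such names already
            # claims-encoded - confirm against the farm's providers.
            if ($webApp.UseClaimsAuthentication -and !$loginName.Contains("|")) {
                $claim = [Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::CreateUserClaim($loginName, "Windows")
                $loginName = [Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::Local.EncodeClaim($claim)
            }

            # Get the user's permission details and walk the role assignments.
            $permInfo = $so.GetUserEffectivePermissionInfo($loginName)
            $roleAssignments = $permInfo.RoleAssignments
            if ($roleAssignments.Count -gt 0) {
                foreach ($roleAssignment in $roleAssignments) {
                    $member = $roleAssignment.Member

                    # Collect the permission level names bound to this assignment.
                    $permName = @(foreach ($definition in $roleAssignment.RoleDefinitionBindings) {
                        $definition.Name
                    })

                    # Work out how the permission reached the user: through a
                    # SharePoint group, through a domain group, or directly.
                    $assignment = "Direct Assignment"
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        $assignment = $member.Name
                    } elseif ($member.IsDomainGroup -and ($member.LoginName -ne $loginName)) {
                        $assignment = $member.LoginName
                    }

                    # Emit one report row per role assignment.
                    $hash = @{
                        Resource = $resource
                        "Resource Type" = $so.GetType().Name
                        User = $loginName
                        Permission = $permName -join ", "
                        "Granted By" = $assignment
                    }
                    New-Object PSObject -Property $hash
                }
            }
        }
    }
    end {}
}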