Sunday, September 30, 2012

SharePoint 2010 Security using Object Model


1-    Permission Assignment:

Most often we want to assign an SPUser or SPGroup to an SPWeb, SPList or SPListItem. Below is a generalized method that performs this operation:

    ''' <summary>
    ''' Assigning SPUsers to any Securable Object
    ''' </summary>
    ''' <param name="web">Root SPWeb</param>
    ''' <param name="Item">SPWeb, SPList or SPListItem;
    ''' it should be Elevated to avoid any problem during update</param>
    ''' <param name="User">Any SPUser</param>
    ''' <param name="spRoleType">Enumeration of default Permission Level</param>
    ''' <remarks></remarks>
    Public Shared Sub AssignSPUserToSecuribleObjectWithUniquePermission(ByVal web As SPWeb, ByVal Item As SPSecurableObject, ByVal User As SPUser, ByVal spRoleType As SPRoleType)
        'break inheritance first so the assignment applies to this object only
        EnsureUniquePermissions(Item)
        Dim roleAssignment As New SPRoleAssignment(User)
        'look up the built-in permission level that matches the role type
        Dim roleDefinition As SPRoleDefinition = web.RoleDefinitions.GetByType(spRoleType)
        roleAssignment.RoleDefinitionBindings.Add(roleDefinition)
        Item.RoleAssignments.Add(roleAssignment)
        'update
        UpdateSecurableObject(Item)
    End Sub


Using the above method, the SPUser is granted permission on the securable object according to the given SPRoleType.

The same method can be used to assign an SPGroup by simply replacing the SPUser parameter with an SPGroup:

    ''' <summary>
    ''' Assigning SPGroup to any Securable Object
    ''' </summary>
    ''' <param name="web">Root SPWeb</param>
    ''' <param name="Item">SPWeb, SPList or SPListItem;
    ''' it should be Elevated to avoid any problem during update</param>
    ''' <param name="Group">Any SPGroup</param>
    ''' <param name="spRoleType">Enumeration of default Permission Level</param>
    ''' <remarks></remarks>
    Public Shared Sub AssignSPGroupToSecuribleObjectWithUniquePermission(ByVal web As SPWeb, ByVal Item As SPSecurableObject, ByVal Group As SPGroup, ByVal spRoleType As SPRoleType)
        'break inheritance first so the assignment applies to this object only
        EnsureUniquePermissions(Item)
        Dim roleAssignment As New SPRoleAssignment(Group)
        'look up the built-in permission level that matches the role type
        Dim roleDefinition As SPRoleDefinition = web.RoleDefinitions.GetByType(spRoleType)
        roleAssignment.RoleDefinitionBindings.Add(roleDefinition)
        Item.RoleAssignments.Add(roleAssignment)
        'update
        UpdateSecurableObject(Item)
    End Sub

2-    Breaking Inheritance:

As we know, SharePoint has a hierarchy, as shown below:



Security is inherited along each arrow; however, we can break this security inheritance by using the method below. It's important to note that Web Application scope security is assigned globally.

    ''' <summary>
    ''' Assigning Unique Permission
    ''' </summary>
    ''' <param name="item">SPWeb, SPList or SPListItem;
    ''' it should be Elevated to avoid any problem during update</param>
    ''' <remarks></remarks>
    Public Shared Sub EnsureUniquePermissions(ByVal item As SPSecurableObject)
        If Not item.HasUniqueRoleAssignments Then
            'True copies the parent's role assignments onto the object, so principals
            'that already had access through inheritance keep it; False starts empty
            item.BreakRoleInheritance(True)
            UpdateSecurableObject(item)
        End If
    End Sub

    ''' <summary>
    ''' Generalize method to update Securable Object
    ''' </summary>
    Public Shared Sub UpdateSecurableObject(ByVal item As SPSecurableObject)
        If TypeOf item Is SPWeb Then
            CType(item, SPWeb).Update()
        ElseIf TypeOf item Is SPListItem Then
            If CType(item, SPListItem).ParentList.BaseType = SPBaseType.DocumentLibrary Then
                'document library: SystemUpdate(False) saves without creating a new version
                CType(item, SPListItem).SystemUpdate(False)
            Else
                CType(item, SPListItem).Update()
            End If
        ElseIf TypeOf item Is SPList Then
            CType(item, SPList).Update()
        End If
    End Sub


This post discusses the two basic operations that are most commonly used; however, SPSecurableObject has other useful members to explore, especially the DoesUserHavePermissions method, which is good for validation.
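One way to use DoesUserHavePermissions for the validation mentioned above, as an added example that is not part of the original post: it confirms the grant took effect and lists every other principal left on the object, which matters because EnsureUniquePermissions calls BreakRoleInheritance(True). The class and method names (PermissionAudit, UserHoldsLevel, OtherPrincipals) are hypothetical, and the code assumes it runs in the same context as the methods above.

```vb
Imports System.Collections.Generic
Imports Microsoft.SharePoint

' Added example; PermissionAudit and its member names are hypothetical.
Public NotInheritable Class PermissionAudit

    ' True when the user effectively holds every right in the permission level
    ' (directly or through a group) on the given securable object.
    Public Shared Function UserHoldsLevel(ByVal web As SPWeb, _
                                          ByVal target As SPSecurableObject, _
                                          ByVal user As SPUser, _
                                          ByVal level As SPRoleType) As Boolean
        Dim mask As SPBasePermissions = web.RoleDefinitions.GetByType(level).BasePermissions
        ' The per-user overloads live on the concrete types, so dispatch on the
        ' type the same way UpdateSecurableObject does.
        If TypeOf target Is SPWeb Then
            Return CType(target, SPWeb).DoesUserHavePermissions(user.LoginName, mask)
        ElseIf TypeOf target Is SPList Then
            Return CType(target, SPList).DoesUserHavePermissions(user, mask)
        ElseIf TypeOf target Is SPListItem Then
            Return CType(target, SPListItem).DoesUserHavePermissions(user, mask)
        End If
        Throw New ArgumentException("Unsupported securable object type", "target")
    End Function

    ' Lists every principal other than the intended one that holds a role
    ' assignment on the object, with its permission levels. After
    ' BreakRoleInheritance(True) this shows what was copied from the parent.
    Public Shared Function OtherPrincipals(ByVal target As SPSecurableObject, _
                                           ByVal intended As SPPrincipal) As List(Of String)
        Dim found As New List(Of String)
        For Each ra As SPRoleAssignment In target.RoleAssignments
            If ra.Member.ID = intended.ID Then Continue For
            Dim levels As New List(Of String)
            For Each rd As SPRoleDefinition In ra.RoleDefinitionBindings
                levels.Add(rd.Name)
            Next
            found.Add(ra.Member.Name & ": " & String.Join(", ", levels.ToArray()))
        Next
        Return found
    End Function
End Class
```

If OtherPrincipals returns entries that should not have access to the object, remove those role assignments or break inheritance without copying the parent's assignments.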

1 comment:

  1. Information about sharepoint security with their Security using Object Model. I like this information very well. Thanks for sharing
