Enumerate Effective Base Permissions
I created this command because I was trying to debug an issue I was having. If you go through the central admin and remove a site permission for a web app (central admin > app management > user permissions for web applications) certain functionality that should work regardless of what setting you’ve removed no longer functions. For example – I removed “Apply Themes and Borders” for my intranet app:
I then went to site settings for one of my site collections and clicked the “Related Links Scope Settings” under Site Administration. The result is that I get an access denied error. The reason is that the code for this feature is checking whether the user's Effective Base Permissions match the FullMask permission:
“0x7fffffffffffffffL” corresponds to the SPEffectiveBasePermissions.FullMask permission. In my case my account is a site collection administrator and site owner so I should always have full control over the site but because I’ve denied the apply themes and borders permission the permissions that come back for my user are as follows:
C:\>stsadm -o gl-enumeffectivebaseperms -url "http://intranet/hr"
October 16th, 2007 - 12:10
Very cool. Just linked to this from my recent post on permissions and roles. http://blogs.msdn.com/joelo
I’ve also given support a heads up.
October 19th, 2007 - 14:17
Yep – we discovered that issue a few months back. It should be officially bugged in the PSS database
October 19th, 2007 - 14:18
Yes – we ran into this same issue a couple months ago. It is offically bugged in the PSS database.
October 25th, 2007 - 08:14
Great! I wait for the stsadm extension zip update
November 1st, 2007 - 09:00
I fixed a minor bug which resulted in the display sometimes coming back as the numerical mask rather than the actual names of the permissions.
November 7th, 2007 - 03:38
I’ve downloaded the stsadm extension zip but I haven’t found this new command. Is it normal?
November 13th, 2007 - 15:24
Sorry for not getting back to you sooner (had an issue where I wasn’t getting any comments). Normally I try to post the code before adding the post but sometimes my script that does the upload fails for one reason or another and I don’t always pay close enough attention to that. I usually detect the problem pretty quickly though so if it happens again just check back shortly and I’ll have it up there. Sorry for the confusion.
May 20th, 2009 - 08:35
I am having an issue accessing Related Links Scope and Site Collection Polices. I am using the Site Collection administration which also has full control account.
These links work fine in our other web application with client integration turned on. But this web application has client integration turned off.
When I run the -enumeffectivebaseperms on the web application I get Full Mask
When I use the -invert flag I get UseClientIntegration, FullMask
Any ideas how to resolve this?
May 26th, 2009 - 20:03
Make sure you are running at least the August Cumulative Update – there’s a fix in that update (best to install SP2 if you can).
August 4th, 2009 - 03:21
Hi Gary,
I have downloaded and installed a new wss server hotfix from here :
http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=971538
and got a message “Ambigous match found.” when i execute this command
It seems that the following part doesn’t work anymore with this hotfix …
MethodInfo getPermissions =
typeof(SPUtility).GetMethod(“GetPermissions”,
BindingFlags.NonPublic |
BindingFlags.Public |
BindingFlags.Instance |
BindingFlags.InvokeMethod |
BindingFlags.Static);
Do you have any idea to fix this ? Thanks
August 7th, 2009 - 17:18
Unfortunately they’ve changed the signature of that method so my code is breaking. I’m not currently at a point where I can deploy the update myself to fix the issue but will try to get to it when I can.
September 15th, 2009 - 05:34
Try
MethodInfo getPermissions =
typeof(SPUtility).GetMethod(“GetPermissions”,
BindingFlags.NonPublic |
BindingFlags.Public |
BindingFlags.Instance |
BindingFlags.InvokeMethod |
BindingFlags.Static,
null,
new Type[] {typeof(SPUserToken), typeof( ISecurableObject)},
null);
This happens because getPermissions() now has some overloads and you need to tell GetMethod which one you would like.
November 11th, 2010 - 12:16
Came across this post when investigating option to disable permissions for Theme and Border in SP2010.
Looks like this is fixed in SP2010. (Probably earlier too).