Enumerate Effective Base Permissions

Posted in SharePoint 2007, STSADM Commands

I created this command because I was trying to debug an issue I was having. If you go through the central admin and remove a site permission for a web app (central admin > app management > user permissions for web applications), certain functionality that should work regardless of what setting you’ve removed no longer functions. For example, I removed “Apply Themes and Borders” for my intranet app:

I then went to site settings for one of my site collections and clicked the “Related Links Scope Settings” under Site Administration. The result is that I get an access denied error. The reason is that the code for this feature is checking whether the user’s Effective Base Permissions match the FullMask permission:

“0x7fffffffffffffffL” corresponds to the SPEffectiveBasePermissions.FullMask permission. In my case, my account is a site collection administrator and site owner, so I should always have full control over the site, but because I’ve denied the apply themes and borders permission, the permissions that come back for my user are as follows:

C:\>stsadm -o gl-enumeffectivebaseperms -url "http://intranet/hr"
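The mismatch described above, as an added C# sketch that is not code from the original post or from SharePoint. BasePerms is a local stand-in enum: only the FullMask value comes from the post, the other bit positions are assumptions, and modelling the web application setting as a bitwise AND mask is also an assumption.

```csharp
using System;

// Local stand-in for the permission flags discussed in the post.
// Only FullMask's value is taken from the post; the other members and
// their bit positions are illustrative assumptions.
[Flags]
enum BasePerms : ulong
{
    EmptyMask            = 0,
    ViewPages            = 1UL << 0,
    ApplyThemeAndBorder  = 1UL << 1,
    ManageWeb            = 1UL << 2,
    UseClientIntegration = 1UL << 3,
    FullMask             = 0x7fffffffffffffffUL
}

static class Demo
{
    // Assumed model: the rights a user ends up with are the granted rights
    // limited to those the web application still allows.
    static BasePerms Effective(BasePerms granted, BasePerms webAppAllowed)
    {
        return granted & webAppAllowed;
    }

    // The kind of check the post describes: passes only on an exact FullMask.
    static bool HasFullMask(BasePerms effective)
    {
        return effective == BasePerms.FullMask;
    }

    // Narrower check: test only the rights the operation actually needs.
    static bool HasAll(BasePerms effective, BasePerms required)
    {
        return (effective & required) == required;
    }

    static void Main()
    {
        BasePerms admin = BasePerms.FullMask; // site collection administrator
        BasePerms webApp = BasePerms.FullMask & ~BasePerms.ApplyThemeAndBorder;
        BasePerms eff = Effective(admin, webApp);

        Console.WriteLine("Effective == FullMask: {0}", HasFullMask(eff));
        Console.WriteLine("Has ManageWeb: {0}", HasAll(eff, BasePerms.ManageWeb));
        // Rights missing relative to FullMask: the quickest way to see which
        // web application setting is causing the access denied error.
        Console.WriteLine("Missing: {0}", BasePerms.FullMask & ~eff);
    }
}
```

With one right removed at the web application level, the exact-match test fails for an administrator while the narrower test for ManageWeb still passes, which is the behaviour the access denied error above reflects.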

13 thoughts on “Enumerate Effective Base Permissions”

  1. Yep – we discovered that issue a few months back. It should be officially bugged in the PSS database

  2. Yes – we ran into this same issue a couple months ago. It is officially bugged in the PSS database.

  3. Sorry for not getting back to you sooner (had an issue where I wasn’t getting any comments). Normally I try to post the code before adding the post but sometimes my script that does the upload fails for one reason or another and I don’t always pay close enough attention to that. I usually detect the problem pretty quickly though so if it happens again just check back shortly and I’ll have it up there. Sorry for the confusion.

  4. I am having an issue accessing Related Links Scope and Site Collection Policies. I am using the Site Collection administration which also has full control account.

    These links work fine in our other web application with client integration turned on. But this web application has client integration turned off.

    When I run the -enumeffectivebaseperms on the web application I get Full Mask

    When I use the -invert flag I get UseClientIntegration, FullMask

    Any ideas how to resolve this?

  5. Hi Gary,

    I have downloaded and installed a new wss server hotfix from here :
    and got a message “Ambiguous match found.” when I execute this command

    It seems that the following part doesn’t work anymore with this hotfix …

    MethodInfo getPermissions =
    BindingFlags.NonPublic |
    BindingFlags.Public |
    BindingFlags.Instance |
    BindingFlags.InvokeMethod |

    Do you have any idea to fix this ? Thanks

  6. Unfortunately they’ve changed the signature of that method so my code is breaking. I’m not currently at a point where I can deploy the update myself to fix the issue but will try to get to it when I can.

  7. Try

    MethodInfo getPermissions =
    BindingFlags.NonPublic |
    BindingFlags.Public |
    BindingFlags.Instance |
    BindingFlags.InvokeMethod |
    new Type[] {typeof(SPUserToken), typeof( ISecurableObject)},

    This happens because getPermissions() now has some overloads and you need to tell GetMethod which one you would like.

  8. Came across this post when investigating option to disable permissions for Theme and Border in SP2010.

    Looks like this is fixed in SP2010. (Probably earlier too).
