One of the nice things about SharePoint 2007 is that you now have the ability to control which permissions are available for a given web application. As an administrator this is useful because you can prevent site collection administrators from handing out permissions that violate your security policies. As part of my upgrade I wanted to be able to remove some of the available permissions such as the ability to set themes and cascading style sheets for our main portal application (thus preventing users from messing with our corporate brand). You can set the available permissions via the central admin tool here: Central Administration > Application Management > User Permissions for Web Application.

Controlling these permissions programmatically is fairly straightforward as well: you set the RightsMask property of an SPWebApplication object. RightsMask is a bitmask, so you turn the flag of interest on or off using the SPBasePermissions enum. Once you’ve set the property, you call Update() on the web application.

string url = keyValues["url"];
SPWebApplication wa = SPWebApplication.Lookup(new Uri(url));

foreach (KeyValuePair<string, bool> permission in permsDict)
{
    // Skip entries that are not flagged true.
    if (!permission.Value)
        continue;

    // Clear the named SPBasePermissions flag in the web application's rights mask.
    wa.RightsMask = wa.RightsMask & ~(SPBasePermissions)Enum.Parse(typeof(SPBasePermissions), permission.Key, true);
}
// Persist the modified mask.
wa.Update();

The code above will disable a permission but to do the opposite you would simply do the following:

wa.RightsMask = wa.RightsMask | (SPBasePermissions)Enum.Parse(typeof(SPBasePermissions), permission.Key, true);

I chose to implement the enabling and disabling of permissions as separate commands to make it more explicit – it would, however, be extremely easy to merge these into one command and just take in an extra parameter to determine which action to take. The syntax of the two commands can be seen below.

gl-disableuserpermissionforwebapp

C:\>stsadm -help gl-disableuserpermissionforwebapp

stsadm -o gl-disableuserpermissionforwebapp

Disable permissions that can be used in permission levels within the web application.

Parameters:
        -url <web application>
        [-EmptyMask]
        [-ViewListItems]
        [-AddListItems]
        [-EditListItems]
        [-DeleteListItems]
        [-ApproveItems]
        [-OpenItems]
        [-ViewVersions]
        [-DeleteVersions]
        [-CancelCheckout]
        [-ManagePersonalViews]
        [-ManageLists]
        [-ViewFormPages]
        [-Open]
        [-ViewPages]
        [-AddAndCustomizePages]
        [-ApplyThemeAndBorder]
        [-ApplyStyleSheets]
        [-ViewUsageData]
        [-CreateSSCSite]
        [-ManageSubwebs]
        [-CreateGroups]
        [-ManagePermissions]
        [-BrowseDirectories]
        [-BrowseUserInfo]
        [-AddDelPrivateWebParts]
        [-UpdatePersonalWebParts]
        [-ManageWeb]
        [-UseClientIntegration]
        [-UseRemoteAPIs]
        [-ManageAlerts]
        [-CreateAlerts]
        [-EditMyUserInfo]
        [-EnumeratePermissions]
        [-FullMask]

Here’s an example of how to remove the Apply Style Sheets permission:

stsadm -o gl-disableuserpermissionforwebapp -url "http://intranet/" -ApplyStyleSheets

gl-enableuserpermissionforwebapp

C:\>stsadm -help gl-enableuserpermissionforwebapp

stsadm -o gl-enableuserpermissionforwebapp

Enable permissions that can be used in permission levels within the web application.

Parameters:
        -url <web application>
        [-EmptyMask]
        [-ViewListItems]
        [-AddListItems]
        [-EditListItems]
        [-DeleteListItems]
        [-ApproveItems]
        [-OpenItems]
        [-ViewVersions]
        [-DeleteVersions]
        [-CancelCheckout]
        [-ManagePersonalViews]
        [-ManageLists]
        [-ViewFormPages]
        [-Open]
        [-ViewPages]
        [-AddAndCustomizePages]
        [-ApplyThemeAndBorder]
        [-ApplyStyleSheets]
        [-ViewUsageData]
        [-CreateSSCSite]
        [-ManageSubwebs]
        [-CreateGroups]
        [-ManagePermissions]
        [-BrowseDirectories]
        [-BrowseUserInfo]
        [-AddDelPrivateWebParts]
        [-UpdatePersonalWebParts]
        [-ManageWeb]
        [-UseClientIntegration]
        [-UseRemoteAPIs]
        [-ManageAlerts]
        [-CreateAlerts]
        [-EditMyUserInfo]
        [-EnumeratePermissions]
        [-FullMask]

Here’s an example of how to add the Apply Style Sheets permission:

stsadm -o gl-enableuserpermissionforwebapp -url "http://intranet/" -ApplyStyleSheets
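The merge mentioned earlier, with one helper handling both enabling and disabling, as an added example that is not the author's code: DemoPermissions is a stand-in enum with constructed bit values so the block compiles without the SharePoint assemblies, and Apply is a hypothetical helper. It also refuses EmptyMask and FullMask, which the loop shown above would accept (clearing FullMask removes every permission at once, and EmptyMask changes nothing); that guard is this example's choice, not the behaviour of the commands on this page.

```csharp
using System;
using System.Collections.Generic;

// Stand-in for Microsoft.SharePoint.SPBasePermissions so this compiles without
// the SharePoint assemblies. Subset only; bit values are constructed for the example.
[Flags]
enum DemoPermissions : ulong
{
    EmptyMask = 0, ViewListItems = 1, ApplyThemeAndBorder = 2,
    ApplyStyleSheets = 4, ManageWeb = 8, FullMask = 15
}

static class RightsMaskDemo
{
    // Hypothetical helper: one code path for both enabling and disabling.
    public static DemoPermissions Apply(DemoPermissions mask, IEnumerable<string> names, bool enable)
    {
        foreach (string name in names)
        {
            DemoPermissions flag;
            // Enum.TryParse (.NET 4+) also accepts numeric strings and comma lists;
            // IsDefined rejects any result that is not a single named value.
            if (!Enum.TryParse<DemoPermissions>(name, true, out flag)
                || !Enum.IsDefined(typeof(DemoPermissions), flag))
                throw new ArgumentException("Unknown permission: " + name);
            // EmptyMask is a no-op and FullMask flips every bit at once.
            if (flag == DemoPermissions.EmptyMask || flag == DemoPermissions.FullMask)
                throw new ArgumentException("Refusing mask value: " + name);
            mask = enable ? (mask | flag) : (mask & ~flag);
        }
        return mask;
    }

    static void Main()
    {
        DemoPermissions before = DemoPermissions.FullMask;
        DemoPermissions after = Apply(before, new[] { "applystylesheets", "ApplyThemeAndBorder" }, false);
        Console.WriteLine("before:   {0}", before);
        Console.WriteLine("after:    {0}", after);
        // Bits present before but not after, i.e. what the call removed.
        Console.WriteLine("removed:  {0}", before & ~after);
        Console.WriteLine("restored: {0}", Apply(after, new[] { "ApplyStyleSheets" }, true));
        try { Apply(after, new[] { "FullMask" }, false); }
        catch (ArgumentException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Against the real API the same logic would read and write wa.RightsMask and finish with wa.Update(), as in the code shown earlier on this page.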