In SharePoint 2010 you can manage what a User or Group can do by granting permissions to a User or Group.
SharePoint 2010 ships with a couple of standard permission levels such as: Full Control, Design, Contribute and Read.
But how do you create your own Permission Levels?
Say you want a user to be able to View Pages and Lists, Download Documents and Update List Items but not Create or Delete List Items.
To achieve this, we have to create a custom Role Definition. First we return a Site using the Get-SPWeb cmdlet.
PS > $spWeb = Get-SPWeb http://SP2010
Next we store an instance of Microsoft.SharePoint.SPRoleDefinition in a variable and set the Name and Description properties.
PS > $spRoleDefinition = New-Object Microsoft.SharePoint.SPRoleDefinition
PS > $spRoleDefinition.Name = "Custom"
PS > $spRoleDefinition.Description = "Can View and Edit Items, Not Create or Delete"
Next we want to add specific BasePermissions, but before adding them let’s see what kind of permissions we can add by enumerating Microsoft.SharePoint.SPBasePermissions.
PS > [System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
Pretty cool! In our case we want to add the same Base Permissions that the “Read” permission level has, which are: ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts.
We also want to add one additional permission, EditListItems, so that the Users can edit Items (but not create or delete Items).
PS > $spRoleDefinition.BasePermissions =
>> "ViewListItems, OpenItems, ViewVersions,
>> ViewFormPages, Open, ViewPages, CreateSSCSite,
>> BrowseUserInfo, UseClientIntegration,
>> UseRemoteAPIs, CreateAlerts,EditListItems"
Finally, we add our custom Role Definition to our Site as demonstrated below:
PS > $spweb.RoleDefinitions.Add($spRoleDefinition)
Now we can simply grant Users or Groups our new Custom permission level.
When the User or Group logs into SharePoint 2010 he/she will be able to view content and update List Items, but not create or delete List Items.
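Before handing out the new level it is worth confirming that the stored mask is exactly the one listed above. The following is an added example, not part of the original post: it compares the "Custom" role against that list, refuses to continue if AddListItems or DeleteListItems slipped in, and only then binds the role to a site group. The group name "Reviewers" is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
# "Reviewers" is a hypothetical group name; replace it with an existing site group.
$spWeb   = Get-SPWeb http://SP2010
$roleDef = $spWeb.RoleDefinitions["Custom"]

# A flags enum prints as "Name1, Name2, ..."; split it into individual names.
$granted = $roleDef.BasePermissions.ToString().Split(',') | ForEach-Object { $_.Trim() }

# Allow list from the post, plus the rights this level must never carry.
$expected  = "ViewListItems", "OpenItems", "ViewVersions", "ViewFormPages", "Open",
             "ViewPages", "CreateSSCSite", "BrowseUserInfo", "UseClientIntegration",
             "UseRemoteAPIs", "CreateAlerts", "EditListItems"
$forbidden = "AddListItems", "DeleteListItems"

$extra   = @($granted  | Where-Object { $expected  -notcontains $_ })
$missing = @($expected | Where-Object { $granted   -notcontains $_ })
$denied  = @($granted  | Where-Object { $forbidden -contains $_ })

if ($extra.Count -or $missing.Count -or $denied.Count) {
    Write-Warning "Role 'Custom' differs from the intended mask."
    Write-Warning "Extra: $extra | Missing: $missing | Forbidden: $denied"
}
else {
    # Bind the verified permission level to the group on this site.
    $group      = $spWeb.SiteGroups["Reviewers"]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($roleDef)
    $spWeb.RoleAssignments.Add($assignment)

    # Effective rights are the union of every level bound to the principal,
    # so list them all: a leftover Contribute binding would restore Create/Delete.
    $spWeb.RoleAssignments |
        Where-Object { $_.Member.ID -eq $group.ID } |
        ForEach-Object { $_.RoleDefinitionBindings | Select-Object Name, BasePermissions }
}
$spWeb.Dispose()
```

The final listing matters because a user's effective permissions combine every level bound to them directly and through their groups, so the restriction only holds when no broader level is also assigned.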