public static ModelNode AddBreakRoleInheritance(this ModelNode model, BreakRoleInheritanceDefinition definition, Action <ModelNode> action)
 {
     // Adds a BreakRoleInheritance definition node under 'model'; 'action' (may be null)
     // configures the children of that node, which is where access is re-granted after
     // inheritance has been broken (e.g. security group links).
     // Returns whatever AddDefinitionNode returns (presumably the host node, for chaining — confirm).
     var hostNode = model.AddDefinitionNode(definition, action);

     return hostNode;
 }
        private void ProcessRoleInheritance(object modelHost, SPSecurableObject securableObject, BreakRoleInheritanceDefinition breakRoleInheritanceModel)
        {
            // Applies a BreakRoleInheritanceDefinition to an SSOM securable object (web, list, item):
            // breaks inheritance while the object still inherits, optionally strips every role
            // assignment (ForceClearSubscopes), and raises OnProvisioning/OnProvisioned around the work.
            //
            // modelHost:                 opaque host forwarded to the model events.
            // securableObject:           the SPSecurableObject whose permissions are changed.
            // breakRoleInheritanceModel: definition driving the change.
            var copyRoleAssignments = breakRoleInheritanceModel.CopyRoleAssignments;
            var clearSubscopes      = breakRoleInheritanceModel.ClearSubscopes;

            InvokeOnModelEvent(this, new ModelEventArgs
            {
                EventType        = ModelEventType.OnProvisioning,
                CurrentModelNode = null,
                Model            = null,
                ModelHost        = modelHost,
                Object           = securableObject,
                ObjectType       = typeof(SPSecurableObject),
                ObjectDefinition = breakRoleInheritanceModel
            });

            // Objects that already have unique permissions are left as they are;
            // inheritance is only broken once.
            if (securableObject.HasUniqueRoleAssignments == false)
            {
                TraceService.VerboseFormat((int)LogEventId.ModelProvisionCoreCall,
                                           "HasUniqueRoleAssignments is FALSE. Breaking role inheritance with CopyRoleAssignments: [{0}] and ClearSubscopes: [{1}]",
                                           new object[] { copyRoleAssignments, clearSubscopes });

                securableObject.BreakRoleInheritance(copyRoleAssignments, clearSubscopes);
            }

            // ForceClearSubscopes removes every role assignment on the object. Nothing in
            // this handler grants access back; that is expected to come from the child
            // nodes (security group links) provisioned afterwards.
            if (breakRoleInheritanceModel.ForceClearSubscopes)
            {
                TraceService.Verbose((int)LogEventId.ModelProvisionCoreCall, "ForceClearSubscopes is TRUE. Removing all role assignments.");

                var assignments = securableObject.RoleAssignments;

                while (assignments.Count > 0)
                {
                    assignments.Remove(0);
                }
            }

            InvokeOnModelEvent(this, new ModelEventArgs
            {
                EventType        = ModelEventType.OnProvisioned,
                CurrentModelNode = null,
                Model            = null,
                ModelHost        = modelHost,
                Object           = securableObject,
                ObjectType       = typeof(SPSecurableObject),
                ObjectDefinition = breakRoleInheritanceModel
            });
        }
        public void CanDeploySimpleBreakRoleInheritance_OnWeb()
        {
            // Sample: a sub web that stops inheriting permissions from its parent and is
            // then secured with two site groups (contributors and readers).
            var privateWeb = new WebDefinition
            {
                Title       = "Private project",
                Url         = "private-project",
                WebTemplate = BuiltInWebTemplates.Collaboration.TeamSite
            };

            // The parent's role assignments are not copied; access is granted explicitly
            // through the group links below.
            var breakInheritance = new BreakRoleInheritanceDefinition
            {
                CopyRoleAssignments = false
            };

            var membersGroup = new SecurityGroupDefinition
            {
                Name = "Private Project Group Members"
            };
            var viewersGroup = new SecurityGroupDefinition
            {
                Name = "Private Project Group Viewers"
            };

            // Role links are keyed by SecurityRoleType here; SecurityRoleName works as well
            // (see BuiltInSecurityRoleTypes / BuiltInSecurityRoleNames).
            var contributorRole = new SecurityRoleLinkDefinition
            {
                SecurityRoleType = BuiltInSecurityRoleTypes.Contributor
            };
            var readerRole = new SecurityRoleLinkDefinition
            {
                SecurityRoleType = BuiltInSecurityRoleTypes.Reader
            };

            // The groups are added through a site model ...
            var siteModel = SPMeta2Model.NewSiteModel(site =>
            {
                site.AddSecurityGroup(membersGroup);
                site.AddSecurityGroup(viewersGroup);
            });

            // ... the web, the inheritance break and the group links through a web model.
            var webModel = SPMeta2Model.NewWebModel(web =>
            {
                web.AddWeb(privateWeb, projectWeb =>
                {
                    // 'securedWeb' is the same web, positioned after inheritance was broken.
                    projectWeb.AddBreakRoleInheritance(breakInheritance, securedWeb =>
                    {
                        securedWeb.AddSecurityGroupLink(membersGroup, link => link.AddSecurityRoleLink(contributorRole));
                        securedWeb.AddSecurityGroupLink(viewersGroup, link => link.AddSecurityRoleLink(readerRole));
                    });
                });
            });

            // Site model first, so the groups exist before the web model links to them.
            DeployModel(siteModel);
            DeployModel(webModel);
        }
 public static ModelNode AddBreakRoleInheritance(this ModelNode model, BreakRoleInheritanceDefinition definition)
 {
     // Convenience overload: adds the definition node without configuring its children.
     Action <ModelNode> noChildren = null;

     return model.AddBreakRoleInheritance(definition, noChildren);
 }
        public void CanDeploySimpleBreakRoleInheritance_OnList()
        {
            // Sample: a list that stops inheriting permissions from its web and is then
            // secured with two site groups (contributors and readers).
            var privateList = new ListDefinition
            {
                Title        = "Private records",
                TemplateType = BuiltInListTemplateTypeId.GenericList,
                CustomUrl    = "lists/private-records",
            };

            // The web's role assignments are not copied; access is granted explicitly
            // through the group links below.
            var breakInheritance = new BreakRoleInheritanceDefinition
            {
                CopyRoleAssignments = false
            };

            var membersGroup = new SecurityGroupDefinition
            {
                Name = "Private Project Group Members"
            };
            var viewersGroup = new SecurityGroupDefinition
            {
                Name = "Private Project Group Viewers"
            };

            // Role links are keyed by SecurityRoleType here; SecurityRoleName works as well
            // (see BuiltInSecurityRoleTypes / BuiltInSecurityRoleNames).
            var contributorRole = new SecurityRoleLinkDefinition
            {
                SecurityRoleType = BuiltInSecurityRoleTypes.Contributor
            };
            var readerRole = new SecurityRoleLinkDefinition
            {
                SecurityRoleType = BuiltInSecurityRoleTypes.Reader
            };

            // The groups are added through a site model ...
            var siteModel = SPMeta2Model.NewSiteModel(site =>
            {
                site.AddSecurityGroup(membersGroup);
                site.AddSecurityGroup(viewersGroup);
            });

            // ... the list, the inheritance break and the group links through a web model.
            var webModel = SPMeta2Model.NewWebModel(web =>
            {
                web.AddList(privateList, recordsList =>
                {
                    // 'securedList' is the same list, positioned after inheritance was broken.
                    recordsList.AddBreakRoleInheritance(breakInheritance, securedList =>
                    {
                        securedList.AddSecurityGroupLink(membersGroup, link => link.AddSecurityRoleLink(contributorRole));
                        securedList.AddSecurityGroupLink(viewersGroup, link => link.AddSecurityRoleLink(readerRole));
                    });
                });
            });

            // Site model first, so the groups exist before the web model links to them.
            DeployModel(siteModel);
            DeployModel(webModel);
        }
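        private void ProcessRoleInheritance(object modelHost, SecurableObject securableObject, BreakRoleInheritanceDefinition breakRoleInheritanceModel)
        {
            // CSOM counterpart of the SSOM handler: breaks role inheritance on 'securableObject'
            // (web, list or item) while it still inherits, optionally deletes every role
            // assignment (ForceClearSubscopes), and raises OnProvisioning/OnProvisioned around
            // the work. Each server round trip goes through context.ExecuteQueryWithTrace().
            //
            // modelHost:                 opaque host forwarded to the model events.
            // securableObject:           client object whose permissions are changed.
            // breakRoleInheritanceModel: definition driving the change.
            var context = securableObject.Context;

            InvokeOnModelEvent(this, new ModelEventArgs
            {
                CurrentModelNode = null,
                Model            = null,
                EventType        = ModelEventType.OnProvisioning,
                Object           = securableObject,
                ObjectType       = typeof(SecurableObject),
                ObjectDefinition = breakRoleInheritanceModel,
                ModelHost        = modelHost
            });

            // HasUniqueRoleAssignments is only fetched when the caller has not loaded it yet.
            if (!securableObject.IsObjectPropertyInstantiated("HasUniqueRoleAssignments"))
            {
                context.Load(securableObject, s => s.HasUniqueRoleAssignments);
                context.ExecuteQueryWithTrace();
            }

            // Objects that already have unique permissions are left as they are;
            // inheritance is only broken once.
            if (!securableObject.HasUniqueRoleAssignments)
            {
                TraceService.VerboseFormat((int)LogEventId.ModelProvisionCoreCall,
                                           "HasUniqueRoleAssignments is FALSE. Breaking role inheritance with CopyRoleAssignments: [{0}] and ClearSubscopes: [{1}]",
                                           new object[]
                {
                    breakRoleInheritanceModel.CopyRoleAssignments,
                    breakRoleInheritanceModel.ClearSubscopes
                });

                securableObject.BreakRoleInheritance(breakRoleInheritanceModel.CopyRoleAssignments, breakRoleInheritanceModel.ClearSubscopes);
                context.ExecuteQueryWithTrace();
            }

            // ForceClearSubscopes removes every role assignment on the object. Nothing in
            // this handler grants access back; that is expected to come from the child
            // nodes (security group links) provisioned afterwards.
            if (breakRoleInheritanceModel.ForceClearSubscopes)
            {
                TraceService.Verbose((int)LogEventId.ModelProvisionCoreCall, "ForceClearSubscopes is TRUE. Removing all role assignments.");

                context.Load(securableObject.RoleAssignments);
                context.ExecuteQueryWithTrace();

                // Walk the collection backwards so termination does not depend on whether
                // DeleteObject() also drops the item from the client-side collection.
                for (var i = securableObject.RoleAssignments.Count - 1; i >= 0; i--)
                {
                    securableObject.RoleAssignments[i].DeleteObject();
                }

                // DeleteObject() only queues the deletions on the context. Without this round
                // trip the assignments are still in place when OnProvisioned fires, and stay
                // in place until some later, unrelated ExecuteQuery happens to flush them.
                context.ExecuteQueryWithTrace();
            }

            InvokeOnModelEvent(this, new ModelEventArgs
            {
                CurrentModelNode = null,
                Model            = null,
                EventType        = ModelEventType.OnProvisioned,
                Object           = securableObject,
                ObjectType       = typeof(SecurableObject),
                ObjectDefinition = breakRoleInheritanceModel,
                ModelHost        = modelHost
            });
        }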
 public static TModelNode AddBreakRoleInheritance <TModelNode>(this TModelNode model, BreakRoleInheritanceDefinition definition,
                                                               Action <TModelNode> action)
     where TModelNode : ModelNode, ISecurableObjectHostModelNode, new()
 {
     // Typed variant: only nodes that host a securable object (ISecurableObjectHostModelNode)
     // accept a break-inheritance definition, so attaching it to a node that has no
     // permissions to break is rejected at compile time rather than at deployment.
     // 'action' (may be null) configures the children of the new node.
     var typedResult = model.AddTypedDefinitionNode(definition, action);

     return typedResult;
 }
 public static TModelNode AddBreakRoleInheritance <TModelNode>(this TModelNode model, BreakRoleInheritanceDefinition definition)
     where TModelNode : ModelNode, ISecurableObjectHostModelNode, new()
 {
     // Convenience overload: same as the three-argument form, with no child configuration.
     Action <TModelNode> noChildren = null;

     return model.AddBreakRoleInheritance(definition, noChildren);
 }
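        private static void CreateOrUpdateSubSite(SPSite spSite, string siteName, int itemId, SPFieldUserValue director, SPFieldUserValueCollection members)
        {
            // Provisions (or re-provisions) a team sub site for a list item with its own
            // permissions: three site groups (owners/members/visitors, owned by 'director')
            // are linked to the Administrator/Contributor/Reader roles after the web's role
            // inheritance is broken. Afterwards 'director' is added to the owners group and
            // every resolvable entry of 'members' to the members group.
            //
            // spSite:   site collection to provision into (the web is created under its root web).
            // siteName: display title of the web; also the prefix of the three group names.
            // itemId:   list item id, used to build the web URL segment "user-web-<id>".
            // director: owner of the groups; becomes an administrator of the web.
            // members:  users to add to the members group; may be null or empty.
            // Throws ArgumentNullException when spSite or director is null.
            if (spSite == null)
            {
                throw new ArgumentNullException("spSite");
            }
            if (director == null)
            {
                throw new ArgumentNullException("director");
            }

            const string securityGroupNameFormat = "{0} - {1}";
            string       siteUrl = "user-web-" + itemId;

            // Group names are built once and reused for both provisioning and the later
            // lookups, so the two cannot drift apart.
            string ownersGroupName   = string.Format(securityGroupNameFormat, siteName, Constants.SecurityGroups.OfficeOwners);
            string membersGroupName  = string.Format(securityGroupNameFormat, siteName, Constants.SecurityGroups.OfficeMembers);
            string visitorsGroupName = string.Format(securityGroupNameFormat, siteName, Constants.SecurityGroups.OfficeVisitors);

            var newWebDef = new WebDefinition
            {
                Title       = siteName,
                Description = "",
                Url         = siteUrl,
                WebTemplate = BuiltInWebTemplates.Collaboration.TeamSite
            };

            // Parent permissions are not copied; the web only gets the three group links below.
            var newWebBreakRoleInheritance = new BreakRoleInheritanceDefinition
            {
                CopyRoleAssignments = false
            };

            var ownersGroup = new SecurityGroupDefinition
            {
                Name  = ownersGroupName,
                Owner = director.LoginName
            };
            var membersGroup = new SecurityGroupDefinition
            {
                Name  = membersGroupName,
                Owner = director.LoginName
            };
            var visitorsGroup = new SecurityGroupDefinition
            {
                Name  = visitorsGroupName,
                Owner = director.LoginName
            };

            // site model with the groups
            var siteModel = SPMeta2Model.NewSiteModel(site =>
            {
                site.AddSecurityGroup(ownersGroup);
                site.AddSecurityGroup(membersGroup);
                site.AddSecurityGroup(visitorsGroup);
            });

            // web model: the web, the inheritance break and the group/role links
            var webModel = SPMeta2Model.NewWebModel(web =>
            {
                web.AddWeb(newWebDef, publicProjectWeb =>
                {
                    publicProjectWeb.AddBreakRoleInheritance(newWebBreakRoleInheritance, newResetWeb =>
                    {
                        // owners: full control
                        newResetWeb.AddSecurityGroupLink(ownersGroup, group =>
                        {
                            group.AddSecurityRoleLink(new SecurityRoleLinkDefinition
                            {
                                SecurityRoleType = BuiltInSecurityRoleTypes.Administrator
                            });
                        });
                        // members: contribute
                        newResetWeb.AddSecurityGroupLink(membersGroup, group =>
                        {
                            group.AddSecurityRoleLink(new SecurityRoleLinkDefinition
                            {
                                SecurityRoleType = BuiltInSecurityRoleTypes.Contributor
                            });
                        });
                        // visitors: read
                        newResetWeb.AddSecurityGroupLink(visitorsGroup, group =>
                        {
                            group.AddSecurityRoleLink(new SecurityRoleLinkDefinition
                            {
                                SecurityRoleType = BuiltInSecurityRoleTypes.Reader
                            });
                        });
                    });
                });
            });

            var ssomProvisionService = new SSOMProvisionService();

            ssomProvisionService.DeploySiteModel(spSite, siteModel);
            ssomProvisionService.DeployWebModel(spSite.RootWeb, webModel);

            // SPWeb instances obtained from AllWebs are owned by the caller and must be disposed.
            using (SPWeb existWeb = FindWebByUrlSegment(spSite, siteUrl))
            {
                if (existWeb == null)
                {
                    return;
                }

                // add the director to the owners group
                SPGroup spOwnerGroup = FindSiteGroup(existWeb, ownersGroupName);

                if (spOwnerGroup != null && director.User != null)
                {
                    spOwnerGroup.AddUser(director.User);
                }

                // add users to the members group
                SPGroup spMembersGroup = FindSiteGroup(existWeb, membersGroupName);

                if (spMembersGroup != null && members != null)
                {
                    foreach (SPFieldUserValue member in members)
                    {
                        // entries that do not resolve to a user (User == null) are skipped
                        if (member != null && member.User != null)
                        {
                            spMembersGroup.AddUser(member.User);
                        }
                    }
                }
            }
        }

        // Returns the first web in 'spSite' whose URL ends with the path segment 'urlSegment',
        // or null. Matching on the last segment (rather than Contains) keeps "user-web-1" from
        // also matching "user-web-10", which previously made SingleOrDefault throw once more
        // than nine such webs existed. Every non-matching SPWeb enumerated here is disposed;
        // the returned one belongs to the caller.
        private static SPWeb FindWebByUrlSegment(SPSite spSite, string urlSegment)
        {
            SPWeb  match  = null;
            string suffix = "/" + urlSegment;

            foreach (SPWeb web in spSite.AllWebs)
            {
                if (match == null && web.Url.TrimEnd('/').EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
                {
                    match = web;
                }
                else
                {
                    web.Dispose();
                }
            }

            return match;
        }

        // Returns the site group named 'groupName' visible from 'web', or null when absent.
        private static SPGroup FindSiteGroup(SPWeb web, string groupName)
        {
            return web.SiteGroups.Cast <SPGroup>().FirstOrDefault(siteGroup => siteGroup.Name == groupName);
        }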