Friday, October 17, 2014

How to manage custom policy roles for SharePoint Web Application through Powershell?

We have identified an interesting configuration that might be done by previous SharePoint administrator. There are several custom policy roles created and assigned to many groups on MySites web application as in the screenshot.


Since this will grant permission for everyone who could view other people’s mysite, we have concern that we could need to manage the policy roles creation and policy roles assignment.  Here are some powershell scripts for you o help on the following use cases.
  1. Add new custom policy roles
  2. Add users/groups and bind to the custom policy roles
  3. Display custom policy role details
  4. Monitor any user/group blind to any custom policy role
  5. Monitor any custom policy role created

#**************************************************************************************
# References and Snapins
#**************************************************************************************
$snapin = Get-PSSnapin | Where-Object {$_.Name -eq 'Microsoft.SharePoint.Powershell'}
if ($snap -eq $null) {
Add-PSSnapin Microsoft.SharePoint.Powershell
}
#**************************************************************************************

function AddPolicyRoleBuildUser ($rootsite, $PolicyRole, $user)
{
    # Add Policy roles and bind users
    #$webApp = Get-SPWebApplication -Identity "http://spsbx15:300/"
    $rootsite
    $PolicyRole
    $user
    $webApp = Get-SPWebApplication -Identity $rootsite
    $webApp

    # add the new policy role
    $policyRoles = $webApp.PolicyRoles
    $policyRoles
   
    $policyRole = $policyRoles.Add($PolicyRole, "Permissions required for user to create mysites")
    $policyRole.GrantRightsMask="Open, ViewPages, ManageSubwebs, BrowseUserInfo"

    # add the user
    $policyCollection = $webApp.Policies
    #$policyCollection
    #$policy = $policyCollection.Add("c:0(.s|true","Everyone")
    $policy = $policyCollection.Add("c:0(.s|true",$user)

    # bind the policyrole to the user
    $policy.PolicyRoleBindings.Add($policyRole);
    $webApp.Update()
}

function DeletePolicyRole([string]$rootsite, [string]$PolicyRole)
{
    # Delete role
    $webApp = Get-SPWebApplication -Identity $rootsite
    $policyRoles = $webApp.PolicyRoles
    $policyRoles.Delete($PolicyRole)
    $webApp.Update()
}

function DisplayPolicyRole([string]$rootsite, [string]$PolicyRole)
{
    #Verify the permission content
    $wapp = Get-SPWebApplication $rootsite
    $pr = $wapp.PolicyRoles | ? {$_.Name -eq $PolicyRole}
    $pr.Xml
}

# Main
# Add Policy Role and blind to user/group
AddPolicyRoleBuildUser "http://spsbx15:300/" "MySitePolicy2" "Everyone"

# Display Policy Role
DisplayPolicyRole "http://spsbx15:300/" "MySitePolicy2"

# Delete Policy Role
DeletePolicyRole "http://spsbx15:300/" "MySitePolicy2"


I have also provide the following script to monitor if any user/group blind to any custom policy role. You could modify to monitor whether there is any custom policy role.

# Load SharePoint.Powershell
$snapin = Get-PSSnapin | Where-Object {$_.Name -eq 'Microsoft.SharePoint.Powershell'}
if ($snapin -eq $null) {
        Write-Host   $(Get-Date -format "dd_MM_yyyy_HH_mm_ss") '- Loading SharePoint Powershell Snapin'
        Write-Host
        Add-PSSnapin "Microsoft.SharePoint.Powershell"
}

# Get my site web application
$webApp  = Get-SPWebApplication -Identity "http://spsbx15:300/"

# Get policy roles
$policyRoles = $webApp.PolicyRoles

# $policyRoles.Count should be 4
If ($policyRoles.Count -gt 4){

    $message = "There might be custom policy roles. "
}

# OoB Policy Types are DenyAll, DenyWrite, FullRead, and FullControl, The "None" means "No role type assigned".
$pr = $webApp.PolicyRoles | ?{$_.Type -eq "None"}
If (!($pr –eq $null)){
    # This is monitor to report custom PolicyRoles - disabled now
    #$pr  
}

# Get policy collection
$policyCollection = $webApp.Policies

# Verify each policy and identify any policy is assigned with custom policy role
foreach ($pl in $policyCollection) {

    #$pl.PolicyRoleBindings
    $pl1 = $pl.PolicyRoleBindings | ?{$_.Type -eq "None"}

    If (!($pl1 –eq $null)){
        #$pl
        $name += "'"
        $name += $pl.DisplayName
        $name += "'; "

    #$pr
    }

}

# If any users/groups have custom policy role assigned, send notification
If (!($name –eq $null)){

    $message = $message + $name + "have custom policy role on "  + [System.DateTime]::Now.ToLocalTime()
    #$message
    $emailFrom = "PermissionMonitor@mycompany.com"
    $emailTo = "admin@
mycompany.com"
    $subject="SharePoint permission monirotor "  + [System.DateTime]::Now.ToLocalTime()    
    $smtpserver="smtphost.qualcomm.com"
    $smtp=new-object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($emailFrom, $emailTo, $subject, $message)
   
}

No comments:

Post a Comment