Thursday, May 20, 2010

Inspecting Policies for a Web Application

MOSS 2007 has a new feature called Web Application Policies. These are security permissions that are tied to a Web Application. These settings override any security setting that is set at the Site Collection or Site (Web) level for that user. This post shows how to get all the policies for a Web Application and see what kind of rights they carry.
On the SPWebApplication object there is a property called Policies. This property is an SPPolicyCollection that contains SPPolicy objects. The UserName property of each SPPolicy contains the name of the AD user or group that the policy belongs to. Because a policy can have both Grant and Deny permissions assigned to it, there is a property called PolicyRoleBindings that contains all the permission bindings for the policy. We can simply loop through the role bindings and inspect them to see what kind of bindings they are. Below is a utility method that inspects the policies for the Web Application passed in.
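using Microsoft.SharePoint;                 // SPBasePermissions
using Microsoft.SharePoint.Administration;  // SPWebApplication, SPPolicy, SPPolicyRole

private void InspectPolicies(SPWebApplication oWebApplication)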
{
    // Loop through the web application policies
    foreach (SPPolicy oPolicy in oWebApplication.Policies)
    {
        // The user name of the policy we are looking at
        string strUserName = oPolicy.UserName;
        // Loop through the policy role bindings for this policy
        foreach (SPPolicyRole oPolicyRole in oPolicy.PolicyRoleBindings)
        {
            // See if the grant policy is NOT empty
            if (oPolicyRole.GrantRightsMask != SPBasePermissions.EmptyMask)
            {
                // Put your grant policy processing code here…
            }
            // See if we have a deny policy
            if (oPolicyRole.DenyRightsMask != SPBasePermissions.EmptyMask)
            {
                // Put your deny policy processing code here…
            }
        }
    }
}
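
Because these policies override Site Collection and Site level settings, it is worth listing them periodically and checking any entry that grants every right. The following is an added example, not code from the original post, that fills in the grant and deny placeholders above with a simple report; the class name WebAppPolicyAudit and the "REVIEW" prefix are assumptions made for illustration, and it must be compiled against Microsoft.SharePoint.dll and run on a farm server.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical helper class (name chosen for this example).
public static class WebAppPolicyAudit
{
    // Returns one line per policy role binding. Bindings whose grant mask
    // contains every right (SPBasePermissions.FullMask) are prefixed "REVIEW".
    public static List<string> Report(SPWebApplication webApp)
    {
        List<string> lines = new List<string>();
        foreach (SPPolicy policy in webApp.Policies)
        {
            foreach (SPPolicyRole role in policy.PolicyRoleBindings)
            {
                SPBasePermissions grant = role.GrantRightsMask;
                SPBasePermissions deny = role.DenyRightsMask;

                // Skip bindings that neither grant nor deny anything.
                if (grant == SPBasePermissions.EmptyMask &&
                    deny == SPBasePermissions.EmptyMask)
                {
                    continue;
                }

                // A full grant at this level applies across the whole Web
                // Application regardless of site-level permissions.
                bool fullGrant =
                    (grant & SPBasePermissions.FullMask) == SPBasePermissions.FullMask;

                // SPBasePermissions is a flags enum, so formatting it yields
                // the comma-separated names of the individual rights.
                lines.Add(String.Format("{0}{1} | role={2} | grant=[{3}] | deny=[{4}]",
                    fullGrant ? "REVIEW " : "", policy.UserName, role.Name, grant, deny));
            }
        }
        return lines;
    }

    public static void Main(string[] args)
    {
        // args[0]: URL of the Web Application to inspect, supplied by the operator.
        SPWebApplication webApp = SPWebApplication.Lookup(new Uri(args[0]));
        foreach (string line in Report(webApp))
        {
            Console.WriteLine(line);
        }
    }
}
```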
