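Managing permissions has always been a fundamental concern in every kind of system. When SharePoint is paired with AD, the planning and design are usually discussed in terms of AGDLP. So to manage SharePoint group permissions, the system administrator (the IT specialist) once again has to open the familiar, friendly screens of SharePoint Web / SharePoint Designer. What follows explains how to:
1. Create groups in the top-level site
2. Add the newly created groups to each subsite and stop inheritance
3. Change the permissions of each list in the subsites
1. Create groups in the top-level site, for example for 3 sites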
$web = Get-SPWeb "http://sps2010/"
$web.SiteGroups.Add("site1_A", $web.Site.Owner, $web.Site.Owner,"")
$web.SiteGroups.Add("site1_B", $web.Site.Owner, $web.Site.Owner,"")
$web.SiteGroups.Add("site1_C", $web.Site.Owner, $web.Site.Owner, "")
$web.SiteGroups.Add("site2_A", $web.Site.Owner, $web.Site.Owner,"")
$web.SiteGroups.Add("site2_B", $web.Site.Owner, $web.Site.Owner,"")
$web.SiteGroups.Add("site2_C", $web.Site.Owner, $web.Site.Owner, "")
$web.SiteGroups.Add("site3_A", $web.Site.Owner, $web.Site.Owner,"")
$web.SiteGroups.Add("site3_B", $web.Site.Owner, $web.Site.Owner,"")
$web.SiteGroups.Add("site3_C", $web.Site.Owner, $web.Site.Owner, "")
$web.Update()
$web.Dispose()
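There is not much to this part. If you need to create many groups at once, you can use Excel to assemble the lines above. After the groups are created, if you need to set the groups' permissions first, SharePoint Designer is recommended; managing them through the web UI leaves you waiting and waiting...
2. Add the newly created groups to each subsite and stop inheritance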
###########################
#
# Function: add group permission
#
###########################
function AddGroupToSite ($web, $groupName, $permLevel)
{
    # Look up the site group and bind the named permission level to it
    $account = $web.SiteGroups[$groupName]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
    $role = $web.RoleDefinitions[$permLevel]
    $assignment.RoleDefinitionBindings.Add($role)
    $web.RoleAssignments.Add($assignment)
}
#########
# Subsites (edit this): the subsites to run against
$SubSites = @("site1","site2","site3")
for($i=0 ; $i -lt $SubSites.count ; $i++)
{
    $url = "http://sps2010/" + $SubSites[$i]
    $web = Get-SPWeb $url
    # $false: do not copy the parent's role assignments to the subsite
    $web.BreakRoleInheritance($false)
    # Edit this: must match the group names created in step 1
    $grp1 = $SubSites[$i]+"_A"
    $grp2 = $SubSites[$i]+"_B"
    $grp3 = $SubSites[$i]+"_C"
    AddGroupToSite -web $web -groupName $grp1 -permLevel "Read"
    AddGroupToSite -web $web -groupName $grp2 -permLevel "Read"
    AddGroupToSite -web $web -groupName $grp3 -permLevel "Read"
    $web.Dispose()
    # Parentheses are required so the string is concatenated before output
    Write-Output ($SubSites[$i] + " Completed!")
}
3. Change the permissions of each list in the subsites
$web = Get-SPWeb "http://sps2010/"
#List Permission
#
# Two lists need to be changed:
# ListA: url is /Site1/Lists/ListA
# ListB: url is /Site1/SitePicLib
# If more lists need changing, keep adding them inside the function
#
###########################
#
# Function: Change List Permission
#
###########################
function ChangeListPermission ($strSiteName)
{
    $SubSites = $strSiteName
    $grp1 = $SubSites+"_A"
    $grp2 = $SubSites+"_B"
    $grp3 = $SubSites+"_C"
    # NOTE: $grp4 is used below but is never defined in this post. Set it to the
    # name of an existing site group; while it is empty the $grp4 blocks are skipped.
    $url = "http://sps2010/" + $SubSites
    $web = Get-SPWeb $url
    $admaccount = $web.EnsureUser("SHAREPOINT\system")
    #############################ListA#############################
    #$ListR = $web.Lists["ListA"]
    $strListURL = "/" + $SubSites + "/Lists/ListA"
    $ListR = $web.GetList($strListURL)
    $ListR.BreakRoleInheritance($false)
    $account = $web.SiteGroups[$grp2]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
    $assignment.RoleDefinitionBindings.Add(($web.RoleDefinitions | Where-Object { $_.Type -eq "Contributor" }))
    $ListR.RoleAssignments.Add($assignment)
    if ($grp4)
    {
        $account = $web.SiteGroups[$grp4]
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
        $assignment.RoleDefinitionBindings.Add(($web.RoleDefinitions | Where-Object { $_.Type -eq "Contributor" }))
        $ListR.RoleAssignments.Add($assignment)
    }
    # Remove the system account's assignment from the list
    $ListR.RoleAssignments.Remove($admaccount)
    #############################ListB#############################
    $strListURL = "/" + $SubSites + "/SitePicLib"
    $ListR = $web.GetList($strListURL)
    $ListR.BreakRoleInheritance($false)
    $account = $web.SiteGroups[$grp2]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
    $assignment.RoleDefinitionBindings.Add(($web.RoleDefinitions | Where-Object { $_.Type -eq "Contributor" }))
    $ListR.RoleAssignments.Add($assignment)
    if ($grp4)
    {
        $account = $web.SiteGroups[$grp4]
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
        $assignment.RoleDefinitionBindings.Add(($web.RoleDefinitions | Where-Object { $_.Type -eq "Contributor" }))
        $ListR.RoleAssignments.Add($assignment)
    }
    $account = $web.SiteGroups[$grp1]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $ListR.RoleAssignments.Add($assignment)
    $account = $web.SiteGroups[$grp3]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $ListR.RoleAssignments.Add($assignment)
    # Remove the system account's assignment from the list
    $ListR.RoleAssignments.Remove($admaccount)
    $web.Dispose()
}
###########################
# Edit this
# The actual function calls
ChangeListPermission -strSiteName "site1"
ChangeListPermission -strSiteName "site2"
ChangeListPermission -strSiteName "site3"
With that, the permissions are more or less set up, and it goes even faster with Excel!
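To check the result of steps 2 and 3, the script below reports who holds which permission level on each subsite and on every list whose inheritance was broken. It is an added example, not code from the original post; the function names Get-RoleAssignmentRows and Get-SitePermissionReport are made up for illustration, and it assumes the post's sample URL and subsite names.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell and the post's sample URL and subsite names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Turn one securable object (SPWeb or SPList) into one report row per principal.
function Get-RoleAssignmentRows ($securable, $scope, $path)
{
    foreach ($ra in $securable.RoleAssignments)
    {
        New-Object PSObject -Property @{
            Scope     = $scope
            Path      = $path
            Principal = $ra.Member.Name
            Levels    = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
        }
    }
}

function Get-SitePermissionReport ($rootUrl, $subSites)
{
    foreach ($site in $subSites)
    {
        $web = Get-SPWeb ($rootUrl + $site)
        try
        {
            # Step 2 should have stopped inheritance on every subsite.
            if (-not $web.HasUniqueRoleAssignments)
            {
                Write-Warning "$($web.Url) still inherits permissions from its parent"
            }
            Get-RoleAssignmentRows $web "Web" $web.ServerRelativeUrl
            # Only lists with broken inheritance carry their own assignments.
            foreach ($list in $web.Lists)
            {
                if ($list.HasUniqueRoleAssignments)
                {
                    Get-RoleAssignmentRows $list "List" $list.RootFolder.ServerRelativeUrl
                }
            }
        }
        finally { $web.Dispose() }
    }
}

Get-SitePermissionReport "http://sps2010/" @("site1","site2","site3") |
    Sort-Object Path, Principal |
    Format-Table Scope, Path, Principal, Levels -AutoSize
```

Any principal in the output other than the groups created in step 1 is worth a second look, since BreakRoleInheritance also grants the calling account its own assignment.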
If you want to add an AD group to a SharePoint group, see the next post!
References:
1.PowerShell to create SharePoint groups http://blog.pointbeyond.com/2011/06/03/powershell-to-create-sharepoint-groups/
#DontLikeSP