Scott Wickham

We just had an employee in the HR department leave and now a new employee is taking their place. We want to give the new employee the exact same set of user permissions that the former employee had. The former employee had been granted various levels of user permissions throughout the site collection: Read-only access in some subsites, Contribute access in others, and even more granular permissions on specific lists and document libraries. We unfortunately did not document every permission that had been granted to the former employee.

What would be a good way to produce a report or listing of every user permission for the former employee? Should I write some code to walk through the site collection tree and examine every object in every subsite to see if the former employee has any permissions on that object? I had also tried the route of peeking directly into the content database to see if the permissions info would be easy to pull with a SQL statement, but it looked like the user permissions were stored in a binary-format ACL and I didn't know how to process/parse it to make any sense of it.

If anyone knows of any pre-built tools/scripts out there that have already been written for this purpose, that would be perfect too.



Re: SharePoint - Development and Programming Show all User Permissions


Depending on whether or not there are items in workflows, tasks, individual items, etc. that the user has specific access to, you could be in for a heavy task. You might have a look at GetEffectiveRights(). That might help you get a bigger picture.

If you want to get the site permissions, you can write code to parse the site tree and check the groups for the current user, and add the new user to the same groups.

Code Snippet

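SPSite mySite = new SPSite("URL of your site");

// AllWebs is an instance property, so it is read from mySite
foreach (SPWeb myWeb in mySite.AllWebs)
{
    foreach (SPGroup myGroup in myWeb.Groups)
    {
        // check whether the old user is in myGroup and, if so, add the new user
    }
}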

Or you can use the Groups from the SPUser object.

You can get the SPUser object from the email,

Code Snippet

SPUser oldUser = myWeb.Users.GetByEmail("Email");


and just loop through the groups and add the new user to the existing groups (might be a bit faster this way, but I think you will still have to get an SPUser for each subWeb).

I hope this helps - DK
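
The tree walk suggested above, as an added example (not code from this thread): it uses the SharePoint server object model to list the permission levels assigned directly to one login on every subsite and list that has its own permissions. The site URL and login are command-line placeholders; group membership and item-level permissions are not covered.

```csharp
using System;
using Microsoft.SharePoint;

class UserPermissionReport
{
    // Prints the permission levels bound directly to loginName on one securable object.
    static void Report(string url, SPRoleAssignmentCollection assignments, string loginName)
    {
        foreach (SPRoleAssignment ra in assignments)
        {
            SPUser user = ra.Member as SPUser;   // null when the member is a group
            if (user == null ||
                !string.Equals(user.LoginName, loginName, StringComparison.OrdinalIgnoreCase))
                continue;
            foreach (SPRoleDefinition role in ra.RoleDefinitionBindings)
                Console.WriteLine("{0}\t{1}", url, role.Name);
        }
    }

    static void Main(string[] args)
    {
        string siteUrl = args[0];    // placeholder: URL of the site collection
        string loginName = args[1];  // placeholder: login exactly as SharePoint stores it

        using (SPSite site = new SPSite(siteUrl))
        {
            foreach (SPWeb web in site.AllWebs)
            {
                try
                {
                    // Objects that inherit only repeat their parent's assignments, so skip them.
                    if (web.HasUniqueRoleAssignments)
                        Report(web.Url, web.RoleAssignments, loginName);

                    foreach (SPList list in web.Lists)
                    {
                        if (list.HasUniqueRoleAssignments)
                            Report(web.Url + "/" + list.RootFolder.Url,
                                   list.RoleAssignments, loginName);
                    }
                }
                finally
                {
                    web.Dispose();  // webs returned by AllWebs must be disposed by the caller
                }
            }
        }
    }
}
```

The output is one tab-separated line per scope URL and permission level, which can be reviewed before any of it is granted to another account.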

Re: SharePoint - Development and Programming Show all User Permissions

Scott Wickham

Thanks DK. Unfortunately we are not using groups to organize our permission assignments, so I couldn't approach it by iterating through the group assignments. However, when I looked at GetEffectiveRights as you suggested, it got me thinking I should try a little harder to figure out the permissions from the info that is stored directly in the content database. I found a very helpful SQL query on Bill Baer's blog that I tweaked a bit to get exactly what I was looking for.

Here is the tweaked version, which lists all users and their permissions within a site collection on sites, lists, document libraries, and even individual documents and list items whose permissions have been customized:

Code Snippet

-- One row per user, permission scope and access level in the site collection
SELECT
    UserInfo.tp_login user_login,
    UserInfo.tp_title user_title,
    Webs.title site_title,
    Webs.fullUrl site_full_url,
    Perms.scopeurl scope_url,
    Roles.title access_level
FROM RoleAssignment
JOIN Roles ON Roles.siteID = RoleAssignment.siteID AND Roles.roleID = RoleAssignment.roleID
JOIN UserInfo ON UserInfo.tp_siteID = RoleAssignment.siteID AND UserInfo.tp_id = RoleAssignment.principalID
JOIN Sites ON Sites.[id] = RoleAssignment.siteID
JOIN Perms ON Perms.siteID = RoleAssignment.siteID AND Perms.scopeID = RoleAssignment.scopeID
JOIN Webs ON Webs.[id] = Perms.webID







Re: SharePoint - Development and Programming Show all User Permissions


Good deal, thanks for supplying the link as well, glad you got things worked out.