Hi SharePoint Admins! I’ve recently worked on a module to enhance SharePoint Backup experience. If you haven’t known SharePoint Native Backup enough, please read this.  SharePoint Native backup supports Backup-SPFarm, Backup-SPSite, Backup-SPFarm, Export-SPWeb.

All these approaches backup the actual content of the file and at times requires the entire Site or List to be restored entirely. If you are using Version History feature, recovering file can be made easier by restoring only the mis-updated files. In additional, the introduction of Recycle Bin since SharePoint 2010 has helped many SharePoint Admins (at least for myself) to recover accidentally deleted files without burning much of your time.

However, there is no Version History for Permission. Whatever permission changes that you have made onto a document, library or site do not keep a backup copy for you to restore in the later time. You can tap on third party product to help you on this, downside is, you have to pay for the service. Some 3rd party products that you can find in the markets are like Lightning Tools and AvePoint . (Personally never tried that but I’m more of a Self Fulfilling kind, where everything can be done by my left hand and my right hand. But please don’t get me wrong, paying more for premier service sometimes can be good as it comes with support and service level assurance)

So much for the introduction, now let’s go into the script!

I uploaded my script to CodePlex – PowerShell to backup/restore SharePoint Webs, Libraries, Folders and Files and inside the source code, you can find two powershell script, namely BackupPermission.ps1 and RestorePermission.ps1.

You would first run the BackupPermission.ps1. This backuppermission.ps1 generates a Permission.xml file that you gonna need it for the RestorePermission.ps1 later.

What this Backuppermission.ps1 does is to loop through your entire SharePoint Farm for Site Collections. Subsequently, for each of the site collection, it back up its Root Web permissions and Sub Web permissions. After backing up the web level permission, it goes to back up all document libraries permission, folder permission within each library and optionally (turn on by default) files permission.

Why do I need to care about backing up the permission? Well, there may have many reasons for that but below are just some for myself…

1. You screw up the permission and can’t afford to restore the SharePoint Site Collection (cause only Backup-SPFarm was running DAILY)
2. You do not want to inform the user for backup recovery cause the user will scream at you if the data that you going to restore has been modified by the user.
3. You do have full confidence to run SharePoint Native Restore-SPSite as you all know, some times it doesn’t Work. Some how.. (MS, no offense on this, well, it does work most of the time but reason 1 superseded this)
4. You accidentally RESET or Hit the “Delete Unique Permission” button when trying to change a WEB permission. Refer to my previous post on why this will kill your document permission.

Here I’m gonna talk about the Permissions.xml that is generated by my BackupPermission.ps1. You can always change the XML to suit your backup needs. Things like Restoring only partial of your Site Collection, restoring only a document library and even up to only a folder or file. By default, if a entity does not contains <RoleAssignments> node, the RestorePermission.ps1 script will bypass updating the permission and it will remains as its current stage (could be Inherting its parent permission or already broken permission. no changes will be done).

<?xml version=”1.0″ encoding=”UTF-8″?>
<SharePoint>
<Sites>
<Site>
<Url>https://mysharepoint.com</Url>
<RootWeb>
<Title>SharePoint Portal</Title>
<Url>https://mysharepoint.com</Url>
<RoleAssignments>
<RoleAssignment User=”i:0#.w|contoso\appadmin”>
<RoleDefinitionBindings>
<RoleDefinition Name=”Full Control”/>
</RoleDefinitionBindings>
</RoleAssignment>
<RoleAssignment Group=”SharePoint Portal Owners”>
<RoleDefinitionBindings>
<RoleDefinition Name=”Full Control”/>
</RoleDefinitionBindings>
</RoleAssignment>
<RoleAssignment Group=”SharePoint Portal Visitors”>
<RoleDefinitionBindings>
<RoleDefinition Name=”Read”/>
</RoleDefinitionBindings>
</RoleAssignment>
</RoleAssignments>
<Lists>
<List>
<Title>Documents</Title>
<RootFolder>
<Name>Documents</Name>
<Url>Documents</Url>
<SubFolders>
<Folder>
<Name>Folder A</Name>
<Url>Documents/Folder A</Url>
<RoleAssignments>
<RoleAssignment Group=”SharePoint Portal Owners”>
<RoleDefinitionBindings>
<RoleDefinition Name=”Full Control”/>
</RoleDefinitionBindings>
</RoleAssignment>
<RoleAssignment Group=”SharePoint Portal Visitors”>
<RoleDefinitionBindings>
<RoleDefinition Name=”Read”/>
</RoleDefinitionBindings>
</RoleAssignment>
<RoleAssignment Group=”SharePoint Portal Members”>
<RoleDefinitionBindings>
<RoleDefinition Name=”Contribute”/>
</RoleDefinitionBindings>
</RoleAssignment>
</RoleAssignments>
</Folder>
<Folder>
<Name>Folder B</Name>
<Url>Documents/Folder A – Copy (8)</Url>
</Folder>
</SubFolders>
<Files>
</Files>
</RootFolder>
</List>
</Lists>
<Webs>
</Webs>
</RootWeb>
</Site>
</Sites>
</SharePoint>

What you are seeing above basically showing a backup xml that if you restore using this, only 1 site “https://mysharepoint.com” will be processed.  The permission of this site will have the following permissi

• appadmin (SPUser) – Full Control
• SharePoint Portal Owners (SPGroup) – Full Control
• SharePoint Portal Visitors (SPGroup) – Read

Subsequently, the script will continue to loop and restore List (in my backup script, this node stores only document libraries.) with Title “Documents” which is inheriting parent permission.

Folder “Folder A” within this document library will have unique permission while “Folder B” will inherit library permission which follows the Web permissions.

Well if you don’t really care at all, simply running BackupPermission.ps1 and RestorePermission.ps1 should be able to help you recovering you web permission.

To complete the entire process, set a Task Scheduler job to backup your farm permission regularly!