Social media


Thursday, September 10, 2009

Permission reporting tool for SharePoint

Few days ago Microsoft has released the Fourth Release of the Microsoft SharePoint Administration Toolkit. It was announced on the SharePoint team blog.

A very interesting part of this toolkit is a permission reporting tool. I think that every administrator should have it on their MOSS/WSS environment as this helps with permission management on the farm. It is also really useful when working with Workbox - it can help you debug some problems with the permissions to the workflow and workflow items.

Generally the tool allows administrators to quickly check users' permissions. This is very useful, since due to multiple inheritances and big number of permission levels it is very easy to lose track who has which permissions.

The tool allows you to check on every level - site, list and even item - what permissions has chosen user. The tool displays what kind of permission levels given user has to a chosen object and how were they assigned (through group or directly). More about this functionality is here.

Reporting tool gives you also ability to quickly glance through permissions for all lists and sites in a given site. It also lets you to compare the permissions to parent permission and list which are different - who was added and who was removed. More on

What is strange - the tool does not tell you that a user is a farm admin.

The third cool thing is a broken inheritance report. This report gives you information what are the permissions for current object and its siblings. More info about these report is here. The reports are in form of an XML, but can be easily opened in Excel. By default reports are stored in SharePoint list. It takes some time to run the report.

You can download the tool from here.
Here are some tips about the setup:
  • you need to have SP2 with the April Cumulative Updates. I would recommend installing the June Updates, as the April ones are included in the June CU. All details how to setup the June CU are here. Make sure you install SP to all the language packs, as without them you will not be able to install the CU.
  • after you setup the Toolkit you will find the reporting tool in the folder where the toolkit was setup (by default C:\Program Files\Microsoft\SPAdministrationToolkit\PermissionReportingSolution). It's in the form of a WSP. You need to use the STADM and addsolution operation and to set it up on your farm. Here is an MSDN article on how to add solution, depoly it and activate the feature from the STSADM 
  • Next you need to deploy the solution from the central administration (operations -> global configuration -> solution management).
  • The last step is the feature activation - you activate it for the farm. You need the April CU to activate the future.
After that you are good to go. Enjoy!


  1. I have also posted this article on Experts Exchange

  2. Dear Pawel,

    Its a nice article about permissions reporting in SharePoint available through the admin toolkit.

    However, I need to run this tool on SharePoint 2010 and I am able to add the "PermissionReporting.wsp" using ManagementShell command :

    Add-SPSolution "C:\Program Files\Microsoft\SPAdministratio

    but when trying to activate it :

    stsadm -o activatefeature -name permissionreporting

    it says:
    SharePoint version validation failed. April CU is required to activate Permissio
    n Reporting.

    Now I am scared if I tries to install April CU on SharePoint 2010 Farm, it may cause some unexpected issues.

    Please help me and guide me if its safe to install April CU or not.

  3. Hello

    This tool was created for SharePoint 2007 not 2010. I' surprised it allowed you to set it up on SP2010. Do not install the SP2007 April CU on the 2010 environment under no conditions!

    2010 has some improvements in this area OOB - you can check effective permissions and permission inheritance from the permission screen.

  4. Thank you Paweł for the prompt reply and thank you for posting and updating me about WorkBox. However, what I want is the same thing provided in permissions reporting tool for Sharepoint 2007 because effective permissions in SP 2010 are only available at sites and lists level and not at site collection level.

    There is one tool available provided by DeliverPoint 2010 but its not freely available.