Understand SharePoint Permissions - Part 1. SPBasePermissions in Hex, Decimal and Binary - The Basics

SPBasePermissions always reminds me of the "Introduction to Computer System" course from year one at university. It is implemented with the same basic and simple technique that is used by almost every application with a permission system. But as high-level programming language developers, we often forget how it works fundamentally.

For example, you know that by calling SPWeb.DoesUserHavePermissions() you can check the permissions granted to a user. But what if this method had not been implemented, or you have no reference to Microsoft.SharePoint.dll? It is time to use the "&" and "^" operators to work out the basics.

I am breaking this topic into two parts. Part 1 shows how SPBasePermissions is implemented. In Part 2 you will see how to work out user permissions manually without calling DoesUserHavePermissions() or any other SharePoint code.

/* SPBasePermissions enum (first members only; all values are in the table below) */

public enum SPBasePermissions : ulong
{
    AddAndCustomizePages = 0x40000L,
    AddDelPrivateWebParts = 0x10000000L,
    AddListItems = 2L,
    ApplyStyleSheets = 0x100000L,
    ApplyThemeAndBorder = 0x80000L,
    ApproveItems = 0x10L,
    BrowseDirectories = 0x4000000L,
    BrowseUserInfo = 0x8000000L,
    CancelCheckout = 0x100L,
    // ... remaining members omitted
}

As you can see, the SPBasePermissions enum is expressed in hex and stored as an unsigned long. The complete list of permissions, in both hex and decimal, is in the following table.

Permission Name           Hex (base 16)         Decimal
------------------------  --------------------  -------------------
EmptyMask                 0x0000000000000000    0

List and Document permission
ViewListItems             0x0000000000000001    1
AddListItems              0x0000000000000002    2
EditListItems             0x0000000000000004    4
DeleteListItems           0x0000000000000008    8
ApproveItems              0x0000000000000010    16
OpenItems                 0x0000000000000020    32
ViewVersions              0x0000000000000040    64
DeleteVersions            0x0000000000000080    128
CancelCheckout            0x0000000000000100    256
ManagePersonalViews       0x0000000000000200    512
ManageLists               0x0000000000000800    2048
ViewFormPages             0x0000000000001000    4096

Web level permission
Open                      0x0000000000010000    65536
ViewPages                 0x0000000000020000    131072
AddAndCustomizePages      0x0000000000040000    262144
ApplyThemeAndBorder       0x0000000000080000    524288
ApplyStyleSheets          0x0000000000100000    1048576
ViewUsageData             0x0000000000200000    2097152
CreateSSCSite             0x0000000000400000    4194304
ManageSubwebs             0x0000000000800000    8388608
CreateGroups              0x0000000001000000    16777216
ManagePermissions         0x0000000002000000    33554432
BrowseDirectories         0x0000000004000000    67108864
BrowseUserInfo            0x0000000008000000    134217728
AddDelPrivateWebParts     0x0000000010000000    268435456
UpdatePersonalWebParts    0x0000000020000000    536870912
ManageWeb                 0x0000000040000000    1073741824
UseRemoteAPIs             0x0000002000000000    137438953472
ManageAlerts              0x0000004000000000    274877906944
CreateAlerts              0x0000008000000000    549755813888
EditMyUserInfo            0x0000010000000000    1099511627776

Special Permissions
EnumeratePermissions      0x4000000000000000    4611686018427387904
FullMask                  0x7FFFFFFFFFFFFFFF    9223372036854775807


From the table above, it is obvious that each permission also represents a single binary digit, and bitwise OR can be used when you assign multiple permissions to a single role.

For example, users with the ViewListItems, AddListItems, EditListItems and DeleteListItems permissions will have decimal 15 or hex 0xF as their permissions mask.

       0001 (0x1, 1) ViewListItems
       0010 (0x2, 2) AddListItems
       0100 (0x4, 4) EditListItems
    OR 1000 (0x8, 8) DeleteListItems
     = 1111 (0xF, 15)
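
The OR combination above and the "&" check mentioned at the start, as an added example in Python (not code from the original post or from SharePoint). The bit values are copied from the table on this page; the function names combine, has_all and decode are hypothetical.

```python
"""Decode and test SPBasePermissions masks with plain bit arithmetic."""

# Single-bit values copied from the table on this page. EmptyMask (0) and
# FullMask are not single bits, so they are not listed here.
_TABLE = """
ViewListItems 0x1 AddListItems 0x2 EditListItems 0x4 DeleteListItems 0x8
ApproveItems 0x10 OpenItems 0x20 ViewVersions 0x40 DeleteVersions 0x80
CancelCheckout 0x100 ManagePersonalViews 0x200 ManageLists 0x800
ViewFormPages 0x1000 Open 0x10000 ViewPages 0x20000
AddAndCustomizePages 0x40000 ApplyThemeAndBorder 0x80000
ApplyStyleSheets 0x100000 ViewUsageData 0x200000 CreateSSCSite 0x400000
ManageSubwebs 0x800000 CreateGroups 0x1000000 ManagePermissions 0x2000000
BrowseDirectories 0x4000000 BrowseUserInfo 0x8000000
AddDelPrivateWebParts 0x10000000 UpdatePersonalWebParts 0x20000000
ManageWeb 0x40000000 UseRemoteAPIs 0x2000000000 ManageAlerts 0x4000000000
CreateAlerts 0x8000000000 EditMyUserInfo 0x10000000000
EnumeratePermissions 0x4000000000000000
"""
_tokens = _TABLE.split()
PERMISSIONS = {n: int(v, 16) for n, v in zip(_tokens[::2], _tokens[1::2])}
FULL_MASK = 0x7FFFFFFFFFFFFFFF


def combine(*names):
    """OR the named permissions into one mask, as a permission level does."""
    mask = 0
    for name in names:
        mask |= PERMISSIONS[name]
    return mask


def has_all(mask, *names):
    """True only if every named bit is set. Testing (mask & required) != 0
    would wrongly accept a mask that holds just one of the required bits."""
    required = combine(*names)
    return (mask & required) == required


def decode(mask):
    """Return (names of the set bits, leftover bits that no table row names)."""
    names = [name for name, bit in PERMISSIONS.items() if mask & bit]
    unnamed = mask & ~combine(*PERMISSIONS)
    return names, unnamed
```

When reviewing role definitions, a non-zero second value from decode() means the mask carries bits this table does not name, which is worth checking rather than ignoring.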

This is basically how permission levels work in SharePoint. More code examples are in Part 2.


James Tsai
