Translations/Definitions:
SPPrincipal = Base class of all group/user classes in MOSS 2007. When a method asks to be passed an SPPrincipal object, you can pass it either an SPGroup or an SPUser object.
SPGroup = Cross Site Group
SPUser = AD accounts (group or user). Note: this assumes you are using AD for authentication…
SPRoleDefinition = Permission Level
SPRoleAssignment = An instance of authorization for an SPGroup/SPUser that uses an SPRoleDefinition (permission level) to grant access
Relationships:
SPRoleDefinition + SPUser/SPGroup = SPRoleAssignment
Typical Security Add:
First you need an SPRoleDefinition that states what authorization the SPRoleAssignment will carry. Then instantiate an SPRoleAssignment with either a login name or an instance of the SPPrincipal class (an SPGroup or SPUser). Bind the instance of SPRoleDefinition to the instance of SPRoleAssignment, and then add the instance of SPRoleAssignment to the site.
For Example:
// permission level to grant
SPRoleDefinition roleDefViewOnly = newSite.RoleDefinitions["View Only"];
// the SPGroup is an SPPrincipal, so it can be passed straight to the constructor
SPRoleAssignment roleAssignNAMs = new SPRoleAssignment(newSite.SiteGroups["NAMS"]);
// bind the permission level to the assignment, then add the assignment to the site
roleAssignNAMs.RoleDefinitionBindings.Add(roleDefViewOnly);
newSite.RoleAssignments.Add(roleAssignNAMs);
// either kind of SPPrincipal can be looked up by name and used the same way
SPUser user = newSite.SiteUsers[loginName];
SPGroup group = newSite.SiteGroups[groupName];
Note: If you attempt to use the BreakUserRoleInheritance method… This is an all-inclusive method: internally it sets AllowUnsafeUpdates = true and then AllowUnsafeUpdates = false. This will cause you frustration, because you'll set AllowUnsafeUpdates = true before you start playing with security, then after the BreakUserRoleInheritance method you do an .Update(), and lo and behold you'll get an exception that updates on GET requests are not allowed… And you'll wonder why…
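The typical security add and the AllowUnsafeUpdates caveat above, combined into one helper. This is an added example, not code from the original post; it assumes an SPWeb (`web`), a group or user that already exists on the site, and a permission level that exists in the web's RoleDefinitions. The SDK name of the method that breaks inheritance is `BreakRoleInheritance(bool)`.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: grants one SPPrincipal one permission level on a web,
// breaking inheritance first and setting AllowUnsafeUpdates only afterwards.
public static class SiteSecurity
{
    // principal may be an SPGroup or an SPUser (both derive from SPPrincipal).
    public static void Grant(SPWeb web, SPPrincipal principal, string roleDefName)
    {
        // 1. Break inheritance FIRST. BreakRoleInheritance flips
        //    AllowUnsafeUpdates to true and back to false internally, so any
        //    value you set before this call is lost.
        if (!web.HasUniqueRoleAssignments)
        {
            // true = copy the parent's assignments so existing access is not
            // silently dropped when the web stops inheriting.
            web.BreakRoleInheritance(true);
        }

        // 2. Only now enable unsafe updates, and restore the old value in finally
        //    so the flag never stays on longer than this operation.
        bool previous = web.AllowUnsafeUpdates;
        web.AllowUnsafeUpdates = true;
        try
        {
            // SPRoleDefinition = permission level ("View Only", "Read", ...);
            // the indexer throws if the level does not exist on this web.
            SPRoleDefinition roleDef = web.RoleDefinitions[roleDefName];

            // SPRoleAssignment = SPPrincipal + bound SPRoleDefinition(s)
            SPRoleAssignment assignment = new SPRoleAssignment(principal);
            assignment.RoleDefinitionBindings.Add(roleDef);
            web.RoleAssignments.Add(assignment);

            // The .Update() that fails with the GET-request exception when
            // AllowUnsafeUpdates was set before BreakRoleInheritance.
            web.Update();
        }
        finally
        {
            web.AllowUnsafeUpdates = previous;
        }
    }

    // Usage (hypothetical names): a cross-site group and an AD user.
    //   SiteSecurity.Grant(web, web.SiteGroups["NAMS"], "View Only");
    //   SiteSecurity.Grant(web, web.EnsureUser(@"DOMAIN\someuser"), "Read");
}
```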
This really is a cohesive object model for SharePoint security, although it's not necessarily apparent when you begin to work with it. Safe journeys in the world of SharePoint!