Question

I'm adding items to my list with a PowerShell script. I need to fine-grain user permissions on the added items.

Code I'm using now:

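    # Build a claims principal for the role claim issued by the trusted identity token issuer
    $claim = New-SPClaimsPrincipal -ClaimValue $role -ClaimType $ROLE_CLAIM -TrustedIdentityTokenIssuer $sts
    # Constructor arguments: login name (encoded claim), e-mail, display name, notes
    [Microsoft.SharePoint.SPRoleAssignment] $roleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($claim.ToEncodedString(), "", $role, "")
    # Bind the requested permission level to the assignment
    $roleAssignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$permissionLevel[$permission]])
    # Stop inheriting from the list; $true copies the current role assignments to the item
    $item.BreakRoleInheritance($true)
    $item.RoleAssignments.Add($roleAssignment)
    $item.Update()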

This works when I'm assigning Full Control to administrators. But I'd also like other users to be able to read all items from the list. So I thought I'd add "All Authenticated Users" (like in the people picker) with read permission. The thing is that I don't know what ClaimValue and ClaimType I have to pass to the New-SPClaimsPrincipal cmdlet. Any ideas?


Solution

To get the claim for All Authenticated Users in PS you need to use:

$claim = New-SPClaimsPrincipal -EncodedClaim "c:0(.s|true"

For Windows users (NT AUTHORITY\authenticated users):

$claim = New-SPClaimsPrincipal -EncodedClaim "c:0!.s|windows"

And for all forms-authenticated users (basic ASP.NET membership provider):

$claim = New-SPClaimsPrincipal -EncodedClaim "c:0!.s|forms:aspnetsqlmembershipprovider"

After that you can create the role assignment like in the code you provided and add it to the item (I didn't test it myself).

And I still cannot believe that the MSDN Forum has a nice and simple answer to it here.
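The answer's claim combined with the question's role-assignment code, as an added example that is not part of the original question or answer. The site URL, list title, item ID and the function name Grant-ItemReadToAuthenticatedUsers are placeholders chosen for illustration; the function also lists the item's resulting assignments so the breadth of the grant can be reviewed.

```powershell
# Added example: grant Read on one list item to "All Authenticated Users".
# Run in the SharePoint Management Shell; the three values below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example/sites/demo"   # placeholder
$listTitle = "Documents"                              # placeholder
$itemId    = 1                                        # placeholder

function Grant-ItemReadToAuthenticatedUsers {
    param($Web, $Item)

    # Encoded claim from the answer: every authenticated user, whatever the provider.
    # Swap in the Windows-only or forms-only claim from the answer to narrow the grant.
    $claim = New-SPClaimsPrincipal -EncodedClaim "c:0(.s|true"

    # Built-in Read level, looked up by type so a renamed or localized level still resolves.
    $read = $Web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)

    # Break inheritance only once; $true keeps the inherited assignments (e.g. administrators).
    if (-not $Item.HasUniqueRoleAssignments) {
        $Item.BreakRoleInheritance($true)
    }

    # Same constructor as in the question: login name, e-mail, display name, notes.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment(
        $claim.ToEncodedString(), "", "All Authenticated Users", "")
    $assignment.RoleDefinitionBindings.Add($read)
    $Item.RoleAssignments.Add($assignment)

    # Return every principal and permission level now set on the item.
    $Item.RoleAssignments | ForEach-Object {
        New-Object PSObject -Property @{
            Principal = $_.Member.LoginName
            Levels    = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        }
    }
}

$web = Get-SPWeb $siteUrl
try {
    $item = $web.Lists[$listTitle].GetItemById($itemId)
    Grant-ItemReadToAuthenticatedUsers -Web $web -Item $item | Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```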

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange