Delegating sub-site creation while inhibiting site deletion

If you've ever administered SharePoint, you'll know that one of the hardest parts is deciding how much control to delegate to users. Should they be able to set themes? Change the Web Parts displayed? Customize lists?

But the trickiest one is definitely the creation of sites themselves. The problem is that creating a subsite automatically gives the creator "Full Control" over it, and Full Control includes the right to delete the site, deliberately or accidentally, potentially opening up a world of trouble when it comes to appropriate recordkeeping practices. Worse, the "Full Control" permission level is locked: its rights cannot be edited from the user interface.

The solution is to edit the permission level through the object model instead, from PowerShell on a SharePoint server with the SharePoint snap-in loaded:


Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Run this against the root web of the site collection: permission levels
# are defined there and inherited by every subsite that has not broken
# role-definition inheritance.
$web = Get-SPWeb "http://my-sharepoint/web"

# For "Full Control", grant every right except ManageWeb (which includes
# deleting the site) and ManagePermissions (which includes editing
# permission levels). You must also ensure that "Full Control" is not
# granted at the root site, otherwise people will be able to self-modify
# their permission levels to allow site deletions.
# PowerShell converts the comma-separated string to the SPBasePermissions
# flags enum.
$role = $web.RoleDefinitions["Full Control"]
$role.BasePermissions = [Microsoft.SharePoint.SPBasePermissions] (
    "ViewListItems,AddListItems,EditListItems,DeleteListItems,ApproveItems," +
    "OpenItems,ViewVersions,DeleteVersions,CancelCheckout," +
    "ManagePersonalViews,ManageLists,ViewFormPages,Open," +
    "ViewPages,AddAndCustomizePages,ApplyThemeAndBorder," +
    "ApplyStyleSheets,ViewUsageData,CreateSSCSite,ManageSubwebs," +
    "CreateGroups,BrowseDirectories,BrowseUserInfo," +
    "AddDelPrivateWebParts,UpdatePersonalWebParts," +
    "UseClientIntegration,UseRemoteAPIs,ManageAlerts," +
    "CreateAlerts,EditMyUserInfo,EnumeratePermissions")
$role.Description = "Full control, but some actions (eg site deletion) " +
    "will require a site administrator to be logged in."
$role.Update()
$web.Dispose()

Note that this leaves Site Collection Administrators as the only people who can delete sites or edit permission levels, because they bypass permission-level checks entirely; that is probably what you want anyway. Also bear in mind the change is site-collection-wide: the permission level is defined once at the root and inherited by every subsite, so a subsite that has broken role-definition inheritance keeps its own, unmodified copy of "Full Control" and needs the same edit applied separately.
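Because the edit only reaches subsites that inherit role definitions, and because Site Collection Administrators pass every permission check anyway, it is worth auditing the whole site collection afterwards rather than trusting the one web you edited. The script below is an added example, not part of the original post: it walks every web, reports whether its "Full Control" level still carries ManageWeb or ManagePermissions, and asks SharePoint directly whether a chosen ordinary user ends up able to delete that web. It also shows a shorter way to apply the same change, starting from FullMask and stripping the two blocked rights instead of re-typing the full list. The site collection URL and the test account are placeholders; the test account must not be a Site Collection Administrator, or the effective-permission check will always say yes.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumptions for this example): the site collection to audit
# and a regular user account that is NOT a Site Collection Administrator.
$SiteUrl   = "http://my-sharepoint"
$TestLogin = "CONTOSO\jdoe"

$Perms = [Microsoft.SharePoint.SPBasePermissions]
# The two rights a delegated site owner must not hold: ManageWeb covers
# deleting the site, ManagePermissions covers editing permission levels.
$Blocked = $Perms::ManageWeb -bor $Perms::ManagePermissions

# Report, for every web in the site collection, whether Full Control still
# leaks the blocked rights and whether the test user could delete the web.
function Get-FullControlAudit {
    param([string]$Url, [string]$Login)
    $site = Get-SPSite $Url
    try {
        foreach ($w in $site.AllWebs) {
            try {
                $fc   = $w.RoleDefinitions["Full Control"]
                $leak = [Microsoft.SharePoint.SPBasePermissions]($fc.BasePermissions -band $Blocked)
                [PSCustomObject]@{
                    Web                   = $w.Url
                    UniqueRoleDefinitions = $w.HasUniqueRoleDefinitions
                    FullControlStillHas   = if ($leak -ne 0) { $leak.ToString() } else { "nothing blocked" }
                    # Effective check: SharePoint resolves groups and inheritance
                    # for us, so this catches rights granted by other means too.
                    TestUserCanDeleteSite = $w.DoesUserHavePermissions($Login, $Perms::ManageWeb)
                }
            } finally { $w.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Apply the hardened Full Control to the root web and to every subsite that
# keeps its own role definitions (inheriting subsites pick it up from the root).
function Set-FullControlHardened {
    param([string]$Url)
    $site = Get-SPSite $Url
    try {
        foreach ($w in $site.AllWebs) {
            try {
                if (-not $w.HasUniqueRoleDefinitions) { continue }
                $fc = $w.RoleDefinitions["Full Control"]
                # FullMask is every right; XOR removes exactly the blocked bits.
                $fc.BasePermissions = $Perms::FullMask -bxor $Blocked
                $fc.Description = "Full control, except deleting the site or editing " +
                                  "permission levels (ask a Site Collection Administrator)."
                $fc.Update()
                Write-Host "Hardened Full Control on $($w.Url)"
            } finally { $w.Dispose() }
        }
    } finally { $site.Dispose() }
}

Get-FullControlAudit -Url $SiteUrl -Login $TestLogin | Format-Table -AutoSize
# Set-FullControlHardened -Url $SiteUrl   # uncomment to apply, then re-run the audit
```

Run the audit first, apply the change, then run the audit again: the "FullControlStillHas" column should read "nothing blocked" on every web, and "TestUserCanDeleteSite" should be False everywhere the test account is an ordinary site owner. Any web that still shows True after the change has either broken role-definition inheritance (and so needs the same edit applied to its own copy of the level) or is granting ManageWeb through some other permission level, which the audit will not fix for you but will at least expose.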