Sitecore: Assigning Security to items from code

When Sitecore 6 came out, Sitecore changed the security model dramatically. Sitecore now uses the .NET security model, and on top of this they have built a set of classes to help with assigning roles and members.

UPDATE 2017-11-24: This article applies to Sitecore 6, Sitecore 7, Sitecore 8.

You will find the helper classes in the Sitecore.Security namespace:

using Sitecore.Data.Items;              // Item, used in the examples below
using Sitecore.Security.Accounts;
using Sitecore.Security.AccessControl;

Access rights can be added programmatically to any item using the AccessRuleCollection class. The following example demonstrates how to apply read access to a role (group) using the AccessRuleCollection:

public void SetAccess(Item item)
{
  Role myRole = Role.FromName("sitecore\\myRole");

  // Get the current accessrules
  AccessRuleCollection accessRules = item.Security.GetAccessRules();

  // Apply read access for "myRole" to the current item
  // and all its children
  accessRules.Helper.AddAccessPermission(myRole,
     AccessRight.ItemRead,
     PropagationType.Any,
     AccessPermission.Allow);

  // Write the rules back to the item
  item.Editing.BeginEdit();
  item.Security.SetAccessRules(accessRules);
  item.Editing.EndEdit(); 
}

As you already know, the Item in the function’s parameter must come from the “master” database.

The AddAccessPermission method is pretty straightforward. In my example I grant access to a role, but the function will also take a user. Please also note that when retrieving a role or user from the user database, you must prefix the user or role name with the domain name.

The AccessRight class defines which right to apply to the item. If you need to grant more than one right, you will need to add them one by one, as in this example:

PropagationType pt = PropagationType.Any;
AccessPermission ap = AccessPermission.Allow;
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemRead, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemWrite, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemRename, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemCreate, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemDelete, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.WorkflowStateDelete, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.WorkflowStateWrite, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.WorkflowCommandExecute, pt, ap);

The PropagationType enumeration determines which items will be granted the access right. Any means the item and all items inheriting. Descendants applies rights to inheriting children only, and Entity applies rights to the item only.

Finally, the AccessPermission enumeration determines whether to grant (allow) or deny the access right.
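The following helper is an added example, not code from the original post or from Sitecore. It combines the steps above while keeping grants narrow: it checks the database and the role before writing, applies one AddAccessPermission call per right, and cancels the edit if the write fails. ItemSecurityHelper, GrantRights and GrantReadTreeWriteItem are hypothetical names; Role.Exists, item.Database.Name and item.Editing.CancelEdit are Sitecore API members not used elsewhere in this article.

```csharp
using System;
using System.Collections.Generic;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;

public static class ItemSecurityHelper // hypothetical helper, not a Sitecore class
{
  // Allows each right in 'rights' for 'roleName' on 'item' with one propagation type.
  public static void GrantRights(Item item, string roleName,
      IEnumerable<AccessRight> rights, PropagationType propagation)
  {
    if (item == null) throw new ArgumentNullException("item");
    if (rights == null) throw new ArgumentNullException("rights");
    // The article requires an item from the "master" database.
    if (!string.Equals(item.Database.Name, "master", StringComparison.OrdinalIgnoreCase))
      throw new InvalidOperationException("Item must come from the master database.");
    // Refuse to write a rule for a name that does not resolve (typo, missing domain prefix).
    if (!Role.Exists(roleName))
      throw new ArgumentException("Unknown role: " + roleName, "roleName");

    Role role = Role.FromName(roleName);
    AccessRuleCollection accessRules = item.Security.GetAccessRules();
    foreach (AccessRight right in rights)
    {
      // One call per right, as described above.
      accessRules.Helper.AddAccessPermission(role, right, propagation, AccessPermission.Allow);
    }

    item.Editing.BeginEdit();
    try
    {
      item.Security.SetAccessRules(accessRules);
      item.Editing.EndEdit();
    }
    catch
    {
      item.Editing.CancelEdit(); // leave the item unchanged if the write fails
      throw;
    }
  }

  // Constructed usage: read for the item and everything inheriting, write for the item only.
  public static void GrantReadTreeWriteItem(Item item, string roleName)
  {
    GrantRights(item, roleName, new[] { AccessRight.ItemRead }, PropagationType.Any);
    GrantRights(item, roleName, new[] { AccessRight.ItemWrite }, PropagationType.Entity);
  }
}
```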

If you wish to know more about the Sitecore security model, you should read the Sitecore Security API Cookbook (available for members of the Sitecore Developer Network only).

About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.

5 Responses to Sitecore: Assigning Security to items from code

  1. Mark says:

    Thanks for this post! This is exactly what I needed. For those on the SDN, this forum post has a few more details also, including setting inheritance:

    http://sdn.sitecore.net/forum//ShowPost.aspx?PostID=18417


  2. Hakeem Missa says:

    Thanks. Dynamically activating/de-activating inheritance permission on a content node was what I needed, which is well covered in the suggested link.


  3. Pingback: Sitecore Users and C# | Brian Pedersen's Sitecore and .NET Blog

  4. Pingback: Sitecore check access and roles programatically | Brian Pedersen's Sitecore and .NET Blog

  5. Pingback: Which of my old Sitecore posts are still valid in Sitecore 9? | Brian Pedersen's Sitecore and .NET Blog
