Objective: To retrieve all items from a SharePoint site and their associated permissions (e.g., users, groups, site groups).
Our Approach:
1. Tracking changes: We use the endpoint /drives/{drive-id}/root/delta as documented here.
2. Fetching permissions for each item: For every item retrieved in Step 1, we call /drives/{drive-id}/items/{item-id}/permissions as per this documentation.
3. Permissions configuration:
- Delegated Permissions: Files.Read.All, Sites.Read.All, User.ReadBasic.All, User.Read, GroupMember.Read.All, offline_access, email
- Application Permission: Files.Read.All
User Context:
- The user account making these requests via graph.microsoft is limited to "Visitor" rights in SharePoint (part of a Visitor site group).
- We cannot provide this user with permissions beyond "Read" in SharePoint or Azure. Similarly, we cannot grant our Azure App any Application permissions beyond "Read".
The Problem:
- While the user is able to read SharePoint items successfully, the /drives/{drive-id}/items/{item-id}/permissions endpoint consistently returns an empty result. It seems the user does not have sufficient access to retrieve item permissions data.
Request for Assistance:
- Is it possible to retrieve item permissions data under the constraints described (i.e., user with only "Read" rights in SharePoint and no additional Application permissions in Azure)?
- If this is not possible, could you clarify the minimal set of permissions and/or configuration required to achieve our goal?
- Are there any alternative approaches within the scope of our constraints that you recommend for retrieving SharePoint item permissions?
We managed to make this work; however, we had to use Sites.FullControl.All, which we cannot be provided with in this situation.
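The two-step walk described in the question (delta feed, then a permissions call per item), as an added Python example that is not part of the original post. It assumes an injected get_json fetcher so it runs offline; the drive id d1, the item ids and the permission objects are constructed sample values, not real Graph output.

```python
# Added example, not from the question: walk the drive delta feed, then fetch
# permissions per item, following @odata.nextLink on both calls. get_json is an
# injected fetcher so the sample runs offline; in production it would be
# requests.get(url, headers={"Authorization": f"Bearer {token}"}).json().
GRAPH = "https://graph.microsoft.com/v1.0"

def fetch_all(url, get_json):
    """Collect 'value' entries across all pages; return (entries, last page)."""
    entries, page = [], {}
    while url:
        page = get_json(url)
        entries.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the final page
    return entries, page

def collect_permissions(drive_id, get_json):
    """Map item id -> permission objects (empty list when Graph returns none)."""
    items, last = fetch_all(f"{GRAPH}/drives/{drive_id}/root/delta", get_json)
    report = {}
    for item in items:
        if "deleted" in item:  # delta reports removals with a 'deleted' facet
            continue
        perms, _ = fetch_all(f"{GRAPH}/drives/{drive_id}/items/{item['id']}/permissions", get_json)
        report[item["id"]] = perms
    return report, last.get("@odata.deltaLink")  # deltaLink resumes the next run

def items_without_permissions(report):
    """Ids whose permissions call came back empty: the symptom in the question."""
    return sorted(i for i, p in report.items() if not p)

# Constructed sample responses (not real Graph output), keyed by URL.
SAMPLE = {
    f"{GRAPH}/drives/d1/root/delta": {
        "value": [{"id": "A", "name": "budget.xlsx"}],
        "@odata.nextLink": f"{GRAPH}/drives/d1/root/delta?token=p2"},
    f"{GRAPH}/drives/d1/root/delta?token=p2": {
        "value": [{"id": "B", "name": "notes.docx"}, {"id": "C", "deleted": {"state": "deleted"}}],
        "@odata.deltaLink": f"{GRAPH}/drives/d1/root/delta?token=latest"},
    f"{GRAPH}/drives/d1/items/A/permissions": {
        "value": [{"id": "p1", "roles": ["read"],
                   "grantedToV2": {"siteGroup": {"displayName": "Visitors"}}}]},
    f"{GRAPH}/drives/d1/items/B/permissions": {"value": []},
}

if __name__ == "__main__":
    report, delta_link = collect_permissions("d1", SAMPLE.__getitem__)
    print(report, delta_link, items_without_permissions(report))
```

Items listed by items_without_permissions are the ones to compare against the SharePoint UI to tell an empty result caused by insufficient rights apart from an item that genuinely has no unique permissions.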