Fetching Real-time Permissions in SharePoint Online via REST API using App Token


We are trying to fetch real-time user effective permissions of a user on a file. We cannot use the following API as it does not update the user effective permissions in real time when the user is either added to or removed from the O365 group (until the user logs in to the site):

/getusereffectivepermissions(userName=@user)?@user='<url_encoded_login_name>'

Note that we are using SharePoint Application Access Token.

 

Therefore, we are using the following APIs to get the real time results:

/RoleAssignments?$expand=Member/Users,RoleDefinitionBindings

 

We read the responses having 'principal type = 4' such as 

"LoginName": "c:0o.c|federateddirectoryclaimprovider|d20ae4c3-3429-4f75-8895-793407836d5e_o",
"LoginName": "c:0o.c|federateddirectoryclaimprovider|<group_uid>",
"LoginName": "c:0(.s|true",
"LoginName": "c:0-.f|rolemanager|spo-grid-all-users/<tenant_id>", etc.
 
and then we fetch the owners of the group by taking '<owner_group_guid>_o' and also fetch the transitive members of the group by taking <group_uid>, using Graph API.
 
How do we check if a user is a member of the following SharePoint groups?
Everyone:  c:0(.s|true
Everyone except external users: c:0-.f|rolemanager|spo-grid-all-users/<tenant_id>
 
Also, are there any other similar SharePoint internal groups that should be taken into consideration while fetching the real-time user effective permissions?

0 Replies
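
An added example, not part of the original post: a Python sketch of the classification step the post describes, sorting PrincipalType 4 login names from a RoleAssignments response into Graph lookups (owners for the `_o` form, transitive members otherwise) and the two tenant-wide claims. The response shape (a list of objects with `Member`, `Users`, `RoleDefinitionBindings`, `Name`), the function names and the sample GUIDs are assumptions made for illustration.

```python
import re

# Login-name shapes quoted in the post (PrincipalType 4 entries).
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
M365_GROUP = re.compile(rf"^c:0o\.c\|federateddirectoryclaimprovider\|({GUID})(_o)?$")
EVERYONE = "c:0(.s|true"
EEEU_PREFIX = "c:0-.f|rolemanager|spo-grid-all-users/"

def classify(login_name):
    """Map one LoginName to (kind, id); id is a group or tenant GUID, or None."""
    m = M365_GROUP.match(login_name)
    if m:
        return ("m365_group_owners" if m.group(2) else "m365_group_members", m.group(1).lower())
    if login_name == EVERYONE:
        return ("everyone", None)
    if login_name.startswith(EEEU_PREFIX):
        return ("everyone_except_external", login_name[len(EEEU_PREFIX):])
    return ("unrecognized", None)

def plan_lookups(role_assignments):
    """Return (graph_paths -> role names, tenant_wide claims, unrecognized login names)."""
    graph, tenant_wide, unknown = {}, [], []
    for ra in role_assignments:
        roles = [r["Name"] for r in ra.get("RoleDefinitionBindings", [])]
        member = ra["Member"]
        # Type-4 principals can also sit inside a SharePoint group's expanded Users.
        for p in [member] + member.get("Users", []):
            if p.get("PrincipalType") != 4:
                continue
            kind, ident = classify(p["LoginName"])
            if kind == "m365_group_owners":
                graph.setdefault(f"/groups/{ident}/owners", set()).update(roles)
            elif kind == "m365_group_members":
                graph.setdefault(f"/groups/{ident}/transitiveMembers", set()).update(roles)
            elif kind == "unrecognized":
                unknown.append(p["LoginName"])  # surface it, never silently skip
            else:
                tenant_wide.append((kind, roles))
    return graph, tenant_wide, unknown

# Constructed sample (hypothetical GUIDs and role names), not captured from a real tenant.
G, T = "00000000-0000-0000-0000-0000000000a1", "00000000-0000-0000-0000-0000000000b2"
FED = "c:0o.c|federateddirectoryclaimprovider|"
SAMPLE = [
    {"Member": {"PrincipalType": 4, "LoginName": FED + G + "_o"}, "RoleDefinitionBindings": [{"Name": "Full Control"}]},
    {"Member": {"PrincipalType": 8, "LoginName": "Site Visitors", "Users": [{"PrincipalType": 4, "LoginName": EEEU_PREFIX + T}]}, "RoleDefinitionBindings": [{"Name": "Read"}]},
    {"Member": {"PrincipalType": 4, "LoginName": EVERYONE}, "RoleDefinitionBindings": [{"Name": "Read"}]},
    {"Member": {"PrincipalType": 4, "LoginName": FED + G}, "RoleDefinitionBindings": [{"Name": "Edit"}]},
]
```

Login names that match none of the quoted shapes come back in the third list, so an unexpected claim type shows up in review instead of being dropped from the permission calculation.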