SharePoint REST API access restriction


I have a situation as follows:

1. Building a public-facing site in SharePoint 2016 (Enterprise version) with form-based authentication.

2. All external users who can access the portal have only "Read Only" permissions.

Problem: External users can access the site user list via the API (`_api/web/siteusers`). This is an information security issue for the client, as the users might be competitors.

Questions: Is there a way in SharePoint to restrict the "siteusers" API endpoint for all the users who have read permission?

If not, then what could be the workaround to achieve this requirement?

Thanks in advance!

1 Reply

@Ravi Chahal have you been able to find a way to restrict access to the API?