1
votes

Using the MS Graph REST API, I can retrieve driveItems that are shared with me. The Permissions of those "remote" driveItems include one identifying me as a user. However, that Permission object has no "Roles" in it (specifically, the Roles list has zero entries).

I tried looking at the RemoteItem properties, but these do not contain any security info.

What is the correct method to determine what my user's permissions are on that specific DriveItem?

Thus far, I have tested using the C# MSGraph SDK and found all the items shared with me to have an empty Roles list.

I have also used the online Graph Explorer and determined the same to be true.

When I retrieved the actual item using Graph Explorer, note the following in this example snippet from MSFT:

    {
        "id": "aTowIy5mfG1lbWJlcnNoaXB8YWxleHdAbTM2NXgyMTQzNTUub25taWNyb3NvZnQuY29t",
        "roles": [],
        "grantedTo": {
            "user": {
                "email": "AlexW@M365x214355.onmicrosoft.com",
                "id": "4782e723-f4f4-4af3-a76e-25e3bab0d896",
                "displayName": "Alex Wilber"
            }
        }
    },

(No roles are listed for the user?)

I would have expected, since my User was explicitly listed in one of the Permits of the actual DriveItem retrieved, that the Role would also have specified my access/actual permission.

1
What request did you make to get the permission without the roles? - Brad
I mentioned it below, but to be clear: Go to Graph Explorer, do not log in (or log out) so you're using the default/example account, and click the Shared With Me example (graph.microsoft.com/v1.0/me/drive/sharedWithMe). Take the first DriveItem returned as the example. Use the remoteItem.ParentReference.DriveId and the RemoteItem.Id to make the following permissions call: graph.microsoft.com/v1.0/drives/… - AWeber

1 Answers

1
votes

The following endpoint:

GET /drives/{remoteItem-driveId}/items/{remoteItem-id}/permissions

returns the sharing permissions on a DriveItem resource.

Result

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21IZJbPb0BjUKDAjMnMOSRf44bwdRO75NGunQibG16o65AcVUi0kiOSZ9k4-NxVd6C')/items('01H24BBVK3QUEPTCR2MNB3HMLTNUZINN54')/permissions",
    "value": [
        {
            "id": "c0594808-fbbb-4c56-9b62-bc37307a2424",
            "roles": [
                "write"
            ],
            "link": {
                "scope": "anonymous",
                "type": "edit",
                "webUrl": "https://contoso-my.sharepoint.com/:w:/g/personal/jdoe_contoso_onmicrosoft_com/EVuFCPmKOmNDs7FzbTKGt7wBxdHHpbjDMOzy3_ng2KHCAQ"
            }
        },
        {
            "id": "8a03ff0b-5196-4585-b8a9-4d95115e10c2",
            "roles": [
                "read"
            ],
            "link": {
                "scope": "anonymous",
                "type": "view",
                "webUrl": "https://contoso-my.sharepoint.com/:w:/g/personal/jdoe_contoso_onmicrosoft_com/EVuFCPmKOmNDs7FzbTKGt7wB8wPZsfAqSd-IQYE337GDjg"
            }
        },
        {
            "id": "aTowIy5mfG1lbWJlcnNoaXB8dmdyZW1AbWVkaWFkZXY4OC5vbm1pY3Jvc29mdC5jb20",
            "roles": [
                "owner"
            ],
            "grantedTo": {
                "user": {
                    "email": "jdoe@contoso.onmicrosoft.com",
                    "id": "1ee49b6f-4632-4806-a4dd-e065844f9cd1",
                    "displayName": "Jon Doe"
                }
            }
        }
    ]
}

The following example demonstrates how to print the Roles property of the Permissions resource via msgraph-sdk-dotnet:

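// Requires: using System; using System.Linq; and an authenticated GraphServiceClient (graphClient).
// Fetch the DriveItem with its Permissions collection expanded in the same request.
var item = await graphClient.Drives[driveId].Items[itemId].Request().Expand("Permissions").GetAsync();
foreach (var permission in item.Permissions)
{
    // Roles can be empty (or absent) for an entry, so guard against null before joining.
    var roleNames = String.Join(", ", permission.Roles ?? Enumerable.Empty<string>());
    Console.WriteLine(roleNames);
}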
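An added example, not part of the answer above and not code from the Graph SDK: it audits a `/permissions` response of the shape shown on this page, marking a user entry with empty `roles` (the case in the question) as undetermined rather than as "no access", and flagging anonymous links that grant more than read. It parses the JSON with System.Text.Json; `PermissionAudit`, `Summarize`, the sample JSON and the GUID are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

public static class PermissionAudit
{
    // Hypothetical helper: one summary line per permission entry, with review flags.
    public static List<string> Summarize(string json, string myUserId)
    {
        var lines = new List<string>();
        using var doc = JsonDocument.Parse(json);
        foreach (var p in doc.RootElement.GetProperty("value").EnumerateArray())
        {
            var roles = p.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array
                ? r.EnumerateArray().Select(x => x.GetString()).ToList()
                : new List<string>();
            string subject, flag = "";
            if (p.TryGetProperty("link", out var link))
            {
                var scope = link.TryGetProperty("scope", out var s) ? s.GetString() : null;
                subject = $"link({scope})";
                // An anonymous link grants its roles to anyone holding the URL, without sign-in.
                if (scope == "anonymous" && roles.Any(x => x != "read")) flag = " [REVIEW: anonymous non-read link]";
            }
            else if (p.TryGetProperty("grantedTo", out var g) && g.TryGetProperty("user", out var u))
            {
                var id = u.TryGetProperty("id", out var i) ? i.GetString() : null;
                subject = id == myUserId ? "user(me)" : $"user({id})";
                // Empty roles: record it as "not reported" instead of assuming no access.
                if (roles.Count == 0) flag = " [UNDETERMINED: roles not reported]";
            }
            else subject = "other";
            lines.Add($"{subject}: {(roles.Count == 0 ? "-" : string.Join(",", roles))}{flag}");
        }
        return lines;
    }

    public static void Main()
    {
        // Constructed sample in the shape of the responses shown on this page.
        const string sample = @"{ ""value"": [
          { ""id"": ""p1"", ""roles"": [""write""], ""link"": { ""scope"": ""anonymous"", ""type"": ""edit"" } },
          { ""id"": ""p2"", ""roles"": [""read""], ""link"": { ""scope"": ""anonymous"", ""type"": ""view"" } },
          { ""id"": ""p3"", ""roles"": [], ""grantedTo"": { ""user"": { ""id"": ""00000000-0000-0000-0000-000000000001"" } } } ] }";
        foreach (var line in Summarize(sample, "00000000-0000-0000-0000-000000000001"))
            Console.WriteLine(line);
    }
}
```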