sharepoint get role assignments

Managing Role Assignments/Permissions with SharePoint REST

To assign permissions in SharePoint, you make one or more role assignments, which requires three things:

• Some kind of handle for a securable object. That’s basically a site, list, library, folder, document, or item.
• The principal id for something to which roles can be assigned. That’s either an Active Directory user or security group, or a SharePoint group.
• The id of a role definition. Like ‘Full Control’ or ‘Edit’ or ‘Contribute’. This is basically a named collection of granular permissions that are defined at the site collection root and can be assigned to a securable object in that site collection.

In this post, I’m going to explain the REST service calls required in order to make role assignments to SharePoint securable objects. I will show the calls using jQuery’s ajax (because I’m working through them in the console and the console won’t resolve promises). I’ll follow up with a post with some demo code pulling it all together and probably using fetch.

Role Assignments: Prerequisites

As explained above, there are three things I need to make a role assignment, and while these aren’t directly related to role assignments, this is a series on REST in general so I’m going to explain all of the service calls.

The first thing I will get is collection of lists that are available in the current site, via the endpoint /_api/web/lists . Now this endpoint basically returns the whole list schema, and I don’t need all of that, so to reduce the payload I’ll add $select=Id,Title as a request parameter. I also want to weed out hidden lists, so I’ll add $filter=Hidden eq false . With that, the call looks like:

And the returned JSON structure looks like this:

I’ll use this data to populate some sort of multi-select control for lists and can then get a handle on each list by either id or title.

Site Groups

Next, I’ll need to populate a drop-down list with site collection groups. Again, I’ll add the request parameter $select=Id,Title , and while with lists I could have gotten away with just title, here I need both because add role assignment requires the id, and users are likely going to need the title. Here’s the call:

And the response JSON structure looks like this:

I’m not actually going to need this in the demo page, but to be thorough, if you know the name of the group, you can get it’s ID with this call (a lot less chatty):

And the response from this call is quite succinct:

Role Definitions

And the final preliminary piece of the puzzle is that I need a role definition id. To get a list of role definitions defined in the site collection, I make the following call:

Now I didn’t actually select anything, so I’m getting back more information than I actually need, but it’s not that big a structure and I wanted to show the whole thing. In particular, note the base permissions structure. I talked about this a bit in my last post Determining the Permissions of the Current User with REST , and how to dissect this structure to get the granular access controls it represents. Anyway, here is the complete JSON structure returned from the role definitions endpoint.

The only things I actually need from this are the name and the id.

If you know the name of the role definition you’re interested in, you can get the id with the following REST call:

And the very simple returned JSON structure from this call looks like:

Manipulating Role Assignments

Whew! We finally have enough information to make a role assignment. It’s a bit tedious, but not that hard (which kind of describes programming in general). In the following code, I’m going to work on the permissions of the list titled “Speaker Evaluations” . And prior to doing anything, the permissions for that list look like this:

The first thing I need to do is check if the list is currently inheriting permissions. To do that, just like object model code, I need to call has unique role assignments like so:

Keep in mind that the part of the URL before /hasuniqueroleassignments is what I called earlier “a handle to a securable object”, in this case, a list. So I could just as easily use /_api/web/hasuniqueroleassignements , and the returned value would be in exactly the same format but would have told me if the web had broken inheritance. And I could do …/items(2)/hasuniqueroleassignments to determine if the item with id 2 has broken role inheritance. The same is true of all of the endpoints to follow in this post, they can all be tacked onto any URL that represents a securable object to perform securable operations on those objects.

Anyway, here is the returned value, which would be true if role inheritance had already been broken:

If the list is currently inheriting permissions, I now need to break role inheritance. I do that with the following call, passing in false. The input is true if I want to copy all of the role assignments from the parent and false if I want to start with a blank slate.

Which returns the terribly useful JSON structure shown below. Basically, if success gets called back, that’s enough to shout WOO HOO!

And if I re-check the permissions for my list it now looks like this:

Yours will look a little different of course. I wouldn’t expect you to see permissions assigned to Joe McShea for instance ;). Breaking role inheritance with false just assigns full control to the current user to prevent orphaned objects.

But calling break role inheritance on an object that already doesn’t inherit does nothing. Even if you pass in false, it certainly doesn’t delete any previously copied role assignments from the parent. That’s why I had to check has unique role assignments, because if not then I call the above service, and if so then I call the following service.

This call just deletes all role assignments for the user I’m about to add role assignments for. That way, at least with respect to this one user, I always start with a clean slate. Curiously, this call returns nothing on success, just a blank string. not even a lousy { “object.null” : true } ! One thing you need to know, however, is if the user has no role assignments, the result is a “404 Not Found”. This isn’t an error. You asked for a resource and it wasn’t found. So you should handle 404 errors as appropriate.

And finally, we’ve arrived at the point of this post, which is making a role assignment. The following service call adds a role assignment to the “Speaker Evaluation” list, which assigns Edit (i.e. roledefid=’1073741830′) to the SharePoint group “CSRDemos Members” (i.e. principalid=’9′).

And again we see this very useful structure. But again, the fact that the success callback was called is more than enough.

And now if I check the permissions for the list, I see:

In this post I showed the various pieces you need to navigate in order to assign roles to SharePoint groups using the REST API. In my next post, I’ll pull it all together with a demo page.

Set custom permissions on a list by using the REST interface – Microsoft Docs

Share this:

• Click to share on Twitter (Opens in new window)
• Click to share on LinkedIn (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Pinterest (Opens in new window)
• Click to share on Pocket (Opens in new window)

4 thoughts on “Managing Role Assignments/Permissions with SharePoint REST”

I am facing issue with ‘X-RequestDigest’: $(‘#__REQUESTDIGEST’).val(). what is mean by ‘X-RequestDigest’: $(‘#__REQUESTDIGEST’).val() in header

So SharePoint Pages generally have a hidden control with an id of __REQUESTDIGEST . If you view source on a SharePoint page and search for that ID, you should see the control. It’s just some kind of hash, that you have to send back to the server in the X-RequestDigest header in order to do any write operations (i.e. POST, PUT, MERGE, or DELETE), if you’re not using OAuth .

JavaScript that runs on a SharePoint page doesn’t need to do OAuth since the user has already authenticated in the browser, so it can just use the __REQUESTDIGEST value of the current page like I am.

$("#__REQESTDIGEST").val() is using jQuery to get that digest value. Without jQuery, you can use pure JavaScript something like document.getElementById("__REQUESTDIGEST").value . If document.getElementById("__REQUESTDIGEST") returns undefined then you’re either not on a SharePoint page, or the page doesn’t use a request digest.

And if you’re on a SharePoint page, meaning the user has already authenticated to SharePoint, but the page doesn’t have a control with an ID of __REQUESTDIGEST , then there is another way to get the request digest, which is to call the context info REST service to retrieve the digest, with a url like:

http://[site url]/_api/contextinfo

The digest serves a couple of purposes, including making sure your version of the item isn’t stale, so it expires from time to time (I believe 30 minutes by default). So if you try to use a stale digest, you’ll get an error like “An error has occurred with XXXX. Please refresh the page and try again”. In which case, you can use the context info service to refresh the digest.

Now if you’re not on a SharePoint page, then you probably have to use OAuth and worry about CORS (Cross Origin Resource Sharing), which is a whole different can of worms, and not what my post is about.

You can find a lot more info about this here:

Complete basic operations using SharePoint REST endpoints

That page has some information on the different contexts you might be in, like on a SharePoint page vs. using OAuth etc.

Hope that helps some.

First of all, thank you for this post, it’s very helpful.

I’d like to ask you if you know how to remove an external user from a specific folder/file.

I granted access to a folder with the “SP.Web.ShareObject” rest call method which accepts a “peoplePickerInput” body parameter (where you can define all the email addresses to invite), but the method “SP.Web.UnshareObject” only accepts the url parameter of the folder, so every external user will lose the access, which it’s not what I need.

Do you have any solution for this ? Thanks in advance.

I do not have any particular insight on that, but I’ll take a look when I get a chance, and let you know if I figure it out.

Leave a Comment Cancel reply

You must be logged in to post a comment.

• TECHNOLOGIES
• An Interview Question

Get SharePoint Role Definition ID's

• Md Tahmidul Abedin
• Jun 05, 2024
• Other Artcile

Retrieve SharePoint Role Definition IDs to manage access levels efficiently. Use SharePoint APIs or PowerShell to access, view, and modify permission settings for users and groups within your SharePoint environment.

What is Role Definition ID?

In SharePoint, we are all familiar with SharePoint Permission and Permission levels like Full Control, Edit, Contribute, etc. We use these permission levels to manage Site/List/item level accessibility. Sometimes we create custom permission for business requirements. These permissions are defined in SharePoint with a unique id which is called “SharePoint Role Definition ID”.

Why it is needed?

In general, role definition IDs are not needed to provide permission to a user or group in a Site, List, or List Item. We can do it with OOB by clicking some steps. But when we try to set permission by using REST Calls, we can’t use the permission level’s name. Then we need these Role Definition IDs. As an example, if we try to change a user’s/group’s permission with a rest call, it will be as follows.

How to get a Role Definition ID?

So, now the question that comes to mind is, how to get these permission levels assigned an ID or SharePoint Role Definition ID. For most of the common permission levels, we can get the Role Definition Id from the internet easily. Here are some out-of-the-box role definition names (Permission level) and their corresponding role definition IDs given below.

But what about any custom permission level that is being created for some specific purpose in that site? Now step by step, we will walk through the process of how to get the SharePoint Custom Role Definition ID. To get the custom permission’s role definition ID we have to use rest call. And with this rest call we will also get the above out-of-the-box role definition IDs.

Let’s create custom permission in the site collection and get the role definition ID for that as an example with the following steps.

• First, go to the site settings of the site collection.

• The site permission window will open.

• Permission levels window will be opened as in the following image.

• Now click on the “Add a permission Level” link as shown in the above image (fig 3).

• Now, provide your custom permission’s name in the text box.
• We can provide a description for future understanding.
• Now we have an option for selecting different types of permissions which are categorized with “List Permissions”, “Site Permissions” and “Personal Permissions”.
• We need to check the needed permission as shown in the image (fig 4).

• Now our custom permission level “TestPermission” has been created as we can see in the above image.
• Now, let’s get the role definition ID of this custom permission level. To do that we have to call the rest api which we already discussed before.\
• https://tahmid.sharepoint.com/sites/tahmid/_api/web/roledefinitions
• This is a “GET” request. So we can request this URL in our web browser. We will get the response in XML format where we can get all the Role Definitions and Role Definition ID.

• We can find our custom permission level as well as the out-of-the-box permission level’s role definition ID and other details here.
• So, for our custom permission level “TestPermission”, the role definition id is “1073741928”.

So this is the way to find the SharePoint Role Definition ID’s. In recent days when SharePoint 2010 Workflows are going to be retired, we had to use SharePoint 2013 workflow or Microsoft Power Automation. In these procedures, we need these Role Definition IDs to set permission with REST Call. I hope this article will help. Happy Coding.

• Role Definition
• Role Definition ID
• SharePoint Online
• SharePoint REST API
• Site Collection

Getting Started with SharePoint Framework Development using TypeScript, PnP JS, and React JS

SharePoint Diary

Salaudeen Rajack's Experiences on SharePoint, PowerShell, Microsoft 365 and related products!

SharePoint Online: PowerShell to Get List Permissions

Requirement: Get List Permissions in SharePoint Online using PowerShell.

How to Get List Permissions in SharePoint Online?

If you are a SharePoint administrator, you will need to get list permissions in SharePoint Online sooner or later. The process is not complicated, but there are a few steps that you need to follow. In this blog post, I will walk you through the process step-by-step for retrieving and displaying users’ permission levels on lists or libraries. We’ll also see how to get list permissions in SharePoint Online using PowerShell. Let’s get started!

To view permissions applied to the SharePoint Online list, follow these steps:

• Navigate to your SharePoint Online list >> Click on settings gear >> List settings.
• Click on the “Permissions on this List” link on the List settings page.

However, exporting permissions from lists and libraries in the SharePoint Online user interface can be a complex and time-consuming process. So, let’s simplify this task by using PowerShell to get list permissions in SharePoint Online.

SharePoint Online PowerShell to Get List Permissions

Luckily, we have PowerShell to generate permission reports in SharePoint Online at various levels: Permission Reports in SharePoint Online using PowerShell , Here is the PowerShell to get list permissions and export to CSV in SharePoint Online:

And the exported CSV file looks like this:

In summary, using PowerShell to get list permissions in SharePoint Online can be a powerful tool for managing your SharePoint environment. By utilizing the script provided in this article, you can quickly and easily export the permissions from your SharePoint lists, helping you to maintain a secure and organized environment.

We can also export list or document library permissions to a CSV report with PnP PowerShell: Get SharePoint Online Document Library Permissions and Export to CSV using PnP PowerShell

Related Posts

• ← SharePoint Online: Clone User Group Memberships using PowerShell
• SharePoint Online: How to Hide the Left Navigation Bar using PowerShell? →

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions, including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles! Read More

3 thoughts on “ SharePoint Online: PowerShell to Get List Permissions ”

also if i need users & their permission inside listed groups as well , how i can do that ?

Use this PowerShell script: Get SharePoint Online Document Library Permissions and Export to CSV using PnP PowerShell

Error Getting List Permissions! Exception calling “ExecuteQuery” with “0” argument(s): “‘center’ is an unexpected token. The expected token is ‘”‘ or ”’. Line 7, position 12.” Unfortunately this is what I get. Must be doing something wrong.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Notify me of new posts by email.

SharePointCass

SharePoint Online REST APIs (Part VI): Permissions

In the SharePoint Online REST APIs series, I’ll be sharing the most common APIs I use. I mainly use these APIs in Power Automate, so I’ll base the information in this series on the data you need for a Send an HTTP request to SharePoint action.

This article explores how to break and grant permissions to users and SharePoint Online groups. This is not a comprehensive list; rather a list of calls that I use when I can’t use predefined Power Automate actions. I have used the color red to identify interchangeable values.

Check if a subsite has unique permissions

_api/web?$select=HasUniqueRoleAssignments

This call checks to see if a site is inheriting from its parents, or has broken inheritance. This call can also work on lists, libraries, folders and items (see below).

Check if an item has unique permissions

_api/web/lists(guid' GUID ')/items( 40 )?$select=HasUniqueRoleAssignments

As mentioned above, this call checks to see if a specific item has unique permissions. In this example, I am looking at an item in a specific library that has an ID of 40 .

Break permission inheritance on an item

_api/web/lists/GetByTitle(' Site Pages ')/items( 5 )/BreakRoleInheritance(CopyRoleAssignments=true, ClearSubscopes=true)

This example breaks inheritance on a site page. However, you can also use this call to break permission inheritance on a site, list, library or item. BreakRoleInheritance essentially breaks the inheritance. The CopyRoleAssignments and ClearSubscopes are parameters which can be true or false. For more information on these parameters, read this article .

Get user principal ID

_api/web/SiteUsers/GetByEmail(' [email protected] ')/Id

After you’ve broken inheritance, you need to add users (or groups; which is explored next). Before you can add a user to an item/site/list etc., you’ll need to get their Id .

Get group principal ID

_api/web/SiteGroups/GetByName(' Site Name Owners ')?$select=Id

This is the same concept as above, however, it is getting the Id of a SharePoint group.

Give permissions to a user or group

_api/web/lists/GetByTitle(' Site Pages ')/items( 5 )/RoleAssignments/AddRoleAssignment(PrincipalId= 9 ,RoleDefId= 1073741827 )

Finally, we can grant permissions to a user or group. To do this, we need the principal Id (which we got in the above calls) and the value for RoleDefId . These values are not straight forward. I have included the main permissions in the table below, but Microsoft details some more on their site .

Published by SharePointCass

I've been in the Microsoft world for over 10 years. I started out as a SharePoint developer but have since found myself intrigued by other aspects of Microsoft 365 including the Power Platform, Stream and Teams. I like to consider myself a sucker for organizational collaboration business systems, and this blog explores how to achieve the best out of these applications. View all posts by SharePointCass

4 Replies to “SharePoint Online REST APIs (Part VI): Permissions”

• Pingback: Resolved: how to manage people that can access to folders in SharePoint using API - Daily Developer Blog

Hi. Unfortunately, my groupID and userID are the same (yes, the same integer number). How can I grant permissions to a library item only with user email address?

Hi , I want create a sharing link of SharePoint documents for external users using REST API with PHP.Could me help me out how I can achieve this. waiting for your reply.

Hi, how do I create a new user group please? That part was missing in the article. Thanks much.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Notify me of follow-up comments by email.

Notify me of new posts by email.

The Lazy IT Admin

• Central Administration
• SharePoint Designer
• Contact Us!

SharePoint Role Assignments

Introduction.

You may be asking yourself, what exactly are SharePoint role assignments?!  This article will discuss the following role assignment topics:

SharePoint Impact

Maintenance.

A role assignment is the relationship between role definitions, users and groups, and scopes.  Let's break that down a little further!

Role Definition

Role definition is synonymous with permission level.  So, the default permission levels such as Full Control, Contribute, Read are individual role definitions.

Users and Groups

SharePoint best practice recommends that you grant permissions using groups.  These groups can be SharePoint groups or Active Directory Groups.  You can also grant permissions directly to a user account.

Scope determines WHERE  permission applies.  For example, to a web site, to a list or library, or an individual list or library item.

Role Definition Examples

So now we know what a role definition is, let's see some examples!

As your portal grows, so will permissions and in turn, role assignments.  Also, if you do a lot of work with item level security, this will have a significant impact on the number of role assignments.  The depth of your portal and granularity of permissions will also impact the number of role assignments.

Growth Example

Here's a quick example of how role assignments can grow exponentially.

• Portal site http://portal
• Sub site http://portal/hr
• Sub site http://portal/hr/team
• A list named "Restricted" with 1,000 items
• Item level permissions on every item in the list
• For each item, one user is granted contribute permission

How many role assignments do you think you have?  For this list alone, there would be 4,000 role assignments.  Say what?!  Here's how it breaks down:

• 1,000 list items with item level permission per item = 1,000 role assignments
• http://portal/hr/team will receive 1,000 "Limited Access" role assignments
• http://portal/hr will receive 1,000 "Limited Access" role assignments
• http://portal will receive 1,000 "Limited Access" role assignments

Permissions must be carefully planned and implemented.  Otherwise role assignments can grow out of control.  I recently finished cleaning up a site collection that had over 5 MILLION role assignments.  Yikes!

A large number of role assignments will lead to performance degradation.  When a user accesses an item, such as a site, page, list, library or item, role assignments have to be checked to determine permission.  If the role assignments list is huge, this will impact the amount of time it takes to figure out the user's permissions.  Other operations such as viewing list/library permissions, granting/revoking permissions and removing users from site collections will also suffer.

For example, on our troubled site collection with over 5 million role assignments, it could take up to 2 hours to remove a user from the site collection.  Once role assignments were cleaned up, removal time decreased to about 10 seconds.

The following T-SQL query can be ran against individual content databases to display all the role assignments.

You may find, like I did, that your permissions are out of control and need to be cleaned up.  This can be done in a variety of ways, including but not limited to:

• Resetting list inheritance
• Resetting list item inheritance
• Removing list permissions

You can find information and example PowerShell scripts for all of these activities here .

I hope you enjoyed the article.  Now go forth and conquer!

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

Reliable way to get role definition

What is the best way to get role definition id of the predefined role (like, reader, admin)?

I'm trying to configure a folder to have members have only read permissions. For this I'm removing existing role assignments to members and adding reader role to them. SharePoint REST API requires me to provide role definition id, but I can't find a way to get it reliably.

It seems like I can get it by name _api/web/roledefinitions/getbyname('Read') , but I'm concerned how to handle the case of non-English locale. I would expect it can be searched by type kind _api/web/roledefinitions/getbytypekind(2) , but I can't get it working. It gives me an error Cannot find resource for the request getbytypekind.

Also, can default role definition be deleted?

• sharepoint-online

2 Answers 2

It seems like I can get it by name _api/web/roledefinitions/getbyname('Read'), but I'm concerned how to handle the case of non-English locale

that's correct, SP.RoleDefinition.name property could vary per locale, so retrieving role definition by role type is definitely more reliable in this regard, SP.RoleDefinitionCollection.getByType method could be utilized here, for example:

where roletypeid corresponds to SP.RoleType enumeration

You can get the role definition list by

Then you can get the specific role by id(like read),so we don't need to care the locale issue:

The role list and id:

We can use the default role or customize our own role, so i think Microsoft do not need to provide API for deleting built-in roles.

Although we can use the getbytype method too, but the list of role type values are not very user friendly.(see more in the link below)

https://msdn.microsoft.com/en-us/library/office/dn531432.aspx#bk_RoleDefinitionCollectionGetById https://msdn.microsoft.com/en-us/library/office/dn531432.aspx#bk_RoleDefinitionCollectionGetByType

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

• The Overflow Blog
• The evolution of full stack engineers
• One of the best ways to get value for AI coding tools: generating tests
• Featured on Meta
• Join Stack Overflow’s CEO and me for the first Stack IRL Community Event in...
• User activation: Learnings and opportunities
• Staging Ground Reviewer Motivation
• What does a new user need in a homepage experience on Stack Overflow?

Hot Network Questions

• Working principle of the Zener diode acting as a voltage regulator in a circuit
• How do I go about writing a tragic ending in a story while making it overall satisfying to the reader?
• How can I support a closet rod where there's no shelf?
• Exam package: \numpages wrong when enforcing an even number of pages
• What's wrong with this solution?
• What does the phrase 'sons of God'/בני אלוהים mean throughout the Hebrew bible?
• If a friend hands me a marijuana edible then dies of a heart attack am I guilty of felony murder?
• Engaging students in the beauty of mathematics
• Why does friendship seem transitive with befriended function templates?
• Is the closest diagonal state to a given state always the dephased original state?
• Is it feasible to create an online platform to effectively teach college-level math (abstract algebra, real analysis, etc.)?
• Why doesn't SiLU suffer from a worse version of a "dying ReLU" problem?
• Is it possible for one wing to stall due to icing while the other wing doesn't ice?
• Was using an older version of a legal card from a nonlegal set ever not legal?
• Best memory / storage solution for high read / write throughput application(s)?
• Is this grammartically correct sentence "這藥物讓你每天都是良好的狀態"？
• Would it be illegal for Companies House to require a response to a letter on registration?
• What is the shortest viable hmac for non-critical applications?
• Identify this 6 pin IC
• Can anyone ID this bike? NSW, Australia
• How can I analyze the anatomy of a humanoid species to create sounds for their language?
• Was Willy Wonka correct when he accused Charlie of stealing Fizzy Lifting Drinks?
• Where to put acknowledgments in a math paper
• jq - ip addr show in tabular format

SharePoint Permissions Management – SharePoint Role Assignment

Last updated: July 17, 2024

Table of contents

This blog has been prepared by our dear friend Agnes Molnar, a SharePoint Server MVP . We will post it in two parts, this is the first part and we are sure it will be interesting and useful.

Agnes Molnar is an International Consultant, ECM & Search Expert, and SharePoint Server MVP. She has been working with SharePoint technologies since 2001, and has developed dozens of SharePoint and FAST implementations for commercial and government organizations throughout the world. A co-author and contributor to several SharePoint books, Agnes is a regular speaker at technical conferences and symposiums around the globe, read more on her blog .

Security is always one of the most critical points in any Content Management System. Knowing who I am and what I can see or do in the system is essential. This sounds obvious but actually it’s always very complex—in SharePoint 2013 as well.

SharePoint Security Steps

When talking about security, we can identify two major steps in every system: authentication and authorization.

• Authentication is the process when the system identifies me, gets answer to the question “Who are you?”, and verifies if you really are who you say you are.
• Authorization is the process of verifying what you can see or do, or in other words —“you are permitted to do what you are trying to do.” Authorization always presupposes successful authentication.

As SharePoint does role based on access control, the next thing to be aware of and understand is the role assignment. SharePoint role assignment has three main components in SharePoint:

• User or Group – the person or group of persons who gets the role.
• Security Scope – the subject
• Permission Level – the level of permission(s) the user or group is assigned to the subject.

Let me show you some examples:

• User : Jeff
• Security Scope : this document
• Permission Level : edit
• User : Chris
• Security Scope : this list
• Permission Level : change the settings (admin)
• Groups : HR, Marketing
• Security Scope : this site
• Permission Level : read
• User : Gary
• Security Scope : these files

SharePoint Role Assignment

In SharePoint, there are several levels of available security scopes. These levels are organized into a well-defined hierarchy; therefore, we have a very clear inheritance — by default, all the permission settings are inherited from the parent level to its children.

These levels are:

• List/Library
• Item/Document

It’s also worth noting that we have permission inheritance by the site hierarchy as well, by default; every site inherits the role assignment from its parent .

In this case, using the default settings, every list and document library inherits the role assignments from the site (and the site inherits from its parent site), as well as the folders, subfolders and items inside. These settings can be, for example:

• Group Marketing has contribution (read or write) access to everything;
• Group Sales has read access to everything;
• Jeff, Joe and Jim have contribution access to everything (regardless of their group membership).

If you use the default settings (inheritance) on each level, these groups will have read (Marketing) and contribution (HR) access to every list and library, every folder and subfolder, every item and document. For example, if you have a document library “Campaigns” with a folder for each year (2013, 2012 etc.), the Marketing group, Jeff, Joe, and Jim can add new documents, open and edit the existing ones, while the members of the Sales group will be able to read these documents but not modify them.

But of course, you can break this inheritance by defining custom SharePoint role assignment , on any level. In this case, you have the default role assignment on the site level (either set on this site or inherited from its parent site), but it’s not inherited to, and below the folder where you create the custom role assignment.

For example, let’s say we have the very same role assignment on site level:

But you have a specific folder in the document library “Campaigns” for the current year (2014) where you want the group ‘Sales’ to have contribution access as they might have to add or modify the current documents. In this case, you have to break the permission inheritance. The default role assignment after this will be identical with the current settings, but you can change it according to your needs:

• Group Sales has contribution (read or write) access to everything;

Of course, you can do this on any level. On one hand, this is good as you can have as custom and complex permission settings on your content as you want. On the other hand, it’s a very big challenge and might be a huge risk due to its complexity.

Note : In SharePoint 2013 and Office 365, it’s very simple to share documents or even folders, lists and libraries with your colleagues. This makes the end users’ lives much easier, but can be a real challenge for the administrators.

SPDockit is a great solution that can be very useful during the SharePoint permissions management process. Use it to explore or create many useful and very detailed SharePoint permissions reports .

Continue reading part two…

Discover, secure, and control M365

Manage your company’s Microsoft 365 ecosystem with Syskit Point, a scalable platform that will help you govern and secure your environment while giving you deep visibility into your entire inventory.

Subscribe to our Newsletter

Thank you for joining our community!

Related Posts

Microsoft 365 migration checklist with SPDockit

SharePoint Admin problem #1: The SQL Server is out of disk space

Can you save money with Microsoft 365 Archive?

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

What is client context and role assignments?

This script is used to remove all sharing link on files. My question is: I don't understand what Get-PnPContext is or what RoleAssignment is?

I don't understand those commands, can someone explain them to me?

• pnp-powershell

2 Answers 2

In most cases, you can get a lot of information on all PowerShell commands by using the Get-Help (or simply the alias help ) before the command itself:

In that case, not very helpful unless you know what the ClientContext Class actually does. Simply explained, the client context is an object that contains information about SharePoint objects ( sites, lists and items ) and methods ( create, read, update, delete ).

We need it to be able to do things like retrieve files and send updates back.

An item can have many Role Assignments . Each of them contains a user or a group as well as role definitions that says what the user or group is allowed to do with that item.

In your script, you are looping through the role assignments of each item and looking for members (users/groups) that begin with "SharingLinks". These are special SharePoint groups that are created when you use the Share/Get link function of a library.

When you delete just these members from the role assignments, you are removing all the sharing links but leaving the rest of the permissions set for the files intact.

What is Get-PnPContext?

It returns a Client Side Object Model context.

For example,

The above code will put the current context in the $ctx variable.

For details about the Get-PnPContext refer to the below MSDN article:

Get-PnPContext

What is RoleAssignment?

It defines the securable object role assignments for a user or group on the Web site, list, or list item.

Otherway, we can say a role assignment is a relationship between role definitions, users and groups, and scopes.

Is there any impact on SharePoint over a larger number of role assignments?

A large number of role assignments will lead to performance degradation . When a user accesses an item, such as a site, page, list, library, or item, role assignments have to be checked to determine permission. If the role assignments list is huge, this will impact the amount of time it takes to figure out the user’s permissions. Other operations such as viewing list/library permissions, granting/revoking permissions, and removing users from site collections will also suffer.

For example, on our troubled site collection with over 5 million role assignments, it could take up to 2 hours to remove a user from the site collection. Once role assignments were cleaned up, removal time decreased to about 10 seconds.

SharePoint Role Assignments

For more details on RoleAssignment refer to the below MSDN article:

RoleAssignment class

RoleAssignment properties

Your Answer

Sign up or log in, post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged powershell pnp-powershell or ask your own question .

• The Overflow Blog
• The evolution of full stack engineers
• One of the best ways to get value for AI coding tools: generating tests
• Featured on Meta
• Join Stack Overflow’s CEO and me for the first Stack IRL Community Event in...
• User activation: Learnings and opportunities

Hot Network Questions

• Is it possible for one wing to stall due to icing while the other wing doesn't ice?
• How can I analyze the anatomy of a humanoid species to create sounds for their language?
• Does hydrogen peroxide work as a rocket fuel oxidizer by itself?
• Practice test paper answers all seem incorrect, but provider insists they are ... what am i missing?
• Use of "them" in "…she fights for the rights and causes I believe need a warrior to champion them" by Taylor Swift
• Engaging students in the beauty of mathematics
• Is this grammartically correct sentence "這藥物讓你每天都是良好的狀態"？
• What's wrong with this solution?
• How to make conditions work in Which?
• Is it secure to block passwords that are too similar to other employees' old passwords?
• If a friend hands me a marijuana edible then dies of a heart attack am I guilty of felony murder?
• How much technological progress could a group of modern people make in a century?
• Inspector tells me that the electrician should have removed green screw from the panel
• LaTeX labels propositions as Theorems in text instead of Propositions
• Getting lost on a Circular Track
• What prevents indoor climbing gyms from making a v18 boulder even if one hasn't been found outside?
• Please help me identify my Dad's bike collection (80's-2000's)
• Finding Exact Trigonometric Values
• Why doesn't SiLU suffer from a worse version of a "dying ReLU" problem?
• How much could gravity increase before a military tank is crushed
• Did Queen (or Freddie Mercury) really not like Star Wars?
• Assumptions of Linear Regression (homoscedasticity and normality of residuals)
• Is this map real?
• Can a V22 Osprey operate with only one propeller?

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Get-Management Role Assignment

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Get-ManagementRoleAssignment cmdlet to retrieve management role assignments.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax .

Description

You can retrieve role assignments in a variety of ways including by assignment type, scope type, or name, and whether the assignment is enabled or disabled. You can also view a list of role assignments that provide access to a specified recipient, server, or database.

For more information about management role assignments, see Understanding management role assignments .

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet .

This example retrieves the Denver Help Desk role assignment using the Get-ManagementRoleAssignment cmdlet and pipes the output to the Format-List cmdlet. For more information about the Format-List cmdlet, see Working with command output .

This example retrieves all the role assignments that are enabled and have been designated as delegating role assignments.

This example retrieves all the role assignments that include the MyGAL recipient-based scope restriction type.

This example retrieves all the role assignments associated with the Mail Recipients management role.

This example retrieves a list of all the users and the role assignments that can modify the recipient Bob.

This example retrieves a list of all exclusive scopes that can modify server objects that match Redmond Executive Servers. The command also lists the users who are effectively assigned the role assignments through role groups or USGs.

This example retrieves all the role assignments that can modify the database Contoso Sales.

-AssignmentMethod

The AssignmentMethod parameter specifies the type of role assignment to include in the results returned by the cmdlet. You can specify one or more of the following values:

• SecurityGroup
• RoleAssignmentPolicy

If you provide more than one value, separate each value with a comma.

You must specify a value with the RoleAssignee parameter if you use the AssignmentMethod parameter.

-ConfigWriteScope

The ConfigWriteScope parameter specifies the type of management configuration scope to include in the results returned by the cmdlet. The valid values are None, OrganizationConfig, CustomConfigScope, and ExclusiveConfigScope.

-CustomConfigWriteScope

This parameter is available only in on-premises Exchange.

The CustomConfigWriteScope parameter returns only the regular role assignments that include the specified configuration-based regular scope.

This parameter can only be used to retrieve regular configuration-based scopes. To retrieve a list of exclusive configuration-based scopes, use the ExclusiveConfigWriteScope parameter instead.

If the scope name contains spaces, enclose it in quotation marks (").

-CustomRecipientWriteScope

The CustomRecipientWriteScope parameter returns only the regular role assignments that include the specified recipient-based regular scope.

This parameter can only be used to retrieve regular recipient-based scopes. To retrieve a list of exclusive recipient-based scopes, use the ExclusiveRecipientWriteScope parameter instead.

-Delegating

The Delegating parameter specifies whether delegating or regular role assignments should be returned.

By default, both delegating and regular scopes are returned. To return only delegating role assignments, specify a value of $true. To return only regular role assignments, specify a value of $false.

-DomainController

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.

The Enabled parameter specifies whether enabled or disabled role assignments should be returned. To return enabled role assignments, specify a value of $true. To return disabled role assignments, specify a value of $false.

The Exclusive parameter specifies whether exclusive or regular role assignments should be returned.

By default, both exclusive and regular scopes are returned. To return only exclusive role assignments, specify a value of $true. To return only regular role assignments, specify a value of $false.

-ExclusiveConfigWriteScope

The ExclusiveConfigWriteScope parameter returns only the exclusive role assignments that include the specified configuration-based exclusive scope.

This parameter can only be used to retrieve exclusive configuration-based scopes. To retrieve a list of regular configuration-based scopes, use the CustomConfigWriteScope parameter instead.

-ExclusiveRecipientWriteScope

The ExclusiveRecipientWriteScope parameter returns only the exclusive role assignments that include the specified recipient-based exclusive scope.

This parameter can only be used to retrieve exclusive recipient-based scopes. To retrieve a list of regular recipient-based scopes, use the CustomRecipientWriteScope parameter instead.

-GetEffectiveUsers

The GetEffectiveUsers switch specifies that the command should show the list of users in the role groups, role assignment policies, or USGs that are associated with the role assignment. You don't need to specify a value with this switch.

Effectively, users are associated with the role assignment through their role group, role assignment policy, or USG memberships.

The Identity parameter specifies the name of the role assignment to retrieve. If the name of the role assignment contains spaces, enclose it in quotation marks ("). If the RoleAssignee parameter is used, you can't use the Identity parameter.

-RecipientAdministrativeUnitScope

This parameter is functional only in the cloud-based service.

The RecipientAdministrativeUnitScope parameter returns only the role assignments that include the specified administrative unit.

Administrative units are Microsoft Entra containers of resources. You can view the available administrative units by using the Get-AdministrativeUnit cmdlet.

-RecipientGroupScope

This parameter is available only in the cloud-based service.

The RecipientGroupScope parameter returns only the role assignments that are scoped to groups. You can use any value that uniquely identifies the group: Name, DistinguishedName, GUID, DisplayName.

-RecipientOrganizationalUnitScope

The RecipientOrganizationalUnitScope parameter returns only the role assignments that include the specified organizational unit (OU). If the OU tree contains spaces, enclose it in quotation marks (").

-RecipientWriteScope

The RecipientWriteScope parameter returns only the role assignments associated with the recipient scope restriction type specified. The valid values are None, MyGAL, Self, OU, CustomRecipientScope, MyDistributionGroups and ExclusiveRecipientScope.

The Role parameter returns only the role assignments associated with the specified management role. If the name of the role contains spaces, enclose it in quotation marks (").

-RoleAssignee

The RoleAssignee parameter specifies the role group, assignment policy, user, or universal security group (USG) for which you want to view role assignments. If the RoleAssignee parameter is used, you can't use the Identity parameter.

By default, the command returns both direct role assignments to the role assignee and indirect role assignments granted to a role assignee through role groups or assignment policies.

If the name of the user or USG contains spaces, enclose it in quotation marks (").

-RoleAssigneeType

The RoleAssigneeType parameter specifies the type of role assignee to return. The valid values are User, SecurityGroup, RoleAssignmentPolicy, ForeignSecurityPrincipal, RoleGroup, LinkedRoleGroup and Computer.

-WritableDatabase

The WritableDatabase parameter specifies the database object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. You can use any value that uniquely identifies the database. For example:

• Distinguished name (DN)

If you use this parameter with the GetEffectiveUsers switch, all the users who can modify the database object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users and USGs directly assigned the role assignment are returned.

-WritableRecipient

The WritableRecipient parameter specifies the recipient object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the recipient name contains spaces, enclose it in quotation marks (").

If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the recipient object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users and USGs directly assigned the role assignment are returned.

-WritableServer

The WritableServer parameter specifies the server object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment.

You can use any value that uniquely identifies the server. For example:

• Exchange Legacy DN

If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the server object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users and USGs directly assigned the role assignment are returned.

Input types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types . If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.

Output types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types . If the Output Type field is blank, the cmdlet doesn't return data.

Was this page helpful?

Additional resources