I am building an app which needs to be able to read role-assignments from document libraries on a specific Sharepoint site with the help of ms-graph. The Sites.Selected API permission works almost perfectly for my use case but for some reason I can't retrieve all role-assignments on document libraries without Sites.FullControl.All. I can still retrieve roles from folders and files below a document library.
With the code below I am able to see that 'James Doe' has 'write' permissions to a library while Sites.FullControl.All is active for my app registration and without it the roles attribute holds no elements
var docLibs = await graphServiceClient.Sites[this.siteId].Drives
.Request().GetAsync();
foreach (var docLib in docLibs){
var perms = await graphServiceClient.Sites[siteId].Drives[$"{docLib.Id}"]
.Root.Permissions.Request().GetAsync();
foreach (var perm in perms) {
Console.WriteLine($"{perm.GrantedTo.User.DisplayName} - {Perm.Roles.ToList().Count}");
}
}
// With Sites.Selected (using ['write'] permission):
// ==> James Doe - 0
// With Sites.FullControl.All:
// ==> James Doe - 1
I've tried many other API permission but only Sites.FullControl.All seem to enable the reading of role-assignments correctly. I am looking for a less privileged alternative that still enables the reading of role-assignments on document libraries.
The best solution would be if Sites.Selected could accept a request akin to
// POST https://graph.microsoft.com/v1.0/sites/<...>/permissions
{
"roles": [
"sp.full control" // Instead of 'write'
],
"grantedToIdentities": [
{
"application": {
"id": "11111111-1111-1111-1111-111111111111",
"displayName": "My graph App"
}
}
]
}
giving the application FullControl only to the specific site. However, I have not seen anyone being able to use roles besides read and write for the endpoint.