Updated by Marcello Rocha Pereira over 2 years ago
First of all, we need to understand what Microsoft calls `Permissions` in their API. To quote them:
> The **Permission** resource provides information about a sharing permission granted for a [DriveItem](https://learn.microsoft.com/en-us/graph/api/resources/driveitem?view=graph-rest-1.0) resource.
>
> Sharing permissions have many different forms. The **permission** resource represents these different forms through facets on the resource.

Sharing permissions can be one of: `read`, `write` or `owner`. While those give "access" to the file/folder, this isn't exactly access control, as someone who has access to the relevant `Document Library` (i.e. `drive resource`) can see the folder/file normally.

Actual user access control is done through a SharePoint Site Group, and that's site-wide. It is possible to make folders not inherit the site permissions, but this implies steps to be taken by the SharePoint admin.

The API allows for adding and removing users to a `Group`, but the permissions required would give us a lot of power over their Entra/Directory (namely `GroupMember.ReadWrite.All` and `User.ReadWrite.All`, and very possibly `Directory.ReadWrite.All`).
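
To check whether an integration already carries any of the broad permissions named above, the following added example (not part of the original page or of any Microsoft SDK) reads the permission claims from a Graph access token. It assumes application permissions arrive in the `roles` claim and delegated ones in `scp`; the helper names and the sample token are constructed for illustration.

```python
import base64
import json

# Graph permissions the page names as giving broad power over the directory.
BROAD_DIRECTORY_PERMISSIONS = {
    "GroupMember.ReadWrite.All",
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
}


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_permissions(access_token):
    """Return the set of permissions carried by a token.

    The signature is NOT verified: this audits what was granted,
    it is not an authentication check.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = b64url_json(parts[1])
    roles = claims.get("roles") or []          # application permissions (list)
    scopes = (claims.get("scp") or "").split()  # delegated permissions (string)
    return set(roles) | set(scopes)


def broad_directory_grants(access_token):
    """Sorted list of the broad directory permissions present in the token."""
    return sorted(granted_permissions(access_token) & BROAD_DIRECTORY_PERMISSIONS)


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real one)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: an app token holding one narrow and one broad permission.
SAMPLE_TOKEN = make_sample_token(
    {"roles": ["Sites.Selected", "GroupMember.ReadWrite.All"]}
)
print(broad_directory_grants(SAMPLE_TOKEN))
```

An empty list means none of the three permissions is present in that token; it says nothing about other grants the app registration may hold.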
<TO BE CONTINUED>