Updated by Marcello Rocha Pereira over 2 years ago
First of all, we need to understand what MS calls `Permissions` in their API. To quote them:
> The **Permission** resource provides information about a sharing permission granted for a [DriveItem](https://learn.microsoft.com/en-us/graph/api/resources/driveitem?view=graph-rest-1.0) resource.
>
> Sharing permissions have many different forms. The **permission** resource represents these different forms through facets on the resource.
Sharing Permissions can be one of: `read`, `write` or `owner`. While those give "access" to the file/folder, it isn't exactly access control, as someone who has access to the relevant `Document Library` (i.e. `drive resource`) can see the folder/file normally.
Actual user access control is done through the SharePoint Site Group, and that's site-wide. It is possible to make folders not inherit the site permissions, but this implies steps to be taken by the SharePoint Admin.
The API allows for adding and removing users to a `Group`, but in order to make a Folder/Document Library not inherit the permissions, Site Admin action is required, and it isn't considered good practice, as this creates "granular permissions" and increases the burden on admins.
We can add/remove users to the Site group, but the application would need to give us a lot of power over their Entra/Directory (namely `GroupMember.ReadWrite.All` and `User.ReadWrite.All`, very possibly `Directory.ReadWrite.All`). These application permissions would apply to the whole tenant (`User.ReadWrite.All`) and all `Groups`. (**Note:** It is worth noting that there's a possibility of synchronization with an on-premises Active Directory.)
Note that we can't (as in there's no API at all for):
1\. Create a Site
2\. Edit the ACL for folders or Document Libraries in order to make them not inherit the permissions.
3\. Probably other details :P
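One way to see how much directory power an app registration actually holds, as an added example that is not part of the original page: app-only Microsoft Graph tokens carry the granted application permissions in the `roles` claim, so the code below decodes a token payload and flags the tenant-wide permissions named above. The sample token is constructed inline, its signature is not verified, and the function names are hypothetical.

```python
import base64
import json

# Tenant-wide Graph application permissions named on this page.
BROAD_ROLES = {
    "GroupMember.ReadWrite.All": "read and write all group memberships",
    "User.ReadWrite.All": "read and write all users' full profiles",
    "Directory.ReadWrite.All": "read and write directory data",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def broad_roles(jwt: str) -> dict:
    """Return the tenant-wide application permissions present in the token."""
    roles = token_claims(jwt).get("roles", [])  # delegated tokens use 'scp' instead
    if isinstance(roles, str):
        roles = [roles]
    return {r: BROAD_ROLES[r] for r in roles if r in BROAD_ROLES}


def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "constructed"])


if __name__ == "__main__":
    sample = make_sample_token(
        ["Sites.Read.All", "GroupMember.ReadWrite.All", "User.ReadWrite.All"]
    )
    for role, meaning in broad_roles(sample).items():
        print(f"tenant-wide: {role} ({meaning})")
```
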
<TO BE CONTINUED>