
We created a SharePoint add-in with the following permissions:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read"/>
    </AppPermissionRequests>

My understanding is that an app with tenant scope permissions should be able to read all the site contents. In this case the call to

    /_api/web/lists('<id>')/items(<id>)/roleassignments

fails with the following error:

Client error 403

{
    "odata.error":
    {
       "code":"-2147024891, System.UnauthorizedAccessException",
       "message":
       {
           "lang":"en-US",
           "value":"Access denied. You do not have permission to perform this action or access this resource."
       }
    }
}

Note that a call to /_api/web/lists('<id>')/items(<id>) for the same item works fine. The roleassignments call with tenant permissions is also working for one of the SPO instances but not for a different one.

user2250152

1 Answer

We've struggled with this issue on and off, because the solution is not obvious, nor even sensible from a least-privilege perspective. In short:

Your application requires FullControl rights in order to access RoleAssignments.

More details

If using an application created by Azure AD, you can demonstrate this by granting and consenting to SharePoint permissions such as:

  • AllSites.Read (delegated)
  • MyFiles.Read (delegated)
  • Sites.Selected (application)
  • User.Read.All (delegated)
  • User.Read.All (application)

If using a SharePoint-created application, use appregnew.aspx and appinv.aspx to create the app and grant it Read rights at some reasonable scope; try http://sharepoint/content/tenant.

Then get a bearer token using a client_credentials workflow (use Postman, for example).

Try a query like:

https://your-tenant.sharepoint.com/_api/web/GetFolderByServerRelativeUrl('/Shared Documents')/Files?$select=Length,TimeLastModified,ListItemAllFields,ServerRelativeUrl

Make sure the Authorization header value is Bearer your-access-token.

It will work.

Now try the same query, but with getting role assignments:

https://your-tenant.sharepoint.com/_api/web/GetFolderByServerRelativeUrl('/Shared Documents')/Files?$select=Length,TimeLastModified,ListItemAllFields,ServerRelativeUrl&$expand=ListItemAllFields/RoleAssignments/RoleDefinitionBindings/Name

It will fail as you described, with status 403 and System.UnauthorizedAccessException.

Now grant and consent to the SharePoint application permission Sites.FullControl.All, or use appinv.aspx to add FullControl rights. Get a new bearer token. (The old one encodes the old rights granted to the app in the role field of the payload.) You'll need to wait a few minutes until the permissions apparently propagate from AD to SharePoint, if you're using an Azure AD application.

Try the last query again, and it will work.

IMHO, requiring FullControl in order to resolve something like a role assignment, which is needed to capture the permissions required to access content in a SharePoint library, is unjustified. I could understand, sort of, if tenant-scope Read permission were required. However, granting AllSites.Read or tenant-scope (http://sharepoint/content/tenant in appinv.aspx XML permissions) doesn't seem to enable roleassignment lookup.

Eric Schoen
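As an added example (not code from the question or the answer), the Python diagnostic below ties the two observations together: it recognises the 403 odata.error body quoted in the question and inspects the bearer token's payload to see whether the app permissions it carries include Sites.FullControl.All, which the answer found necessary for RoleAssignments. It assumes the Azure AD application permissions appear in a "roles" claim; the claim name, the token builder and the sample token are constructed for the demo.

```python
import base64
import json

# Response body exactly as quoted in the question (constructed copy for the demo).
ACCESS_DENIED_BODY = json.dumps({
    "odata.error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {"lang": "en-US",
                    "value": "Access denied. You do not have permission to perform this action or access this resource."},
    }
})


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only.
    The signature is NOT verified here, so never use this to trust a token,
    only to look at the claims of a token you already hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_sharepoint_access_denied(status: int, body: str) -> bool:
    """True when the response is the 403 odata.error shape shown in the question."""
    if status != 403:
        return False
    try:
        err = json.loads(body)["odata.error"]
    except (ValueError, KeyError, TypeError):
        return False
    return "System.UnauthorizedAccessException" in err.get("code", "")


def explain_role_assignments_403(token: str, status: int, body: str) -> str:
    """Explain a RoleAssignments 403 in terms of the rights the token carries.
    Assumption: Azure AD application permissions are listed in the 'roles' claim."""
    if not is_sharepoint_access_denied(status, body):
        return "not the RoleAssignments access-denied case"
    roles = decode_jwt_payload(token).get("roles", [])
    if "Sites.FullControl.All" in roles:
        return "token already carries Sites.FullControl.All; wait for propagation and retry"
    return f"token roles {roles} lack Sites.FullControl.All, which RoleAssignments requires"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string so the demo runs offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.sig"
```

Run it against a real token only after checking that the 403 body matches; a 403 with a different code (or a 401) points at a different problem than the one the answer describes.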