
[FEATURE] Get-PnpProperty RoleAssignments returns many Limited Access entries

Open SPDEVGUY opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe. Feature

Describe the solution you'd like

I would like to see either a dedicated method for Get-PNPRoleAssignments for an object (Web/List/Folder/File/ListItem) or the ability to filter the role assignments returned for permissions on an object so the server doesn't return RoleAssignments with Role Definition binding of LimitedAccess or have the IsHiddenFromUI property on it.

We have a site with WAY too many limited access permissions sitting on the root web thanks to Microsoft's dumb permission granting Sharing Links functionality that was over-used in a site by our users. Now when we run a report to try and gather permissions on items, if they have inherited permissions from the site and we make a call for RoleAssignments, it returns 50+ limited access entries and hidden from UI entries, which we then need to filter out.

This is a huge waste of data and processing to remove these when I know that the API call can be passed filters for these if I call it directly. My recommendation would be to have a flag for -IncludeSystemAndLimitedPermissions on the method to include these permissions, which are otherwise hidden and not meaningful to the user the majority of the time.

Describe alternatives you've considered

I could try doing the call myself to query the role assignments but I'm not quite sure how to work with both PNP and rest api at the same time?

Additional context

SPDEVGUY avatar Jan 26 '24 05:01 SPDEVGUY

Hi @SPDEVGUY, how do you do it currently? Can you maybe share a sample script? We can absolutely help out with a cmdlet to make this easier.

gautamdsheth avatar Jan 28 '24 16:01 gautamdsheth

Something to keep in mind is that many resources within SharePoint, especially regarding Site or OneDrive level resources, require that you are a Site Collection administrator to pull various pieces of data, depending on what it is. One way that I've gotten around this on some scripts is to run a check for admin permissions on the location; if that fails, it applies permissions and adds you to an index. After the script is complete, it runs through that index and removes you from locations you weren't already a site admin for to begin with. Hope this helps.

Also, I agree with gautamdsheth. Having a script copy would help.

DravenWB avatar Jan 28 '24 17:01 DravenWB
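The temporary-admin pattern DravenWB describes, as an added example written for this thread (it is not DravenWB's script and not part of PnP PowerShell). It assumes an existing connection opened with Connect-PnPOnline to the site being reported on, and that the running account's UPN is passed in as `-Account`. Instead of a trailing index that is cleaned up at the end, the grant is scoped to one `try`/`finally` per site, so the account is removed again even if the report throws part-way through.

```powershell
# Added example, not from the issue thread or the PnP PowerShell project.
# Runs $Action as a site collection admin and leaves the site as it was found.
function Invoke-WithTemporarySiteAdmin {
    [CmdletBinding()]
    param(
        # UPN/email of the account running the script (assumed, caller-supplied)
        [Parameter(Mandatory)][string]$Account,
        # The report or other work to perform while elevated
        [Parameter(Mandatory)][scriptblock]$Action
    )

    # Was the account already a site collection admin? Then never touch it.
    $wasAdmin = [bool](Get-PnPSiteCollectionAdmin |
        Where-Object { $_.Email -eq $Account -or $_.LoginName -like "*|$Account" })

    $granted = $false
    try {
        if (-not $wasAdmin) {
            Write-Verbose "Temporarily adding $Account as site collection admin"
            Add-PnPSiteCollectionAdmin -Owners $Account
            $granted = $true
        }
        & $Action
    }
    finally {
        # Cleanup runs on success, on error and on Ctrl+C, so no grant is left behind.
        if ($granted) {
            Write-Verbose "Removing temporary site collection admin $Account"
            Remove-PnPSiteCollectionAdmin -Owners $Account
        }
    }
}

# Usage (after Connect-PnPOnline -Url <site>):
# Invoke-WithTemporarySiteAdmin -Account 'reporter@contoso.example' -Action {
#     Get-PnPWeb -Includes RoleAssignments | Select-Object Url, { $_.RoleAssignments.Count }
# } -Verbose
```

The `$wasAdmin` check is what prevents the cleanup from stripping an account that was legitimately an admin before the script ran; the `-Verbose` lines give an audit trail of every grant and removal.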

When retrieving an item I request the RoleAssignments property:

$web = Get-PnPWeb -Includes HasUniqueRoleAssignments, RoleAssignments, LastItemModifiedDate

Then I loop through each role assignment, getting the RoleDefinitionBindings and Members. (Honestly, those both should be populated automatically; that's the only purpose of going through the role assignments, lol.)

I have to filter out IsHiddenInUI on members and Hidden on RoleDefinitionBindings, which usually removes any Limited Access type permissions. That can mean it comes back with no role defs, so then I have to skip that.

If we could have the role assignments pre-filtered if they are hidden (with a specific argument or method call or something), then it would save me an API call with Get-PnPProperty and it would also return WAY less information in RoleAssignments, as it returns 200+ items and I end up filtering it down to around 15 actual non-system permissions.

I have a function which receives the $web obj then performs this:

foreach ($ra in $permissionSource.RoleAssignments) {
    # ...
    # Load the member and its role definition bindings (one round-trip per assignment);
    # output is suppressed so the loaded values don't leak into the function's pipeline
    Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings, Member | Out-Null
    $roleDefs = $ra.RoleDefinitionBindings | Where-Object { $_.Hidden -eq $false }
    $member = $ra.Member
    if ($member.IsHiddenInUI) {
        continue # Skip hidden items
    }

    $moniker = $ra.Member.Title
    $isGroup = $ra.Member -is [Microsoft.SharePoint.Client.Group]
    $roles = ($roleDefs.Name -join ", ")
    if ($roles -eq "" -or $roles -eq $null) {
        continue # Skip limited access
    }
    # ...
}

SPDEVGUY avatar Jan 30 '24 05:01 SPDEVGUY
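What the requested cmdlet could look like, as an added example written for this thread (it is neither SPDEVGUY's script nor code from the PnP PowerShell project). It serves both the original request for a `-IncludeSystemAndLimitedPermissions` switch and the question of mixing PnP with REST: the first function wraps the CSOM loop from the post above in a reusable command that works for Web, List and ListItem objects; the second does the same job over REST with `Invoke-PnPSPRestMethod`, expanding `Member` and `RoleDefinitionBindings` in a single request so the per-assignment `Get-PnPProperty` round-trip disappears. Both assume an open `Connect-PnPOnline` session; the function names, the switch name and the `PrincipalType -eq 8` group test are assumptions for this example, not an existing API.

```powershell
# Added example, not from the issue thread or the PnP PowerShell project.
# Returns only the permissions a person actually sees in the UI unless the
# (hypothetical) -IncludeSystemAndLimitedPermissions switch is given.
function Get-FilteredRoleAssignment {
    [CmdletBinding()]
    param(
        # Any securable object: Web, List or ListItem (folders/files via their ListItem)
        [Parameter(Mandatory)]
        [Microsoft.SharePoint.Client.SecurableObject]$SecurableObject,
        # Switch modelled on the request in this issue (assumed name)
        [switch]$IncludeSystemAndLimitedPermissions
    )

    # Load the collection and the inheritance flag if the caller didn't -Includes them
    Get-PnPProperty -ClientObject $SecurableObject -Property RoleAssignments, HasUniqueRoleAssignments | Out-Null

    foreach ($ra in $SecurableObject.RoleAssignments) {
        # One round-trip per assignment: this is the cost the issue wants to avoid
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        $member   = $ra.Member
        $roleDefs = @($ra.RoleDefinitionBindings)

        if (-not $IncludeSystemAndLimitedPermissions) {
            if ($member.IsHiddenInUI) { continue }                     # system principals
            $roleDefs = @($roleDefs | Where-Object { -not $_.Hidden })  # drops "Limited Access"
            if ($roleDefs.Count -eq 0) { continue }                    # nothing visible left
        }

        [pscustomobject]@{
            Principal                = $member.Title
            LoginName                = $member.LoginName
            IsGroup                  = $member -is [Microsoft.SharePoint.Client.Group]
            Roles                    = ($roleDefs | ForEach-Object Name) -join ', '
            HasUniqueRoleAssignments = $SecurableObject.HasUniqueRoleAssignments
        }
    }
}

# REST variant: one request returns every assignment with Member and
# RoleDefinitionBindings already expanded. Filtering still happens client-side,
# but there is no per-assignment call. Web-level only, for brevity.
function Get-WebRoleAssignmentViaRest {
    [CmdletBinding()]
    param([switch]$IncludeSystemAndLimitedPermissions)

    # Relative URL is resolved against the current connection's site
    $url    = '/_api/web/roleassignments?$expand=Member,RoleDefinitionBindings'
    $result = Invoke-PnPSPRestMethod -Url $url

    foreach ($ra in $result.value) {
        $roleDefs = @($ra.RoleDefinitionBindings)
        if (-not $IncludeSystemAndLimitedPermissions) {
            if ($ra.Member.IsHiddenInUI) { continue }
            $roleDefs = @($roleDefs | Where-Object { -not $_.Hidden })
            if ($roleDefs.Count -eq 0) { continue }
        }
        [pscustomobject]@{
            Principal = $ra.Member.Title
            LoginName = $ra.Member.LoginName
            IsGroup   = ($ra.Member.PrincipalType -eq 8)   # 8 = SharePoint group (assumed mapping)
            Roles     = ($roleDefs | ForEach-Object Name) -join ', '
        }
    }
}

# Usage (after Connect-PnPOnline):
# Get-FilteredRoleAssignment -SecurableObject (Get-PnPWeb) | Format-Table
# Get-FilteredRoleAssignment -SecurableObject (Get-PnPList -Identity 'Documents') -IncludeSystemAndLimitedPermissions
# Get-WebRoleAssignmentViaRest | Format-Table
```

Both functions apply the same two tests the post describes (member hidden in the UI, role definition hidden) and skip assignments that end up with no visible role definition, which is how a Limited Access entry looks once its hidden binding is removed. Because neither filter runs server-side, the 200+ entries are still transferred; the REST variant only collapses the follow-up calls into the first request.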