Why is roles a collection in permission object in Drive/Sharepoint permission graph API

User123098 41 Reputation points

Hello everyone,

I was going through permission related APIs in Microsoft graph to query OneDrive/Sharepoint item permissions. Permission API has a property roles in its response which is a collection.


  1. Why is roles property a collection. As per my understanding, a single user can have only a single permission either reader, writer or owner, so why does API returns a collection.
  2. Can there be multiple items in roles, or there will always be one item in the roles collection
  3. If there can be multiple values in roles, how do identify what permission does the user have?
  4. How do we identify if a user has review permissions on an item as none of the role values signify review permission.
  5. Also, link level permissions have a type attribute, signifying read only or read write access. As per documentation, there are only 3 possible values: view, edit, embed, however, I received review as a value as well. What other values we can expect in this attribute.
  6. Link level permissions have both role as well as link.type to denote permission type, which one should clients use to determine access type.


Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,321 questions
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,211 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. RaytheonXie_MSFT 33,481 Reputation points Microsoft Vendor

    Hi @User123098,

    1. A single user could be granted with several roles. Since the sharelink could be set expire date. If you have shared the item with same user multiple times, the users will have multiple roles to the item with different exipre date.
    2. You could share a folder contains multiple items. The user will have the access to the items in the folder.
    3. If there are multiple values in roles, such as read and write. The user will have the write permision level.
    4. As "can review" is a new feature in the SharePoint, the graph api might haven't updated the document.
    5. Link level permissions have four types contian view, edit, embed and review.
    6. To distinguish level permissions, you could use roles instead of link type.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.