Sharepoint / MS Graph Layer shows permission differences

David Tissen 40 Reputation points
2024-02-01T10:31:51.77+00:00

Maybe I am stuck somewhere in the architectural concept of SharePoint and the MS Graph API.
The business requirement is to prevent users from deleting files in SharePoint.

This question is answered in this discussion: Prevent deletion of SharePoint files => There is a capability to define custom permission levels on the SharePoint level. After setting up a custom permission level and changing a document library's permissions to use the new permission level, all subfolders inherit the parent permissions:

[screenshot omitted]

Getting the driveItem permissions shows the following:

```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('[REMOVED]')/items('[REMOVED]')/permissions",
  "value": [
    {
      "id": "[REMOVED]",
      "roles": [ "owner" ],
      "shareId": "[REMOVED]",
      "grantedToV2": {
        "siteGroup": {
          "displayName": "Besitzer von [REMOVED]",
          "id": "3",
          "loginName": "Besitzer von [REMOVED]"
        }
      },
      "grantedTo": { "user": { "displayName": "Besitzer von [REMOVED]" } },
      "inheritedFrom": {}
    },
    {
      "id": "[REMOVED]",
      "roles": [ "read" ],
      "shareId": "[REMOVED]",
      "grantedToV2": {
        "siteGroup": {
          "displayName": "Besucher von [REMOVED]",
          "id": "4",
          "loginName": "Besucher von [REMOVED]"
        }
      },
      "grantedTo": { "user": { "displayName": "Besucher von [REMOVED]" } },
      "inheritedFrom": {}
    },
    {
      "id": "[REMOVED]",
      "roles": [ "write" ],
      "shareId": "[REMOVED]",
      "grantedToV2": {
        "siteGroup": {
          "displayName": "Mitglieder von [REMOVED]",
          "id": "5",
          "loginName": "Mitglieder von [REMOVED]"
        }
      },
      "grantedTo": { "user": { "displayName": "Mitglieder von [REMOVED]" } },
      "inheritedFrom": {}
    }
  ]
}
```

As shown above, "Mitglieder von [REMOVED]" has the role "write". It does not show my custom permission. According to the MS Graph DriveItem Permission resource type, DriveItems support only three roles and their associated permissions: owner, read, write. My questions are:

  • I am aware that every DriveItem has a ListItem twin which represents the SharePoint item for the DriveItem. Assumption: SharePoint and DriveItem have their own permission management. It is somehow applied from SharePoint onto the DriveItem.
  • Why does MS Graph not show the custom permission level as "Role"?
  • What will happen if I try to delete the DriveItem? Based on the permission shown in SharePoint, it should fail, because I have no delete permission on the ListItem.
  • How do I get the actual permissions for a DriveItem and also its ListItem permissions?

Thanks!

Microsoft 365 and Office | SharePoint | For business | Windows
Microsoft Security | Microsoft Graph

Accepted answer
  1. RaytheonXie_MSFT 40,471 Reputation points Microsoft External Staff
    2024-02-02T08:25:31.28+00:00

    Hi @David Tissen,

    Per my research, there is currently no such function to get user permissions in a site via Graph. As a workaround, I would recommend using the REST API to get the permission level. Please refer to the following API:

    http://<SharePoint site>/_api/web/roleDefinitions  
    

    Here is the test result:

    [screenshot omitted]



1 additional answer

  1. David Tissen 40 Reputation points
    2024-02-05T08:13:02.0733333+00:00

    @RaytheonXie_MSFT Thanks for your answer. That was also my conclusion. My question is: the permission on the list item differs from the permission shown by the MS Graph API. My testing showed that the permission on the list item seems to be honored, and I cannot delete the driveItem even though the MS Graph role shown for this driveItem would allow such an operation. Am I right that SharePoint takes care that driveItems honor SharePoint list item permissions, and that actions on a driveItem using the MS Graph API also honor the list item permissions?

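The comparison David describes (coarse Graph role versus the SharePoint permission level on the ListItem twin) can be audited offline; the script below is an added example, not code from either poster. It runs on constructed samples shaped like the Graph permissions response quoted in the question and like a SharePoint REST roleassignments response with RoleDefinitionBindings expanded; the list path, group names and BasePermissions values are assumptions, and the check is for the DeleteListItems bit (0x8 in the low word of SPBasePermissions).

```python
import json

# SPBasePermissions bits in the low 32-bit word that matter for this thread.
VIEW_LIST_ITEMS, ADD_LIST_ITEMS, EDIT_LIST_ITEMS, DELETE_LIST_ITEMS = 0x1, 0x2, 0x4, 0x8

# Constructed sample (shape of GET /drives/{id}/items/{id}/permissions from the question).
GRAPH_PERMISSIONS = json.loads("""{"value": [
 {"roles": ["owner"], "grantedToV2": {"siteGroup": {"displayName": "Besitzer von Contoso", "id": "3"}}},
 {"roles": ["read"],  "grantedToV2": {"siteGroup": {"displayName": "Besucher von Contoso", "id": "4"}}},
 {"roles": ["write"], "grantedToV2": {"siteGroup": {"displayName": "Mitglieder von Contoso", "id": "5"}}}
]}""")

# Constructed sample (shape of GET /_api/web/lists/getbytitle('Documents')/items(1)/roleassignments
# ?$expand=Member,RoleDefinitionBindings). The custom level is Contribute with DeleteListItems removed;
# the numeric masks are illustrative values, not taken from a live tenant.
SP_ROLE_ASSIGNMENTS = json.loads("""{"value": [
 {"Member": {"Title": "Besitzer von Contoso"},
  "RoleDefinitionBindings": [{"Name": "Full Control", "BasePermissions": {"High": "2147483647", "Low": "4294967295"}}]},
 {"Member": {"Title": "Besucher von Contoso"},
  "RoleDefinitionBindings": [{"Name": "Read", "BasePermissions": {"High": "176", "Low": "138612833"}}]},
 {"Member": {"Title": "Mitglieder von Contoso"},
  "RoleDefinitionBindings": [{"Name": "Contribute without delete", "BasePermissions": {"High": "432", "Low": "1011028711"}}]}
]}""")


def sp_rights(assignments, principal):
    """Union of the low-word permission bits that all role definitions bound to `principal` grant."""
    mask = 0
    for ra in assignments["value"]:
        if ra["Member"]["Title"] == principal:
            for rd in ra["RoleDefinitionBindings"]:
                mask |= int(rd["BasePermissions"]["Low"])
    return mask


def sp_can_delete(assignments, principal):
    return bool(sp_rights(assignments, principal) & DELETE_LIST_ITEMS)


def graph_role_implies_delete(roles):
    # Graph collapses SharePoint levels to owner/read/write; only owner and write suggest delete.
    return bool({"owner", "write"} & set(roles))


def find_mismatches(graph_perms, assignments):
    """Principals whose Graph role suggests delete but whose SharePoint level lacks DeleteListItems (or vice versa)."""
    out = []
    for p in graph_perms["value"]:
        principal = p["grantedToV2"]["siteGroup"]["displayName"]
        can_delete = sp_can_delete(assignments, principal)
        if graph_role_implies_delete(p["roles"]) != can_delete:
            out.append((principal, p["roles"][0], can_delete))
    return out


if __name__ == "__main__":
    for principal, role, can_delete in find_mismatches(GRAPH_PERMISSIONS, SP_ROLE_ASSIGNMENTS):
        print(f"{principal}: Graph role '{role}' but SharePoint DeleteListItems={can_delete}")
```

Against a real tenant, the two JSON documents would come from the Graph and SharePoint REST calls named in the comments; the Graph roles alone are not enough to decide whether a delete will succeed.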
