Seems that everyone is struggling with Permissions in some way. I found several questions about this topic with more or less different answers.
I'm forced to use the SharePoint REST API besides the MS Graph API, because some Functions are not supported (yet or anytime) by MS Graph. For example Custom Permissions on SharePoint Folders and Files, for which MS Graph does not support any custom Role - but the SharePoint REST API does (see my other Question here: https://learn.microsoft.com/en-us/answers/questions/1521666/sharepoint-ms-graph-layer-shows-permission-differe)
The scenario is that we registered an App through Microsoft Entra with the following Permissions:
Me, David, also the Site Owner of a site, can successfully access file and folder Permissions: (Postman)
https://{{targetHost}}/sites/one-document-integration01/_api/Web/Lists(guid'ec923e9b-b3ea-49b4-bbfb-2fa96576cd0b')/Items(1)/RoleAssignments?$expand=Member/users,RoleDefinitionBindings
A Testing User (testing1), Member of the Site, is unable to make the same Request and gets the following Answer:
{
  "error": {
    "code": "-2147024891, System.UnauthorizedAccessException",
    "message": {
      "lang": "en-US",
      "value": "Attempted to perform an unauthorized operation."
    }
  }
}
The same User is able to view the Permissions within the Web-Front.
Question 1: Why does the REST API behave differently than the SharePoint WEB UI?
Question 2: What Permission is required on which level, so a User can VIEW and CHANGE Permissions? "On App Registration Level the following API Permissions are required ...", additionally the User needs xxx Permission on Site / Library / File to view and Change Permissions.
Question 3: Somehow related to Question 2: Is there a possibility to grant Permissions to a User to view and change permission for a specific Library, instead of granting site Owner permissions?
Question 4: Somehow even worse: The Testing User (testing1) is even allowed to Grant Permissions on a folder within WEB-UI. But afterwards he is unable to revoke granted access. So the User is even allowed to grant access
To be honest, MS Graph AND the SharePoint REST API feel like a crazy machine. Very frustrating...