"Attempted to perform an unauthorized operation" while trying to access folder/file Permissions

David Tissen 40 Reputation points
2024-03-05T08:36:11.05+00:00

Seems that everyone is struggling with Permissions in some way. I found several questions about this topic with more or less different answers.

I'm forced to use the SharePoint REST API besides the MS Graph API, because some functions are not supported (yet, or ever) by MS Graph. For example, custom permissions on SharePoint folders and files: MS Graph does not support any custom role, but the SharePoint REST API does (see my other question here: https://learn.microsoft.com/en-us/answers/questions/1521666/sharepoint-ms-graph-layer-shows-permission-differe)

The scenario is that we registered an app through Microsoft Entra with the following permissions:

User's image

I, David, also the site owner of a site, can successfully access file and folder permissions (Postman):

https://{{targetHost}}/sites/one-document-integration01/_api/Web/Lists(guid'ec923e9b-b3ea-49b4-bbfb-2fa96576cd0b')/Items(1)/RoleAssignments?$expand=Member/users,RoleDefinitionBindings

A testing user (testing1), a member of the site, is unable to make the same request and gets the following answer:

{
    "error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {
            "lang": "en-US",
            "value": "Attempted to perform an unauthorized operation."
        }
    }
}

The same user is able to view the permissions within the web front end:

User's image

Question 1: Why does the REST API behave differently than the SharePoint web UI?

Question 2: What permission is required on which level, so that a user can VIEW and CHANGE permissions? "On App Registration level the following API permissions are required ...", additionally the user needs xxx permission on Site / Library / File to view and change permissions.

Question 3: Somehow related to Question 2: Is there a possibility to grant Permissions to a User to view and change permission for a specific Library, instead of granting site Owner permissions?

Question 4: Somehow even worse: The Testing User (testing1) is even allowed to Grant Permissions on a folder within WEB-UI. But afterwards he is unable to revoke granted access. So the User is even allowed to grant access

User's image

To be honest, MS Graph AND the SharePoint REST API feel like a crazy machine. Very frustrating...


1 answer

  1. RaytheonXie_MSFT 31,606 Reputation points Microsoft Vendor
    2024-03-06T06:33:57.34+00:00

    Hi @David Tissen,

    For Graph and the REST API, you will need at least the Files.Read.All permission to get list item permissions. And if you want to set the permissions for the item, you will need at least the Files.ReadWrite.All permission. You could refer to the following documents:

    https://learn.microsoft.com/en-us/graph/api/permission-update?view=graph-rest-1.0&tabs=http

    https://learn.microsoft.com/en-us/previous-versions/office/developer/sharepoint-rest-reference/dn531432(v=office.15)?redirectedfrom=MSDN#bk_RoleAssignmentCollectionRemoveRoleAssignment

    For question 3, I would recommend using the Sites.Selected permission. Please refer to the following article:

    https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/develop-applications-that-use-sites-selected-permissions-for-spo/ba-p/3790476


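An added example, not part of the question or the answer above: one way to check what the signed-in user is actually granted on the item is to request `.../Items(1)/EffectiveBasePermissions` with the same token and decode the returned High/Low mask for the `EnumeratePermissions` and `ManagePermissions` bits that SharePoint's `PermissionKind` enum defines for enumerating and managing permissions on an object. The endpoint choice, the function names and both sample responses are assumptions constructed for illustration.

```python
import json

# Subset of SharePoint's SP.PermissionKind enum (1-based bit positions).
PERMISSION_KIND = {
    "ViewListItems": 1,
    "AddListItems": 2,
    "EditListItems": 3,
    "DeleteListItems": 4,
    "ManagePermissions": 26,
    "EnumeratePermissions": 63,
}

def has_permission(high, low, kind):
    """Test one PermissionKind against the 64-bit mask split into High/Low words."""
    bit = kind - 1  # PermissionKind is 1-based
    word, offset = (low, bit) if bit < 32 else (high, bit - 32)
    return bool((word >> offset) & 1)

def parse_effective_permissions(body):
    """Accept odata=verbose or odata=nometadata JSON; High/Low arrive as strings."""
    data = json.loads(body)
    data = data.get("d", data)
    data = data.get("EffectiveBasePermissions", data)
    return int(data["High"]), int(data["Low"])

def diagnose(body):
    """Report which of the listed rights the mask grants (hypothetical helper)."""
    high, low = parse_effective_permissions(body)
    granted = {n for n, k in PERMISSION_KIND.items() if has_permission(high, low, k)}
    return {
        "granted": sorted(granted),
        "can_view_permissions": "EnumeratePermissions" in granted,
        "can_change_permissions": "ManagePermissions" in granted,
    }

# Constructed sample responses, not captured from a real tenant.
MEMBER_LIKE = '{"d": {"EffectiveBasePermissions": {"High": "432", "Low": "1011028719"}}}'
OWNER_LIKE = '{"High": "2147483647", "Low": "4294967295"}'

if __name__ == "__main__":
    for label, body in (("member-like", MEMBER_LIKE), ("owner-like", OWNER_LIKE)):
        print(label, diagnose(body))
```

Running the same check against the list and the site as well shows at which level a right is missing.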