limited access & web only limited access in share point online

Surya kumar 345 Reputation points
2024-04-05T03:20:15.8766667+00:00

Hello,

I have a user who is having limited access to a site. I need to know where does this access was provided exactly.

By using site permissions > check permissions, I am not able to find. Is there any way that we can find either by GUI or PowerShell?

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,854 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
3,052 questions
0 comments No comments
{count} votes

Accepted answer
  1. Yanli Jiang - MSFT 26,846 Reputation points Microsoft Vendor
    2024-04-11T08:47:49.99+00:00

    Hi @Surya kumar ,

    There is currently no direct way to obtain this result, because the SharePoint permission list is for objects such as files or Items in SharePoint. When a user has unique permission for a certain file, the user will have limited access permission for the upper-level folder, library or even site that contains the file.

    We can try to use the power shell script to obtain the permission report of a user in the site and get the answer from the report.

    Here is the code for your reference:

    #Load SharePoint CSOM Assemblies
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
       
    #Set parameter values
    $SiteURL="https://crescent.sharepoint.com/sites/ops"
    $UserAccount="i:0#.f|membership|Salaudeen@crescent.com"
    $ReportFile="C:\Temp\PermissionRpt.csv"
    $BatchSize = 500
      
    #sharepoint online powershell to get user permissions Applied on a particular Object, such as: Web, List, Folder or Item
    Function Get-Permissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
    {
        #Determine the type of the object
        Switch($Object.TypedObject.ToString())
        {
            "Microsoft.SharePoint.Client.Web"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL }
            "Microsoft.SharePoint.Client.ListItem"
            {
                $ObjectType = "List Item/Folder"
      
                #Get the URL of the List Item
                $Object.ParentList.Retrieve("DefaultDisplayFormUrl")
                $Ctx.ExecuteQuery()
                $DefaultDisplayFormUrl = $Object.ParentList.DefaultDisplayFormUrl
                $ObjectURL = $("{0}{1}?ID={2}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
            }
            Default
            {
                $ObjectType = "List/Library"
                #Get the URL of the List or Library
                $Ctx.Load($Object.RootFolder)
                $Ctx.ExecuteQuery()           
                $ObjectURL = $("{0}{1}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $Object.RootFolder.ServerRelativeUrl)
            }
        }
      
        #Get permissions assigned to the object
        $Ctx.Load($Object.RoleAssignments)
        $Ctx.ExecuteQuery()
      
        Foreach($RoleAssignment in $Object.RoleAssignments)
        {
                    $Ctx.Load($RoleAssignment.Member)
                    $Ctx.executeQuery()
      
                    #Check direct permissions
                    if($RoleAssignment.Member.PrincipalType -eq "User")
                    {
                        #Is the current user is the user we search for?
                        if($RoleAssignment.Member.LoginName -eq $SearchUser.LoginName)
                        {
                            Write-Host  -f Cyan "Found the User under direct permissions of the $($ObjectType) at $($ObjectURL)"
                              
                            #Get the Permissions assigned to user
                            $UserPermissions=@()
                            $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                            $Ctx.ExecuteQuery()
                            foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
                            {
                                $UserPermissions += $RoleDefinition.Name +";"
                            }
                            #Send the Data to Report file
                            "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Direct Permission `t $($UserPermissions)" | Out-File $ReportFile -Append
                        }
                    }
                      
                    Elseif($RoleAssignment.Member.PrincipalType -eq "SharePointGroup")
                    {
                            #Search inside SharePoint Groups and check if the user is member of that group
                            $Group= $Web.SiteGroups.GetByName($RoleAssignment.Member.LoginName)
                            $GroupUsers=$Group.Users
                            $Ctx.Load($GroupUsers)
                            $Ctx.ExecuteQuery()
      
                            #Check if user is member of the group
                            Foreach($User in $GroupUsers)
                            {
                                #Check if the search users is member of the group
                                if($user.LoginName -eq $SearchUser.LoginName)
                                {
                                    Write-Host -f Cyan "Found the User under Member of the Group '$($RoleAssignment.Member.LoginName)' on $($ObjectType) at $($ObjectURL)"
      
                                    #Get the Group's Permissions on site
                                    $GroupPermissions=@()
                                    $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                                    $Ctx.ExecuteQuery()
                                    Foreach ($RoleDefinition  in $RoleAssignment.RoleDefinitionBindings)
                                    {
                                        $GroupPermissions += $RoleDefinition.Name +";"
                                    }         
                                    #Send the Data to Report file
                                    "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Member of '$($RoleAssignment.Member.LoginName)' Group `t $($GroupPermissions)" | Out-File $ReportFile -Append
                                }
                            }
                    }
                }
    }
     
    Try {
        #Get Credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
       
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
      
        #Get the Web
        $Web = $Ctx.Web
        $Ctx.Load($Web)
        $Ctx.ExecuteQuery()
      
        #Get the User object
        $SearchUser = $Web.EnsureUser($UserAccount)
        $Ctx.Load($SearchUser)
        $Ctx.ExecuteQuery()
      
        #Write CSV- TAB Separated File) Header
        "URL `t Object `t Title `t PermissionType `t Permissions" | out-file $ReportFile
      
        Write-host -f Yellow "Searching in the Site Collection Administrators Group..."
        #Check if Site Collection Admin
        If($SearchUser.IsSiteAdmin -eq $True)
        {
            Write-host -f Cyan "Found the User under Site Collection Administrators Group!"
            #Send the Data to report file
            "$($Web.URL) `t Site Collection `t $($Web.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File $ReportFile -Append
        }
      
      
        #Function to Check Permissions of All List Items of a given List
        Function Check-SPOListItemsPermission([Microsoft.SharePoint.Client.List]$List)
        {
            Write-host -f Yellow "Searching in List Items of the List '$($List.Title)..."
      
            $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
            $Query.ViewXml = "<View Scope='RecursiveAll'><Query><OrderBy><FieldRef Name='ID' Ascending='TRUE'/></OrderBy></Query><RowLimit Paged='TRUE'>$BatchSize</RowLimit></View>"
     
            $Counter = 0
            #Batch process list items - to mitigate list threshold issue on larger lists
            Do { 
                #Get items from the list in Batch
                $ListItems = $List.GetItems($Query)
                $Ctx.Load($ListItems)
                $Ctx.ExecuteQuery()
               
                $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
                #Loop through each List item
                ForEach($ListItem in $ListItems)
                {
                    $ListItem.Retrieve("HasUniqueRoleAssignments")
                    $Ctx.ExecuteQuery()
                    if ($ListItem.HasUniqueRoleAssignments -eq $true)
                    {
                        #Call the function to generate Permission report
                        Get-Permissions -Object $ListItem
                    }
                    $Counter++
                    Write-Progress -PercentComplete ($Counter / ($List.ItemCount) * 100) -Activity "Processing Items $Counter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"
                }
            } While ($Query.ListItemCollectionPosition -ne $null)
        }
      
        #Function to Check Permissions of all lists from the web
        Function Check-SPOListPermission([Microsoft.SharePoint.Client.Web]$Web)
        {
            #Get All Lists from the web
            $Lists = $Web.Lists
            $Ctx.Load($Lists)
            $Ctx.ExecuteQuery()
      
            #Get all lists from the web  
            ForEach($List in $Lists)
            {
                #Exclude System Lists
                If($List.Hidden -eq $False)
                {
                    #Get List Items Permissions
                    Check-SPOListItemsPermission $List
      
                    #Get the Lists with Unique permission
                    $List.Retrieve("HasUniqueRoleAssignments")
                    $Ctx.ExecuteQuery()
      
                    If( $List.HasUniqueRoleAssignments -eq $True)
                    {
                        #Call the function to check permissions
                        Get-Permissions -Object $List
                    }
                }
            }
        }
      
        #Function to Check Webs's Permissions from given URL
        Function Check-SPOWebPermission([Microsoft.SharePoint.Client.Web]$Web)
        {
            #Get all immediate subsites of the site
            $Ctx.Load($web.Webs) 
            $Ctx.executeQuery()
       
            #Call the function to Get Lists of the web
            Write-host -f Yellow "Searching in the Web "$Web.URL"..."
      
            #Check if the Web has unique permissions
            $Web.Retrieve("HasUniqueRoleAssignments")
            $Ctx.ExecuteQuery()
      
            #Get the Web's Permissions
            If($web.HasUniqueRoleAssignments -eq $true)
            {
                Get-Permissions -Object $Web
            }
      
            #Scan Lists with Unique Permissions
            Write-host -f Yellow "Searching in the Lists and Libraries of "$Web.URL"..."
            Check-SPOListPermission($Web)
       
            #Iterate through each subsite in the current web
            Foreach ($Subweb in $web.Webs)
            {
                    #Call the function recursively                           
                    Check-SPOWebPermission($SubWeb)
            }
        }
      
        #Call the function with RootWeb to get site collection permissions
        Check-SPOWebPermission $Web
      
        Write-host -f Green "User Permission Report Generated Successfully!"
        }
    Catch {
        write-host -f Red "Error Generating User Permission Report!" $_.Exception.Message
    }
    

    Reference:

    https://www.sharepointdiary.com/2018/09/sharepoint-online-get-user-permission-report-using-powershell.html

    Hope this can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

Sort by: Most helpful
  1. Yanli Jiang - MSFT 26,846 Reputation points Microsoft Vendor
    2024-04-05T09:41:44.3666667+00:00

    Hi @Surya kumar ,

    Please go through the permissions article.

    It explains Limited Access as Enables a user or group to browse to a site page or library to access a specific content item when they do not have permissions to open or edit any other items in the site or library. This level is automatically assigned by SharePoint when you provide access to one specific item. You cannot assign Limited Access permissions directly to a user or group yourself. Instead, when you assign edit or open permissions to the single item, SharePoint automatically assigns Limited Access to other required locations, such as the site or library in which the single item is located. This allows SharePoint to render the user interface correctly and show the user some context around their location in the site. Limited Access does not grant any additional permissions to the user, so they can't see or access any other content.

    User's image


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.