Insdie CSOM what does Web.SiteUsers include exactly

john john 946 Reputation points
2021-01-13T17:16:52.74+00:00

I am a bit confused on what does Web.SiteUsers include in CSOM? as per the documentation it includes the users which belong to a site collection, but what does belong mean? does it mean users who have permission on the site, even if the permission was not granted directly to the user but through an AD group or through the "Everyone Except external" group? I need a way to get all the users which can access the site regardless of the way they have been granted access to.. can anyone advice ?

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,807 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Baker Kong-MSFT 3,791 Reputation points
    2021-01-14T04:54:21.527+00:00

    Hi @john john ,

    I believe there is no way to get that list of all the users who can access the site. SharePoint doesn't even know it.

    SiteUsers is the closest, it includes users who have a relationship with the site (have access or used to have access to this site/item, or assigned with an item .etc). Once it establishes the relationship, it will be resolved as a user entity in the collection.

    In the past, it doesn't include users who have access due to group membership but haven't used that access yet. From SP2013, It has been changed a little bit, SiteUsers will contain the user as soon as you give them permission to site regardless of they logon this site or not.

    Best Regards,
    Baker Kong


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Baker Kong-MSFT 3,791 Reputation points
    2021-01-15T08:50:01.33+00:00

    Hi @john john ,

    Siteuser comes from user information hidden list. '_catalogs/users/simple.aspx' is just a simple view, you can compare their items via below rest API:

    1. {site}/_api/web/siteusers?$select=Title,id
    2. {site}/_api/Web/SiteUserInfoList/Items?&$select=ID,Title or /_api/Web/lists/getbytitle('User Information List')/Items?$select=Title,Id

    Users are added to the User Info List when:

    1. The specified user is granted permissions individually within a site collection
    2. The specified user is added to a person/group field value anywhere in the site collection
    3. The user is named specifically in a workflow anywhere in the site collection
    4. The user is added to a SharePoint group as an individual (i.e. not when added as a member of a domain group)
    5. The user is granted permissions anywhere in the site collection via a domain group membership AND subsequently visits the site (if the user is granted access via a domain group membership but never visits the content they were granted access to, they are not added to the user info list)
    6. The user is passed into the SPWeb.EnsureUser() method

    'Everyone' belongs to scenario 5, it's a domain security group, you can treat it as a user more than a SharePoint group.

    Thanks
    Baker Kong