I have two SP2019 farms with trust set up between them. When user001 searches from the sending farm, only the results (team002 with "everyone" group permission) are returned, although user001 has full control permission in team001.
Can anyone tell me the reason?
search from the sending farm
search from the receiving farm
the permission of user001 in team001
This seems like a simple question but I'm struggling to find an answer anywhere. Help! ;-)
I'm trying to use Microsoft Graph to read SharePoint lists/libraries in a SharePoint site, however this is just for one site (for our department) amongst many on our SharePoint online. I've registered an Azure AD app (with secret etc...) and requested 'application' permissions for the Microsoft Graph ('Create, edit, and delete items and lists in all site collections') and it's saying 'admin consent required' is 'yes' and it's currently flagged as 'not granted for *****'.
My boss is now asking - with a worried tone ;-)
will this mean the app can basically read/write/delete on all sites in
the organisation's SharePoint (not just our site) if our IT department
'consent'?
I said I don't know actually... I guess I'm not entirely clear on which permissions this is for, is it just to call the Microsoft Graph API or is it for this app to access SharePoint itself? I've searched for answers to this but I'm struggling to find anywhere that says anything about giving your app permissions in SharePoint, it all seems to be about getting permissions for the Microsoft Graph to access SharePoint.
I just want the app to have permissions to read/write lists/files in this one SharePoint site, not any others (we have loads of sites for other departments). I feel like we should be adding permissions for this app (its service principal?) somewhere on the SharePoint site we want to access, but what permissions do I need to set up and where so this app can only access this one site?
Azure AD app registration now allows for granular access to SharePoint site collections: there is a new option, Sites.Selected, under Azure AD App Registration - Request API Permissions. Refer to https://developer.microsoft.com/en-us/graph/blogs/controlling-app-access-on-specific-sharepoint-site-collections/
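Added example (not part of the original answer, and not Microsoft's code): a Python sketch that inspects the `roles` claim of an app-only token to tell tenant-wide SharePoint permissions from `Sites.Selected`, then builds the Microsoft Graph site-permissions request an admin would send to grant the app access to a single site. The token is a constructed, unsigned sample, and the site id, app id and app name are placeholders.

```python
import base64
import json

# Graph application permissions that reach every site collection in the tenant.
TENANT_WIDE = {"Sites.Read.All", "Sites.ReadWrite.All",
               "Sites.Manage.All", "Sites.FullControl.All"}

def make_sample_token(roles):
    """Constructed, unsigned JWT-shaped string for the demo (not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])

def token_roles(jwt):
    """Read the 'roles' claim of an app-only token. Inspection only:
    the signature is NOT verified, so never use this for authorization."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def audit_scope(roles):
    """Classify what consent to these application permissions would expose."""
    broad = sorted(set(roles) & TENANT_WIDE)
    if broad:
        return ("tenant-wide", broad)
    if "Sites.Selected" in roles:
        return ("per-site", ["Sites.Selected"])
    return ("none", [])

def site_grant_request(site_id, app_id, app_name, roles=("write",)):
    """Build (do not send) the admin call that lets one app into one site."""
    # Limiting roles to read/write is this example's own least-privilege choice.
    if not roles or not set(roles) <= {"read", "write"}:
        raise ValueError(f"unexpected role(s): {roles}")
    return {
        "method": "POST",
        "url": f"https://graph.microsoft.com/v1.0/sites/{site_id}/permissions",
        "json": {"roles": list(roles),
                 "grantedToIdentities": [
                     {"application": {"id": app_id, "displayName": app_name}}]},
    }

if __name__ == "__main__":
    print(audit_scope(token_roles(make_sample_token(["Sites.Manage.All"]))))
    print(audit_scope(token_roles(make_sample_token(["Sites.Selected"]))))
    print(json.dumps(site_grant_request(
        "contoso.sharepoint.com,SITE-GUID,WEB-GUID",   # placeholder site id
        "00000000-0000-0000-0000-000000000000", "dept-app"), indent=2))
```

With `Sites.Selected` alone the app can reach no site until a grant like the one built here has been made for it, so the audit result `per-site` means "only the sites explicitly granted".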
Unfortunately, this feature is still missing. It is not possible to limit the permissions to only one SharePoint site. It's either access to all SharePoint sites in the organisation or none. Check out the user vote for more information: here. Microsoft is still working on providing a way to limit the access to specific resources.
Was not able to find a way to discover all the sites of an organization:
creating a site with user2
approving the app with an admin
using 'https://graph.microsoft.com/v1.0/sites?search=' does not show the new site.
Only once I add the admin to the site group do I find the new site.
How can I find all the sites?
Do I need to get an access token for each user?
For example with this token I can access all the drives but can't find the sites.
There are a couple things going on related to what you're asking and I'll try to address each of them:
1) We don't have an officially supported way to discover all of the sites and site collections in a given tenant today. The "search=*" query may give you the results you're after but it is not guaranteed in all scenarios. We're looking at this scenario but do not have formal support in the product today.
2) Search results are security trimmed: when using delegated permissions, the search API will only return sites that the logged-in user has access to. This could explain why you needed to add the Admin first before it showed up.
3) To use search in scenarios where you do not want security-trimmed results, you will need to use Application permissions and have the Tenant Admin perform the application consent flow for the entire tenant. This is a fairly broad permission but is required for some scenarios.
Not sure if this is the right place to post a dev question, so please point me to the right place if it's not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features
I have installed SharePoint 2013 Foundation in a 2 server farm topography. I am trying to create a sub-site for normal authenticated users and keep the Central Administration root site for only the SP admins. When I create a sub-site I think I am adding a user group and users to that site, for access to only that site, but users in that group can still see the Central Administration site. I need to assign separate permissions on each site. Is there a tutorial or something out there that can help a beginner do this?
Sort out Central Administration permission
Go to your user permissions in Central Administration site, should be something like
http://sharepointsite.domain:12345/_layouts/15/user.aspx
Make sure that only your Farm admin groups are listed here. I manually add only the Farm admin accounts to make sure nobody who should not be there finds their way in.
If you have a Farm Administrators account, expand it and see what other groups might have permission.
You might find something like "BUILTIN\Administrators".. and there might be a global user group that is included in that account.
A good start is to delete all the accounts you are unsure about, then re-add them while checking each one.
And of course you can use the magic button that will show you permissions get granted to the site.
Please help.
Am a newbie and have hit a snag with the TFS and SharePoint combo. I come from the old school where in IIS you right-click and set permissions of a Web Site, and now I can't find the SharePoint sites in IIS 7 to actually give myself permissions.
When opening the localhost/ sites/ project in IE, I get an Error: Access Denied.
This is the sharepoint site that was set up by TFS when I added a project in Visual Studio 2010 to my TFS ProjectCollection.
How do I get access to the web site?
Regards
Permission is not given to the SP sites directly from IIS.
If you are or you know the SP Site collection administrator, ask them to give you the appropriate access to the SP site you are requesting. Otherwise, if there are no site collection administrators, then go a level higher to the SP farm administrator and ask the farm admin to make you the site collection administrator for the SP Site collection you are trying to access. The team project site is located under a site collection.
From there you can give other users access to the appropriate SP resources using Site Actions > Site Permissions.
You should be given the permissions inside SharePoint by site collection administrator.
Site collection admin should navigate to localhost/sites/{tfscollection}/{tfsproject}, click Site settings and then People and groups link.
From there, you need to be added to the site and given the appropriate permissions.
There's a really nice utility that makes it easy to view/edit permissions on TFS, SharePoint and Report Server at the same time.
http://tfsadmin.codeplex.com/