Security Query for the Users ina SharePoint Site - security

I am updating a SharePoint 2007 solution to SharePoint 2013. The solution creates a list of permissions for each site in a site collection. In SharePoint 2007 I used SOAP to query the ROLE object and got back the Groups and Users security objects for a site. In SharePoint 2013 ROLE and SOAP is deprecated. I am trying to use the REST API to recreate the solution. I am able to get the groups object for each site, but I am unable to find the way to get the Users security object for the sites. I can get Site Users for the site collection and get the Users in a SharePoint Group, but I find no way to get the Users Security Object for a site. Has anyone been able to accomplish get the Users for a site?

Sample REST api to check user permission for site.
You need encode the URL from(suppose your use default NTLM authentication)
/_api/web/getusereffectivepermissions(#user)?#user='i:0#.w|contoso\userb'
TO
/_api/web/getusereffectivepermissions(#user)?#user='i%3A0%23.w%7Ccontoso%5Cuserb'
About the return value, check below thread.
http://www.lifeonplanetgroove.com/checking-user-permissions-from-the-sharepoint-2013-rest-api/?doing_wp_cron=1449727796.2080190181732177734375

Related

How to obtain ACLs for different sharepoint sites

Using the graph API or sharepoint REST APIs, is there a way to obtain, for each site, the list of users/o365 groups that are allowed read access to the site?
We are able to obtain the list of sites using the graph API GET /sites?search=* but cannot find a way to get the list of users allowed to access each site (except for Sharepoint team sites associates with o365 groups that we can enumerate using GET /groups/{group-id}/sites API call.
We are building a server side application so need to do this from the server using application-level permissions, and not from the client.
Pointers for how to do this are greatly appreciated!
Looks like there is no such endpoint that gets the site permissions and there are few uservoices here that are close to your scenario. Please upvote them so that it could be developed by the product team in future.

Permissions for Azure app using Microsoft Graph to read SharePoint Online

This seems like a simple question but I'm struggling to find an answer anywhere. Help! ;-)
I'm trying to use Microsoft Graph to read SharePoint lists/libraries in a SharePoint site, however this is just for one site (for our department) amongst many on our SharePoint online. I've registered an Azure AD app (with secret etc...) and requested 'application' permissions for the Microsoft Graph ('Create, edit, and delete items and lists in all site collections') and its saying 'admin consent required' is 'yes' and its currently flagged as 'not granted for *****'.
My boss is now asking - with a worried tone ;-)
will this mean the app can basically read/write/delete on all sites in
the organisations SharePoint (not just our site) if our IT department
'consent'?
I said I don't know actually... I guess I'm not entirely clear on which permissions this is for, is it just to call the Microsoft Graph API or is it for this app to access SharePoint itself? I've searched for answers to this but I'm struggling to find anywhere that says anything about giving your app permissions in SharePoint, it all seems to be about getting permissions for the Microsoft Graph to access SharePoint.
I just want the app to have permissions to read/write lists/files in this one SharePoint site, not any others (we have loads of sites for other departments). I feel like we should be adding permissions for this app (its service principal?) somewhere on the SharePoint site we want to access, but what permissions do I need to setup and where so this app can only access this one site?
Azure AD app registration now allows for granular access to SharePoint site collection, there is a new option Sites.Selected under Azure AD App Registration - Request API Permissions - refer to https://developer.microsoft.com/en-us/graph/blogs/controlling-app-access-on-specific-sharepoint-site-collections/
Unfortunately, this feature is still missing. It is not possible to limit the permissions to only one SharePoint site. It's either access to all SharePoint sites in the organisation or none. Check out the user vote for more information: here. Microsoft is still working on providing a way to limit the access to specific resources.

Secure CRUD SharePoint rest apis

Is it possible to secure SharePoint rest APIs?
I have a SharePoint portal that allows users to create accounts an get access to the portal.
The portal uses SharePoint client object model, if any of the users try to access let's say getuserbyid method or retrieving items for lists and changes the ID value, he will be able to retrieve information for other users on the portal.
So it is possible or is their any way to restrict access to the rest APIs outside the portal itself? Because with manipulation using Fiddler or burp suite the request can be replayed with different information or values.
The operations performed by the Client Side Object Model respect the SharePoint site permissions in the SharePoint site you are interacting with. You need to set/customize the site permissions such that you get the results that you want.

Create AND add user to sharepoint site via code

I'm curious about the best/most efficient way to do this.
I've already set up my sharepoint 2010 site, and it is configured to use FBA. What i'd like to do is allow users to create their own accounts by filling out a form (the form will sit on a public sharepoint site, and filling it out creates a user in the membership database which is used for validation to enter the FBA sharepoint site).
I'm familiar with using the asp CreateWizard tool to build user accounts as part of a .Net web application, but I'm not sure on how to develop this as a webpart for use in a sharepoint site, as a webpart doesn't have the config file to store connection string and membership/role provider info.
Can this user creation form be put in a webpart and deployed to other sites, or is there another/better way to add this functionality to sharepoint (allowing users to register/create their own FBA accounts for access)?
There's nothing not much difference between SharePoint and regular ASP.Net for this.
The membership provider will need to be configured in the SharePoint web.config, including connection strings. However, it does not actually need to be used for login, so you can still create users in that membership provide from a different site.
I use a slightly different approach though - set up an anonymously accessible page in your site (in layouts is probably easiest, though a page within a site may be better for branding) and put controls on that page to create (and log in) a new user. You will need to call EnsureUser and possibly CreateUserProfile to give the new user access to anything, but aside from that it's all standard .net.

Get Item Level Security using SharePoint WebServices

I am able to get the Permissions associated with a List or a Site using Permissions.GetPermissionCollection (ObjectName, ObjectType). The ObjectType parameter will accept either a Site or a List. Is there any way with the out-of-the-box webservices to get the Permissions associated with a ListItem?
I mean if I have NOT inherited the List permissions and have specified a set of specific permissions to a List Item or a document in a document Library then how can I get the permissions specified?
The answer is the same as for documents. See the question Permission for a SharePoint document using MOSS web services.
You cannot with the out-of-the-box web services but there is a custom web service available for free download and source code.

Resources