I was just generally curious how Google tracks the users given permission to access a document and differentiates between those and other users. Any info is greatly appreciated!
Google Drive files and folders have read and write permission levels similar to most file systems:
assigned to the individual author/owner of the file
assigned to the domain the author/owner belongs to (typically the organization registered to use G Suite)
assigned to the group associated with your user account on a per file basis
assigned to the whole world
When individual users are granted access to the files (or folders), they are assigned a role and added to a group that has permission to view or edit the specific file.
If a user is accessing Google drive via an organization's G Suite account, there may be restrictions in place at the organization level that determine what type of sharing is available. Refer to G Suite file sharing
The Google drive Rest API documentation enumerates some of these specifics. See "Role" and "Type" properties on the API page
Related
Is it easy for people to find "public" google sheets/docs?
Context: Storing some semi-sensitive data (individual user info, of non-sensitive nature) for an app beta-test in google sheets. Planning to migrate to some DB in the future, but for now, just using JavaScript to pull the data directly from the google sheets (since there are visualizations being dynamically updated by the sheets).
Yes, it's easy to get information. Search engines may index and cache the information. Then, there are bots, crawlers and scrapers. Do NOT put (semi)sensitive information in public. Implement google-oauth properly with google-sheets-api to get information. You can also use service-accounts
Yes, it can be easily accessed.
According to the official Google article Share files from Google Drive: when you set your file's General Access setting to public:
Anyone can search on Google and get access to your file, without signing in to their Google account.
What you can do:
In the case of your app beta-test in google sheets data, you may want to reconsider to change your file's General Access setting to one of the following (in descending order of security):
Restricted - Only people that you manually give access to can view or edit your files. When you click the share button, a prompt will show and you may manually add the users who can view or edit your files:
Afterwards, you may select a role for those users and then they can be notified afterwards through email.
On the other hand, you can share the link to others. A prompt will show like the one below if you send the url through Google Chat:
You may opt to select Don't give access which will result in the following view on the other user's end:
This would mean that if unauthorized users get hold of the file URL, they will still need to send an access request. If other users submit the request, an email notification will be sent to your mail inbox. Other users who also own the file will also be notified by mail.
Your Organization - If you use a Google Account through work or school, anyone signed in to an account in your organization can open the file. If you are an administrator in a work or school workspace, you may set how members can share content within the organization. The administrator can prevent the sharing of content with group members outside your organization. If external sharing is prohibited, only group members who are in your organization can access the group's shared content.
Anyone with the link - Anyone who has the link can use your file, without signing in to their Google Account. This option is least recommended because if the URL is leaked to unauthorized users, they can easily access the file.
References:
Share files from Google Drive
Share content with a group
Don’t make it public unless you want the public to see it. Use oauth to access.
Is there a way in Microsoft Graph how to check whether signed-in user (device code auth is used) has a specific AAD permission? In my case that would be Microsoft.Directory/groups/members/update - I'd like to notify a user that he/she is not permitted to add service principal to an AD group.
My initial idea was to find DirectoryRoles a user is member of. Then view related DirectoryRoleTemplates and somehow check permissions attached to the template. It looks like this is not possible.
I'm a program manager at Microsoft working on Azure AD access control. Thanks for your question and feedback. As Allen says, we don't have an API for this today. The best we have is what's called the 'wids' claim in the user's access token. Search this article for 'wids' for more information.
The wids claim contains the list of directory role template object ids the user is a member of. Role template object ids are immutable and consistent across the system, so you can hardcode your check against them. There is a role to template id mapping table here.
We're looking at exposing an API that returns the list of underlying permissions of the signed-in user following the syntax Allen mentions from the documentation. However, I don't have a date yet on when that would be available.
Let me know if you have any questions.
Thanks again,
Vince Smith
Currently Microsoft has not exposed an API for obtaining Role permissions corresponding to DirectoryRole.
Based on the official document, microsoft.directory/groups/members/update permission only exists in the following roles:
Directory Writers
Groups Administrator
User Account Administrator
Intune Service Administrator
Partner Tier1 Support
Partner Tier2 Support
A workaround is to customize a config file in your project to set the fixed values. Read them to see if the user's directory role matches one of them.
As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.
Basically, I just want to use Microsoft Graph to get a list of active directory users and their email addresses.
Ideally, I could get all the admin users for a certain subscription.
How do I do that? I couldn't find any good examples online.
Assuming you have the correct access to a tenant, and an authenticated token granting you access to the Microsoft Graph, you can use the following REST API calls to get the data you are looking for:
List Users - Documentation
GET https://graph.microsoft.com/v1.0/users
List Admins (via directory roles) - Documentation
This is a multi-step process. First you must find the directory role for the Company Administrator, which will always have the roleTemplateId of 62e90394-69f5-4237-9190-012177145e10. This should not be confused by the actual directory role id, which will be different per directory.
GET https://graph.microsoft.com/v1.0/directoryRoles
Then you want to list the users who are a part of that directory role:
GET https://graph.microsoft.com/v1.0/directoryRoles/<id>/members
If you really need to get started from scratch, I recommend you look at this PowerShell sample I made which simplifies authentication, and allows you to make queries to resource endpoints like the Microsoft Graph.
https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL
Does anyone know if I can have a single one drive folder and then assign via the API different people, and then they would see only the folders that they are allowed to see.
I am trying to re-create the "views" functionality of dropbox enterprise
Yes, the simplest way to do so is to use the Microsoft Graph API which has an entire set of endpoints that work with a OneDrive account.
The endpoints that will best serve you are the Create Sharing Link and the Add Permission.
Note: Using the sharing link that doesn't require account authentication means anyone with that link can access the OneDrive folder/file that it is assigned to. If the user(s) have Microsoft Accounts or Microsoft Organizational Accounts (also known as work/school account) then the Add Permission endpoint is likely your best bet.