When I share a file by chat(P2P) in Microsoft Teams app, the file is stored in the OneDrive , so if I interested to remove permission from a specific user that I sent him the file before, I can do this:
Getting the users that have permissions with this request:
GET/ https://graph.microsoft.com/v1.0/users/{userId}/drive/items/{itemId}/permissions
It give me all the users that have the permission,so I choose the one that I want to remove it and use this request:
DELETE/ https://graph.microsoft.com/v1.0/users/{userId}/drive/items/{itemId}/permissions/{permissionId}
It's working wonderful.
Now I'm interested to do the same with a file that has shared through a Team in Microsoft Team app.
But when I check the permissions file with this request:
GET/ https://graph.microsoft.com/v1.0/groups/{groupId}/drive/items/{itemId}/permissions
It's not return me permissions for each member on the Team.
So my question how it is possible to remove file permissions from a specific member on the Team?
Thanks,
While files shared in a P2P chat are stored in OneDrive, files shared within Team spaces are stored in a SharePoint Document Repository. Permissions on the SharePoint document repository are group based, and use the Azure AD group for the Team. If you want to remove an individual's permissions for files shared to a Team, they would need to be removed from the group (which would remove their access to everything else for the Team as well).
Related
I installed the official app Google Cloud to manage and monitor my Google Cloud ressources. I then logged in using an account with an Owner role on the top structure My Organization and an Owner role on all its sub-projects as well. I am super-admin in Google Workspace.
However, I can't seem to access/list any project or ressource in the app. Basically it tells me I lack permissions.
I tried looking for specific IAM permissions for this scenario but without luck.
What am I missing?
To get the permissions that you need to manage access to a project, folder, or organization in Google official cloud you need to have following IAM roles on the resource that you want to manage access for (project, folder, or organization):
To manage access to a project: Project IAM Admin
(roles/resourcemanager.projectIamAdmin)
To manage access to a folder: Folder Admin
(roles/resourcemanager.folderAdmin)
To manage access to projects, folders, and organizations:
Organization Admin (roles/resourcemanager.organizationAdmin)
To manage access to almost all Google Cloud resources: Security Admin
(roles/iam.securityAdmin)
For more information about granting roles, see Required permissions and Manage access and check these roles.
I found the solution:
In Google Workspace Admin console, you must activate the service named Additional services without individual control.
Menu 'Apps' > 'Additional Google services' > 'CHANGE' next to 'Access to additional services without individual control for all organisational units is turned Off' (info icon in the upper zone) > 'ON for everyone'
I am creating an app and I would like have a feature, where users can upload files and access them. If those files are either .docx and .xlsx, I would like to store them in Microsoft OneDrive and allow the user to directly go and edit them via a link directly to Microsoft online. All of these documents would be stored in one OneDrive account (so the user wouldn't have to link their own). That means that I don't want the user to go beyond editing their document.
Is this a possible scenario or do I need to force the user to link their own OneDrive account in order to allow this?
You can upload a file with the graph api
https://learn.microsoft.com/en-us/graph/api/driveitem-put-content
And then create an anonymous share link with this endpoint.
https://learn.microsoft.com/en-us/graph/api/driveitem-createlink
When I sign in an app via Dropbox, it says:
ABC would like access to its own folder, Apps › ABC (emphasis mine)
This is to sign, that the app, ABC, can access only its folder.
However, this folder is normally visible in the Dropbox directory and synced.
Is there a way to achieve this with Google Drive? It seems like using the app-specific data feature prevents users from using the directory in any way except the app. Granting a permission to use the whole Google Drive gives the app way too much permissions. Dropbox has this feature done well. IS there a way to do a sing-up process this way with Google Drive?
When your ABC app calls Google Drive APIs on behalf of a user, you're going to be using oAuth to authorize ABC. From Drive API v3 docs:
The details of the authorization process, or flow for OAuth 2.0 vary somewhat
depending on what kind of application you're writing. The following general process
applies to all application types:
When your application needs access to user data, it asks Google for a
particular scope of access.
Google displays a consent screen to the
user, asking them to authorize your application to request some of
their data.
Google Drive's resource authorization scheme includes a number of "permissive" scopes where your app can (for example) request access to the user's entire Drive and "narrow" scopes. In the latter case your app is restricted to certain Drive files and/or folders. In late 2018 Google announced Project Strobe that promised to tighten restrictions around "permissive" scopes for many Google services, including Drive. In May 2019, they rolled an updated policy for Drive APIs:
With this updated policy, we’ll limit the types of apps that have
broad access to content or data via Drive APIs. Apps should move to a
per-file user consent model, allowing users to more precisely
determine what files an app is allowed to access. This means that only
certain types of apps can request restricted scopes from consumer
Google accounts. As always, G Suite administrators are in control of
their users’ apps.
The more user-friendly, narrower scopes are tagged and referred to as Recommended throughout Google API docs. For Drive you have 3 recommended scopes :
https://www.googleapis.com/auth/drive.appfolder Allows access to the
Application Data folder
https://www.googleapis.com/auth/drive.file Per-file access to files
created or opened by the app. File authorization is granted on a
per-user basis and is revoked when the user deauthorizes the
app.
https://www.googleapis.com/auth/drive.install Special
scope used to let users approve installation of an app, and scope
needs to be requested
Your use case could fall into either drive.appfolder or drive.file scope. drive.appfolder works well if you're looking to store app-specific data that the user won't and shouldn't touch:
The application data folder is a special hidden folder that your app
can use to store application-specific data, such as configuration
files. The application data folder is automatically created when you
attempt to create a file in it. Use this folder to store any files
that the user shouldn't directly interact with. This folder is only
accessible by your application and its contents are hidden from the
user and from other Drive apps.
The application data folder is deleted when a user uninstalls your app from their
MyDrive. Users can also delete your app's data folder manually.
drive.file is applicable if your use case has to do with some data being created by your app on behalf of the user and the user or other users should be able to see/edit/share these documents. The issue with drive.file is that it only applies to "objects" your app creates. If your ABC app creates folder Foo and then creates some files within that folder, your app will be able to access the folder and these and only these files.
With drive.file there's no parent/child ownership semantics and no propagation of permissions from parent to child. The user (in their own browser without your app) could create more files in the Foo folder but your app won't be able to read them.
It's worth noting that drive.file is not granting access to a particular folder...but it sort of amounts to an equivalent end result for a to-be-created (by your app) folder or folders.
If you're looking for a way to get access to an existing folder, you may want to look into one of the Sensitive or Restricted scopes. Using one of these scopes requires your app to go through a security review.
Most apps only have permission to store data in the Application Data folder
There is more information about API permissions at About Authorization
The drive.file scope might work for some since it appears to give access to individual files that the user OK'd. How does the user OK a file? According to the post below, they would send a file from the Drive app to my app.
So, unlike Dropbox or OneDrive, Google Drive has only 2 types of permissions: Drive or Drive.File. Simple!
I have a private group with a site where we have a document library. (I have access to this group/site)
I am currently trying to access the files within this directory.
Document Library:
https://support.office.com/en-us/article/what-is-a-document-library-3b5976dd-65cf-4c9e-bf5a-713c10ca2872
I registered an application in the azure portal and I think, I set all necessary permissions.
Microsoft Graph:
Read all groups
Read directory data
Access directory as the signed in user
Read all files that user can access
Read items in all site collections
Office 365 SharePoint Online:
Read user profiles
Read user files
Read items in all site collections
Read managed metadata
Windows Azure Active Directory:
All permissions given
I am able to get a token via OAuth authentication, but:
Accessing
https://graph.microsoft.com/v1.0/
Tells me
InvalidAuthenticationToken
Accessing
https://tenantname.sharepoint.com/_api/v1.0/
Is working, but I did not find a way to access the document library from there
In the end, I want to access (List&Read) the files in an iOS application. It would be great, to use the onedrive-sdk for this, as the office365-sdk seems broken for Swift4 at the moment.
I may have left out some information, in that case just ask for them
For either OneDrive personal or business is it possible to have a single folder in OneDrive my app has access to without having access to all of OneDrive. Currently I am requesting permission from user to access all of Onedrive and setting this up manually, but users typically do not like giving access to all of OneDrive if its not a specific OneDrive app.
I feel like I have read about AppFolder permissions but I cannot find supporting documentation or examples of it being used.
The permission you're looking for is Files.ReadWrite.AppFolder and it's documented in the file permissions category.
Description: Have full access to the application's folder (preview) and (Preview) Allows the app to read, create, update, and delete files in the application's folder.
Once your application has an access token with this permission, your app folder is located at https://graph.microsoft.com/v1.0/me/drive/special/approot/.
Uploading, downloading and listing the files is just like any other folder from this point. For example, listing the items in this folder is done with GET https://graph.microsoft.com/v1.0/me/drive/special/approot/children.
Uploading a file:
PUT https://graph.microsoft.com/v1.0/me/drive/special/approot:/foo.txt:/content