Sharepoint - Retrieve Permissions at folder and file level in Powershell
This is the method using PnP Online. Retrieve the additional properties using
Get-PnPProperty
Connect-PnPOnline -Url $siteUrl
$context = Get-PnPContext
For Files
$file = Get-PnPFile -Url $filePath -AsListItem
Get-PnPProperty -ClientObject $file -Property HasUniqueRoleAssignments, RoleAssignments
if($file.HasUniqueRoleAssignments -eq $True)
{
foreach($roleAssignments in $file.RoleAssignments )
{
Get-PnPProperty -ClientObject $roleAssignments -Property RoleDefinitionBindings, Member
$permission.LoginName = $roleAssignments.Member.LoginName
$permission.LoginTitle = $roleAssignments.Member.Title
$permission.PrincipalType = $roleAssignments.Member.PrincipalType.ToString()
$permission.Permission = ""
#Get the Permissions assigned to user
foreach ($RoleDefinition in $roleAssignments.RoleDefinitionBindings)
{
$permission.Permission = $permission.Permission + "," + $RoleDefinition.Name
}
}
}
For folders
$file = Get-PnPFolder -Url $filePath -Includes ListItemAllFields.RoleAssignments, ListItemAllFields.HasUniqueRoleAssignments
$context.Load($file);
$context.ExecuteQuery();
if($file.ListItemAllFields.HasUniqueRoleAssignments -eq $True)
{
foreach($roleAssignments in $file.ListItemAllFields.RoleAssignments)
{
Get-PnPProperty -ClientObject $roleAssignments -Property RoleDefinitionBindings, Member
$permission.LoginName = $roleAssignments.Member.LoginName
$permission.LoginTitle = $roleAssignments.Member.Title
$permission.PrincipalType = $roleAssignments.Member.PrincipalType.ToString()
$permission.Permission = ""
#Get the Permissions assigned to user/group
foreach ($RoleDefinition in $roleAssignments.RoleDefinitionBindings){
$permission.Permission = $permission.Permission + "," + $RoleDefinition.Name
}
}
}
In case you just want to use pnp-powershell, All you need to do for each one of those folders / files:
FILE
$result = Get-PnPProperty -ClientObject $file -Property RoleAssignments
Get-PnPProperty -ClientObject $file.RoleAssignments -Property Groups
foreach ($role in $file.RoleAssignments) {
$result = Get-PnPProperty -ClientObject $role -Property RoleDefinitionBindings, Member
}
$result = Get-PnPProperty -ClientObject $folder -Property RoleAssignments
Get-PnPProperty -ClientObject $folder.RoleAssignments -Property Groups
foreach ($role in $file.RoleAssignments) {
$result = Get-PnPProperty -ClientObject $role -Property RoleDefinitionBindings, Member
}
After that, you will find all the assigned permissions details under the "roleassignments" property.
This script should help you:
https://gallery.technet.microsoft.com/office/SharePoint-Permissions-f42ea9db
Check this bit:
foreach($List in $Web.lists)
{
if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false))
{
#Get all the users granted permissions to the list
foreach($ListRoleAssignment in $List.RoleAssignments )
{
#Is it a User Account?
if($ListRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$ListUserPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListUserPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tDirect Permission`t$($ListUserPermissions) `t$($ListRoleAssignment.Member)" | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $ListRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$ListGroupPermissions=@()
foreach ($RoleDefinition in $ListRoleAssignment.RoleDefinitionBindings)
{
$ListGroupPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tMember of $($ListRoleAssignment.Member.Name) Group`t$($ListGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
}
}
}
}
#Get Folder level permissions
foreach($Folder in $List.folders)
{
if($Folder.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the folder
foreach($FolderRoleAssignment in $Folder.RoleAssignments )
{
#Is it a User Account?
if($FolderRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$FolderUserPermissions=@()
foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings)
{
$FolderUserPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tDirect Permission`t$($FolderUserPermissions) `t$($FolderRoleAssignment.Member)" | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $FolderRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$FolderGroupPermissions=@()
foreach ($RoleDefinition in $FolderRoleAssignment.RoleDefinitionBindings)
{
$FolderGroupPermissions += $RoleDefinition.Name +";"
}
#Send the Data to Log file
"$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tMember of $($FolderRoleAssignment.Member.Name) Group`t$($FolderGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
}
}
}
}
}
#Get Item level permissions
foreach($Item in $List.items)
{
if($Item.HasUniqueRoleAssignments -eq $True)
{
#Get all the users granted permissions to the item
foreach($ItemRoleAssignment in $Item.RoleAssignments )
{
#Is it a User Account?
if($ItemRoleAssignment.Member.userlogin)
{
#Get the Permissions assigned to user
$ItemUserPermissions=@()
foreach ($RoleDefinition in $ItemRoleAssignment.RoleDefinitionBindings)
{
$ItemUserPermissions += $RoleDefinition.Name +";"
}
#Prepare item's absolute Url and Name
$ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1
if ($ItemDispForm.Url)
{
$ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"
}
else
{
$ItemUrl = "$($Item.Url)"
}
if ($Item.Name)
{
$ItemTitle = $Item.Name
}
else
{
$ItemTitle = $Item.Title
}
#Send the Data to Log file
"$($ItemUrl)`tItem`t$($ItemTitle)`tDirect Permission`t$($ItemUserPermissions) `t$($ItemRoleAssignment.Member)" | Out-File $FileUrl -Append
}
#Its a SharePoint Group, So search inside the group and check if the user is member of that group
else
{
foreach($user in $ItemRoleAssignment.member.users)
{
#Get the Group's Permissions on site
$ItemGroupPermissions=@()
foreach ($RoleDefinition in $ItemRoleAssignment.RoleDefinitionBindings)
{
$ItemGroupPermissions += $RoleDefinition.Name +";"
}
#Prepare item's absolute Url and Name
$ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1
if ($ItemDispForm.Url)
{
$ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"
}
else
{
$ItemUrl = "$($Item.Url)"
}
if ($Item.Name)
{
$ItemTitle = $Item.Name
}
else
{
$ItemTitle = $Item.Title
}
#Send the Data to Log file
"$($ItemUrl)`tItem`t$($ItemTitle)`tMember of $($ItemRoleAssignment.Member.Name) Group`t$($ItemGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append
}
}
}
}
}