Get Item Level Permissions in SharePoint using CSOM

In this post, I am going to write C# code sample to get item level permissions for all list items using CSOM in SharePoint On-Premises/SharePoint Online library. Every list items should have permission entries only if they have unique (or explicit) permissions assigned. If an item or document doesn’t have any unique permission entry, then the item’s permissions will be derived from its parent library permission.

Retrieve Item Level Permissions For List Items with CSOM

The below CSOM based C# code find all list items for a given SharePoint Online list (or library) and gets the permissions for every items if an item has unique permission.

public static void Get_Item_Level_Permissions_For_All_List_Items()
{
    string sitrUrl = "https://spotenant.sharepoint.com/sites/mysite";
    using (var ctx = new ClientContext(sitrUrl))
    {
        //ctx.Credentials = Your Credentials
        ctx.Load(ctx.Web, a => a.Lists);
        ctx.ExecuteQuery();
        List list = ctx.Web.Lists.GetByTitle("Documents");
        var listItems = list.GetItems(CamlQuery.CreateAllItemsQuery());
        //load all list items with default properties and HasUniqueRoleAssignments property
        ctx.Load(listItems, a => a.IncludeWithDefaultProperties(b => b.HasUniqueRoleAssignments));
        ctx.ExecuteQuery();
        foreach (var item in listItems)
        {
            Console.WriteLine("List item: " + item["FileRef"].ToString());
            if (item.HasUniqueRoleAssignments)
            {
                //load permissions if item has unique permission
                ctx.Load(item, a => a.RoleAssignments.Include(roleAsg => roleAsg.Member.LoginName,
                    roleAsg => roleAsg.RoleDefinitionBindings.Include(roleDef => roleDef.Name,
                    roleDef => roleDef.Description)));
                ctx.ExecuteQuery();
                foreach (var roleAsg in item.RoleAssignments)
                {
                    Console.WriteLine("User/Group: " + roleAsg.Member.LoginName);
                    List<string> roles = new List<string>();
                    foreach (var role in roleAsg.RoleDefinitionBindings)
                    {
                        roles.Add(role.Description);
                    }
                    Console.WriteLine("Permissions: " + string.Join(",", roles.ToArray()));
                    Console.WriteLine("----------------");
                }
            }
            else
            {
                Console.WriteLine("No unique permission found");
            }
            Console.WriteLine("###############");
        }
    }
}

The above code first fetch the list items and then load the role assignments for every items, so it includes multiple server requests, alternatively we can also load the list items and its permissions in single server request call.

List list = ctx.Web.Lists.GetByTitle("Documents");
var listItems = list.GetItems(CamlQuery.CreateAllItemsQuery());

//load all list items with default properties and HasUniqueRoleAssignments property and also
//load permissions of every items 
ctx.Load(listItems, a => a.IncludeWithDefaultProperties(b => b.HasUniqueRoleAssignments),
    permsn => permsn.Include(a => a.RoleAssignments.Include(roleAsg => roleAsg.Member.LoginName,
            roleAsg => roleAsg.RoleDefinitionBindings.Include(roleDef => roleDef.Name,
            roleDef => roleDef.Description))));
ctx.ExecuteQuery();
foreach (var item in listItems)
{
    Console.WriteLine("List item: " + item["FileRef"].ToString());
    if (item.HasUniqueRoleAssignments)
    {
        foreach (var roleAsg in item.RoleAssignments)
        {
            Console.WriteLine("User/Group: " + roleAsg.Member.LoginName);
            List<string> roles = new List<string>();
            foreach (var role in roleAsg.RoleDefinitionBindings)
            {
                roles.Add(role.Description);
            }
            Console.WriteLine("Permissions: " + string.Join(",", roles.ToArray()));
            Console.WriteLine("----------------");
        }
    }
    else
    {
        Console.WriteLine("No unique permission found");
    }
    Console.WriteLine("###############");
}

Advertisement

4 thoughts on “Get Item Level Permissions in SharePoint using CSOM”

  1. Nice post. Can you please let me know how to set the existing permissions for a lisyt item to "Read" and add additional new users with "Contribute".

    Reply
  2. Thanks Morgan. I am developing some C# CSOM code that sets item level permissions in a SharePoint 2016 on premise document library. I used the code in your https://morgantechspace.com/2016/04/add-or-remove-item-level-permission-sharepoint.html post to successfully assign a group or groups to folders. And many of the folders have sub folders that require different permissions. When I run the code you provide in this post to get the item level permission, even though a folder might only have one group assigned to it, if that folder has sub folders, the parent folder’s RoleAssignments collection will contain all role assignments from all sub folders. So, where I’m expecting to see one role assignment, I’m see several role assignments that are associated with the sub folders. And I don’t know how to interigate the role assignments to figure out which folder they are associated with.

    Can you help me?

    Thanks, frank

    Reply

Leave a Comment