In this post, I am going to write C# code sample to get item level permissions for all list items using CSOM in SharePoint On-Premises/SharePoint Online library. Every list items should have permission entries only if they have unique (or explicit) permissions assigned. If an item or document doesn’t have any unique permission entry, then the item’s permissions will be derived from its parent library permission.
Retrieve Item Level Permissions For List Items with CSOM
The below CSOM based C# code find all list items for a given SharePoint Online list (or library) and gets the permissions for every items if an item has unique permission.
public static void Get_Item_Level_Permissions_For_All_List_Items()
{
string sitrUrl = "https://spotenant.sharepoint.com/sites/mysite";
using (var ctx = new ClientContext(sitrUrl))
{
//ctx.Credentials = Your Credentials
ctx.Load(ctx.Web, a => a.Lists);
ctx.ExecuteQuery();
List list = ctx.Web.Lists.GetByTitle("Documents");
var listItems = list.GetItems(CamlQuery.CreateAllItemsQuery());
//load all list items with default properties and HasUniqueRoleAssignments property
ctx.Load(listItems, a => a.IncludeWithDefaultProperties(b => b.HasUniqueRoleAssignments));
ctx.ExecuteQuery();
foreach (var item in listItems)
{
Console.WriteLine("List item: " + item["FileRef"].ToString());
if (item.HasUniqueRoleAssignments)
{
//load permissions if item has unique permission
ctx.Load(item, a => a.RoleAssignments.Include(roleAsg => roleAsg.Member.LoginName,
roleAsg => roleAsg.RoleDefinitionBindings.Include(roleDef => roleDef.Name,
roleDef => roleDef.Description)));
ctx.ExecuteQuery();
foreach (var roleAsg in item.RoleAssignments)
{
Console.WriteLine("User/Group: " + roleAsg.Member.LoginName);
List<string> roles = new List<string>();
foreach (var role in roleAsg.RoleDefinitionBindings)
{
roles.Add(role.Description);
}
Console.WriteLine("Permissions: " + string.Join(",", roles.ToArray()));
Console.WriteLine("----------------");
}
}
else
{
Console.WriteLine("No unique permission found");
}
Console.WriteLine("###############");
}
}
}
The above code first fetch the list items and then load the role assignments for every items, so it includes multiple server requests, alternatively we can also load the list items and its permissions in single server request call.
List list = ctx.Web.Lists.GetByTitle("Documents");
var listItems = list.GetItems(CamlQuery.CreateAllItemsQuery());
//load all list items with default properties and HasUniqueRoleAssignments property and also
//load permissions of every items
ctx.Load(listItems, a => a.IncludeWithDefaultProperties(b => b.HasUniqueRoleAssignments),
permsn => permsn.Include(a => a.RoleAssignments.Include(roleAsg => roleAsg.Member.LoginName,
roleAsg => roleAsg.RoleDefinitionBindings.Include(roleDef => roleDef.Name,
roleDef => roleDef.Description))));
ctx.ExecuteQuery();
foreach (var item in listItems)
{
Console.WriteLine("List item: " + item["FileRef"].ToString());
if (item.HasUniqueRoleAssignments)
{
foreach (var roleAsg in item.RoleAssignments)
{
Console.WriteLine("User/Group: " + roleAsg.Member.LoginName);
List<string> roles = new List<string>();
foreach (var role in roleAsg.RoleDefinitionBindings)
{
roles.Add(role.Description);
}
Console.WriteLine("Permissions: " + string.Join(",", roles.ToArray()));
Console.WriteLine("----------------");
}
}
else
{
Console.WriteLine("No unique permission found");
}
Console.WriteLine("###############");
}
Nice post. Can you please let me know how to set the existing permissions for a lisyt item to "Read" and add additional new users with "Contribute".
Can you please look at this post : https://www.morgantechspace.com/2016/04/add-or-remove-item-level-permission-sharepoint.html
Thanks Morgan. I am developing some C# CSOM code that sets item level permissions in a SharePoint 2016 on premise document library. I used the code in your https://morgantechspace.com/2016/04/add-or-remove-item-level-permission-sharepoint.html post to successfully assign a group or groups to folders. And many of the folders have sub folders that require different permissions. When I run the code you provide in this post to get the item level permission, even though a folder might only have one group assigned to it, if that folder has sub folders, the parent folder’s RoleAssignments collection will contain all role assignments from all sub folders. So, where I’m expecting to see one role assignment, I’m see several role assignments that are associated with the sub folders. And I don’t know how to interigate the role assignments to figure out which folder they are associated with.
Can you help me?
Thanks, frank
By default, SharePoint folder permissions will be inherited to all nested sub folders. If you want to set unique permission for a particular sub folder, then you have to break the inheritance for that folder and set required role assignments to the sub folder. Please refer this post : https://morgantechspace.com/2016/04/break-permission-inheritance-in-sharepoint-csom.html