I use Graph Explorer to test it.
API: GET /users/{userPrincipalName}/insights/shared, return 403.
API: GET /users/{userPrincipalName}/insights/used, return 200 and used documents.
Both API required same permission:
Sites.Read.All, Sites.ReadWrite.All
Anyone can help on it?
If you call GET /users/{id | userPrincipalName}/insights/shared, please make sure you have the Sites.Read.All or Sites.ReadWrite.All application permissions (don't forget to grant admin consent for this permission), because no users are logged in at the /users endpoint. Then you need to use the client credential flow to get the access token.
Update:
When you use Graph Explorer to test, because you need to log in as a user, you actually use the token obtained by the userName/Password flow. according to the document: Only the user can make requests using the user's id or principal name.
When you log in to a user, you can only use the id or principal name of the logged in user. You cannot use the id of other users, otherwise, a 403 error will be reported. But when you use other tools such as postman for testing, because you do not log in as a user, but use the application as the service principal to make a request, so, you can get a list of shared documents from other users.
Summarized in one sentence: As long as you are logged in as a user, you can only get the list of shared documents of the logged-in user. If you want to get the list of shared documents from other users, , don't log in users.
Related
I have 3 applications:
An IdentityServer4 API which provides Google authentication and also provides an access token to authorize the resource API.
A simple Resource API which provides some data from DB.
A simple Client in React which have 4 buttons:
Login, for Google auth
Logout
Get data - a simple request with the access token to the Resource API and gets the data from Db
Get user data - returns user profile and token (for debug purpose)
I didn't put any sample code because my problem is not code related, it's knowledge that I'm missing and I ask for guidance.
The workflow is working just fine: the user press the Login button, it is redirected to IdentityServer4 API for Google Auth. From there it is redirected to a Callback Page from the Client and from there to the Index page. I receive the user data and the token, I can request data from the Resource API and it's working.
My problem is: How do I give a Role to the Google Users ?
I don't have users saved in DB. I want three types of Users: SuperAdmin, Admin, Viewer and each of these roles have limited Endpoints which can access.
For limiting their access I saw that I can use Claims-based authorization or Role-based authorization.
So, my question is how ca I give a Google User who wants to login in my app, a specific Claim/Role ? What is the workflow ? I must save it first in DB ? Or there exists a service from Google where I can add an email address and select a Role for that address ?
Thank you very much !
After you get the response from Google in your callback you can handle the user and do what ever you want to do with it. Below are the some typical tasks that you can do in callback that I took from documentation page of identityserver4 link:
Handling the callback and signing in the user
On the callback page your typical tasks are:
inspect the identity returned by the external provider.
make a decision how you want to deal with that user. This might be
different based on the fact if this is a new user or a returning
user.
new users might need additional steps and UI before they are allowed
in.
probably create a new internal user account that is linked to the
external provider.
store the external claims that you want to keep.
delete the temporary cookie
sign-in the user
What I would do is creating an new internal user account that is linked to the external provider and add a role to that user.
If you don't want to save users in db, you can add an extra claim to user in callback method and use that claim in token. and i think this link will help with that.
I try to get reports from power bi api. There is app with permissions, enter image description here. My request enter image description here. If i insert "openid" to scopes or any of Microsoft Graph scopes, request return access token. This token dont let me access to reports. If i insert "Report.Read.All" or any of Power BI scopes, i recieve invalid_grant error: 'The user or administrator has not consented to use the application with ID named 'Интеграция с Битрикс24'. Send an interactive authorization request for this user and resource.'. Request from error message was send was sent by me many times. enter image description here. Please tell me what could be the mistake. What setting could I forget?
need to insert full url scope in request body to access power bi token. https://analysis.windows.net/powerbi/api/Report.Read.All instead of Report.Read.All
I could help you with an alternative where you can update the Graph Client to a Newer version. The admin of the subscription can grant the consent through the portal as shown below from Home > App > API Permissions.
We have done the following steps:
Using the following Steps:
Revoke all admin consent.
Remove all permissions
Add removed permissions back.
Grant admin consent.
Here is the Microsoft Document which you can refer to : Construct the URL for granting tenant-wide admin consent
Hey I am a beginner in React and Graph.
To explain, I have to create a little web site in React using Microsoft Graph to get Active Directory data ( like all the users and their information of the company which uses AAD ).
I am actually a little lost of how I can get this list of users.
Can you help me ?
Once logged into your app that have proper access right to read all users data, you should be able to retrieve users with a http get on that url
GET https://graph.microsoft.com/v1.0/users
Don't forget to add bearer token in your HTTP headers.
To get users in azure AD, you can call the List Users GET HTTP request.
GET https://graph.microsoft.com/v1.0/users
To get the number of users returned you can use the $top query parameter to specify the page size of the result set. See docs here.
https://learn.microsoft.com/en-us/graph/query-parameters#top-parameter
GET https://graph.microsoft.com/v1.0/users?$top=200
We have an app that allows a user to connect to Salesforce and import data using OAUTH. Works fine for Dev edition users, but Enterprise edition users sometimes get a 401 Forbidden when the app makes a call to describe after they're successfully logged in.
I did manage to find this nugget in Saleforce's documentation for describeSObjects() that says:
Your client application must be logged in with sufficient access
rights to retrieve metadata about your organization’s data.
Does anybody know what exactly those sufficient access rights are? For Enterprise edition users, does the Salesforce admin need to grant specific permissions to the user, so that user can retrieve metadata?
Any help is much appreciated.
Needed to have full access permissions set on the Connected App.
The salesforce admin controls which users have access to which sobjects via the CRUD settings on the users profile.
Typically you'll want to call describeGlobal first, which'll give you info about which the sobjects the user has access to.
You shouldn't see a 401 from the SOAP API, as SOAP 1.1 requires errors to be returned with a 500 status code. So i'm guessing you're using the REST API, but 401 is Unauthorized, not Forbidden, if you're really getting a 401, it sounds like you might be using an expired access token. The response body should have more info on why you got an error response.
I'm a Salesforce system administrator and I would like to use the Web Services API on behalf of (ie: impersonate) a Salesforce user that is part of my company.
More precisely, I'm looking for a feature similar to what Google Docs already provides: https://developers.google.com/google-apps/documents-list/#using_google_apps_administrative_access_to_impersonate_other_domain_users
Can this be done ?
Thanks !
The only way to do this is to authenticate with the API using the other user's credentials. This is a security feature that cannot be avoided.
This is should be possible if you have login access for that user and a tool to inspect a browser cookies.
When you're logged in as the test user open a cookie browser and grab the value in the "sid" cookie. This is a session id for that user and can be set in the headers of an api request instead of doing a login call.
I've haven't tried this. It's possible that this session id may only be valid for the browser and not the API. In that case you should probably just create a test user with the same profile and your email. If all else fails just ask the user to temporarily change their password and share it with you.