Get-SPOObjectRoleAssignments.ps1
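##############################
#.SYNOPSIS
#Get permissions for SPO CSOM objects.
#
#.DESCRIPTION
#Uses the CSOM API to initialize the CSOM collections RoleAssignments,
#RoleAssignments.RoleDefinitionBindings, and RoleAssignments.Member for each
#object, then returns the member (principal) of every role assignment.
#Role assignments whose only binding is 'Limited Access' are skipped, as these
#permissions were probably set at a lower level on a different object.
#
#.PARAMETER Objects
#The securable objects to return permissions from. Accepts pipeline input.
#
#.EXAMPLE
#Get-SPOObjectRoleAssignments -Objects $Context.Web.Lists[0]
#
#.NOTES
#This may need to be updated to support different kinds of objects or collections. Easy to do, using Parameter sets.
#
#Audit caveat: a principal that is skipped here because it holds only
#'Limited Access' still has access to something beneath this object. To see
#what that is, run the function against the child objects as well.
##############################
Function Get-SPOObjectRoleAssignments{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,ValueFromPipeline)]
        [Microsoft.SharePoint.Client.SecurableObject[]]$Objects
    )
    Begin{
        # Collects the members found for every input object. It is created once
        # here and emitted once in End, so piping several objects into the
        # function does not repeat earlier members in the output.
        [Microsoft.SharePoint.Client.Principal[]]$results = @()
    }
    Process{
        Write-Verbose -Message "Steeping through each item and getting the RoleAssignments and RoleDefinition Bindings. (This could take a while)"
        Foreach($obj in $Objects){
            Write-Verbose -Message "Initializing $($obj.Title) RoleAssignments/DefinitionBindings and RoleAssignment members."
            # Initialize-SPOCSOMCollections is defined outside this block;
            # presumably it loads the given CSOM collection from the server.
            Initialize-SPOCSOMCollections -CSOMCollection $obj.RoleAssignments
            $url=$obj.url

            # Foreach Role Assignment, get the DefinitionBindings and Members.
            # Do not report any definition bindings with "Limited Access" as the only permission.
            Foreach($ra in $obj.RoleAssignments){
                Initialize-SPOCSOMCollections -CSOMCollection $ra.RoleDefinitionBindings
                Initialize-SPOCSOMCollections -CSOMCollection $ra.Member

                # The level name must be spelled exactly "Limited Access";
                # a misspelled literal never matches, and every Limited-Access-only
                # assignment would then be reported.
                # NOTE(review): this compares the display name of the permission
                # level - confirm it is the same on sites that are not in English.
                if($ra.RoleDefinitionBindings.Count -eq 1 -And $ra.RoleDefinitionBindings[0].Name -eq "Limited Access"){
                    Continue
                }

                # Add a URL to the member property so we know which site it belongs to.
                # This needs to be updated to support other objects other than sites.
                $ra.member | Add-Member -MemberType NoteProperty -Name "Url" -Value $url -Force
                $results += $ra.Member
            }
        }
    }
    End{
        # Emit the accumulated members once, after all input has been processed.
        Return $results
    }
}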