Channel: SharePoint 2013 - Development and Programming forum

How to programmatically get list of users and groups that have access to a file or folder in SharePoint


Hello,

I am trying to find a way to get the list of AD users and AD Groups that have access to a folder or file that has broken inheritance.  I don't need to know how to find the inheritance broken, I have gotten that part but I am having issues finding each user or group that has access.  I do not want to see what users are within the AD group, I just want to see the name of the group that is accessing the folder.  The use case behind this is that we do not want secured folders shared to single users.  All of this must be controlled by AD groups only (site owners do not have access to add users to a secure folder).  Also need to find out if there are any files within the folder that do not inherit from the folder and are also shared to individual users instead of AD groups (hope this makes sense).   Here is what I have so far and it works to a point, but for some reason it is returning users that have access to the site elsewhere and also users who have limited access that I have to clean up later.

Here's the code I have written so far that sort of works.  It takes in the item object of the file or folder and a reference to a string. It scans the access and then builds a list of users separated by semicolon and returns true if one of the spuser objects is a user and not a group:

        /// <summary>
        /// Provides list of users\groups that have access to a List Item.
        /// </summary>
        /// <param name="spListItem">Item to check access of</param>
        /// <returns>semi colon delimited list of users\groups with access in a referenced list and boolean value indicating if a direct user exists</returns>
        public bool GetListItemUserAccess(SPListItem spListItem, ref string accountsWithAccess)
        {
            //string accountsWithAccess = string.Empty;
            bool IsFirstIteration = true;
            bool domainUserExits = false;
            SPRoleAssignmentCollection spItemRoles = spListItem.RoleAssignments;
            SPRoleDefinitionCollection rolesInWeb = spListItem.Web.RoleDefinitions;

            foreach(SPRoleAssignment spRole in spItemRoles)
            {

                SPPrincipal spPrincipal = spRole.Member;

                //cast as SPGroup or SPUser to determine if is a SPGroup or User
                if((spPrincipal as SPGroup) != null)
                {
                    SPGroup spGroup = spPrincipal as SPGroup;
                    SPUserCollection usersInGroup = spGroup.Users;

                    //report on each user in group
                    foreach(SPUser spUser in usersInGroup)
                    {
                        //check to see if it is a user group
                        if(!spUser.IsDomainGroup)
                        {
                            domainUserExits = true;
                        }

                        //add to list for report.
                        if(IsFirstIteration)
                        {
                            IsFirstIteration = false;
                        }
                        else
                        {
                            accountsWithAccess += ";";
                        }

                        //depending on the account type sometimes the Login name has the credentials and sometimes it has
                        //a UID
                        if (spUser.LoginName.ToLower().Contains("<company name>"))
                        {
                            accountsWithAccess += this.ParseUserIDFromClaim(spUser.LoginName);
                        }
                        else
                        {
                            accountsWithAccess += this.ParseUserIDFromClaim(spUser.Name);
                        }
                    }
                }
                else if((spPrincipal as SPUser) != null)
                {
                    //check to see if the user has limited access only (we don't report on this as this occurs when user has access to something in site)
                    if(!spListItem.DoesUserHavePermissions(spPrincipal as SPUser, SPBasePermissions.ViewListItems))
                    {
                        continue;
                    }

                    //check to see if it is a user group
                    if (!(spPrincipal as SPUser).IsDomainGroup)
                    {
                        domainUserExits = true;
                    }

                    //add to list for report.
                    if(IsFirstIteration)
                    {
                        IsFirstIteration = false;
                    }
                    else
                    {
                        accountsWithAccess += ";";
                    }

                    //depending on the account type sometimes the Login name has the credentials and sometimes it has
                    //a UID
                    if (spPrincipal.LoginName.ToLower().Contains("<company name>"))
                    {
                        accountsWithAccess += this.ParseUserIDFromClaim(spPrincipal.LoginName);
                    }
                    else
                    {
                        accountsWithAccess += this.ParseUserIDFromClaim(spPrincipal.Name);
                    }
                }
            }
            return domainUserExits;
        }
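
An added example, not part of the original post: one way to report only the principals assigned directly on an item, skipping Limited Access entries by inspecting each assignment's own role bindings, and to flag files in a folder that have unique permissions and an individual-user grant. The class and method names are hypothetical; it assumes the server object model (Microsoft.SharePoint.dll) on a farm server and that Limited Access is the role definition of type `SPRoleType.Guest`.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint;

public static class ItemAccessAudit   // hypothetical helper, not from the post
{
    // An assignment counts only if one of its own bindings is more than
    // "Limited Access" (SPRoleType.Guest).
    static bool GrantsRealAccess(SPRoleAssignment ra)
    {
        return ra.RoleDefinitionBindings.Cast<SPRoleDefinition>()
                 .Any(rd => rd.Type != SPRoleType.Guest);
    }

    // Returns the principals assigned directly on the item; accounts that are
    // not AD groups are also collected in 'individuals'.
    public static List<string> GetDirectPrincipals(SPListItem item, List<string> individuals)
    {
        var principals = new List<string>();
        foreach (SPRoleAssignment ra in item.RoleAssignments)
        {
            if (!GrantsRealAccess(ra)) continue;
            SPGroup group = ra.Member as SPGroup;
            SPUser user = ra.Member as SPUser;
            if (group != null)
            {
                principals.Add("SharePoint group: " + group.Name);
                // Members of a SharePoint group may be AD groups or single users.
                foreach (SPUser member in group.Users)
                    if (!member.IsDomainGroup)
                        individuals.Add(group.Name + " -> " + member.LoginName);
            }
            else if (user != null)
            {
                principals.Add(user.Name + " (" + user.LoginName + ")");
                if (!user.IsDomainGroup) individuals.Add(user.LoginName);
            }
        }
        return principals;
    }

    // Files in the folder with their own permissions and an individual grant.
    public static List<string> FilesSharedToIndividuals(SPFolder folder)
    {
        var flagged = new List<string>();
        foreach (SPFile file in folder.Files)
        {
            var individuals = new List<string>();
            if (file.Item == null || !file.Item.HasUniqueRoleAssignments) continue;
            GetDirectPrincipals(file.Item, individuals);
            if (individuals.Count > 0)
                flagged.Add(file.Url + ": " + string.Join(";", individuals));
        }
        return flagged;
    }
}
```

Reading `group.Users` requires an account allowed to view the group's membership, so run the audit under an identity with that right.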

