Revoking default permission fails in new Office 365 Group - permissions

After a file is uploaded to an Office 365 Group’s OneDrive using the Graph API, we want to revoke the default permissions on the file. However, in groups which have only recently be created, this fails.
By default, a file's permissions are “GroupName Owners”, “GroupName Members” and “GroupName Visitors”. We want to remove these permissions and grant access to specific AD Security Groups.
After uploading a file we are seeing two different results when getting the default permissions (in preparation to delete them).
In one case, we get four permissions – the three listed above, plus a ‘special’ permission which has grantedTo with a user with id matching the group id. We have learned not to delete this permission, as we lose the ability to delete the other permissions.
Here, this ‘special’ permission is the first one listed:
{
"#odata.context": "https://graph.microsoft.com/V1.0/$metadata#drives('b%21Y25ow5oitkOvNToutf7LrYZ-y78P2jBEjoGLzb3oPqnw0a3YKFDwTobjTB4gYxKt')/root/permissions",
"value": [
{
"grantedTo": {
"user": {
"id": "273c2c33-8533-445d-ae65-4b63be296995",
"displayName": "SharePoint Tests"
}
},
"id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8MjczYzJjMzMtODUzMy00NDVkLWFlNjUtNGI2M2JlMjk2OTk1X28",
"roles": [
"write"
]
},
{
"grantedTo": {
"user": {
"displayName": "SharePoint Tests Owners"
}
},
"id": "U2hhcmVQb2ludCBUZXN0cyBPd25lcnM",
"roles": [
"SP.Full Control",
"write"
]
},
{
"grantedTo": {
"user": {
"displayName": "SharePoint Tests Visitors"
}
},
"id": "U2hhcmVQb2ludCBUZXN0cyBWaXNpdG9ycw",
"roles": [
"read"
]
},
{
"grantedTo": {
"user": {
"displayName": "SharePoint Tests Members"
}
},
"id": "U2hhcmVQb2ludCBUZXN0cyBNZW1iZXJz",
"roles": [
"SP.Edit"
]
}
]
}
However, for a period after the group has been created, after uploading a file, we only get 3 permissions back – the special one mentioned above is missing. In this case, trying to delete the other permissions fail with an ‘unauthenticated’ error code. E.g.
DELETE https://graph.microsoft.com/V1.0/drives/b!zn7l0OHTmUa3lGABIbIGQIZ-y78P2jBEjoGLzb3oPqnw0a3YKFDwTobjTB4gYxKt/items/013LUA5IQEPURED3OSURAI27FBHDYLFQJP/permissions/U2FnZSAtIFBBUiBTZWN1cml0eSA0IE93bmVycw
We can still add permissions, just not revoke the default ones.
This condition seems to persist for all files created within a given Office 365 Unified Group until several minutes after it has been created.
Our only option at the moment looks to be to create a dummy file, and see if we get 3 or 4 permissions back (or just try deleting the default permissions). If we only get 3 try again after some time period. But this seems like a fragile hack, and adds significant time (several minutes) to our upload process.
Does anyone have any better suggestions, or an explanation of this behaviour?
Thanks

Peter, Groups files are stored in a SharePoint document library and hence permissions (owners & members) are inherited from the AzureAD and cannot be changed, see this documentation for more information: https://support.office.com/en-us/article/Learn-about-Office-365-groups-b565caa1-5c40-40ef-9915-60fdb2d97fa2?ui=en-US&rs=en-US&ad=US&fromAR=1

You can't break inheritance and please see these additional features we are rolling specific to the SharePoint document library: https://techcommunity.microsoft.com/t5/SharePoint/UPDATE-Create-Office-365-Groups-with-team-sites-from-SharePoint/m-p/48277

Related

Account list doesn't return account id for "grouped" accounts

I'm using the Xero API to do some integration and I'm using the accounts get feature to return a list of accounts. I'd like to join this to some of the reports, for example the profit and loss report which would allow me to then group the accounts returned by type. All looks good, other than some accounts have an extra "groupID" attribute. When an account has this extra attribute, the "account" attribute that usually contains a GUID which I can link to reports now contains what could be a GUID, only without the dashes, and doesn't link to any other report.
For example, this is an account that all works correctly...
{
"RowType": "Row",
"Cells": [
{
"Value": "General Expenses",
"Attributes": [
{
"Value": "8d631f87-7304-401f-a7cd-d1d42c1b458a",
"Id": "account"
}
]
},
{
"Value": "179.07",
"Attributes": [
{
"Value": "8d631f87-7304-401f-a7cd-d1d42c1b458a",
"Id": "account"
}
]
}
]
},
This one doesn't, and the GUID isn't formatted as a GUID anymore...
{
"RowType": "Row",
"Cells": [
{
"Value": "Directors' Remuneration",
"Attributes": [
{
"Value": "a02584cbb64e4c109b4355b292da0de5",
"Id": "account"
},
{
"Value": "a02584cbb64e4c109b4355b292da0de5",
"Id": "groupID"
}
]
},
{
"Value": "55737.84",
"Attributes": [
{
"Value": "a02584cbb64e4c109b4355b292da0de5",
"Id": "account"
},
{
"Value": "a02584cbb64e4c109b4355b292da0de5",
"Id": "groupID"
}
]
}
]
},
Any idea what would cause that? Is there a way I can list "grouped" accounts?
Thanks in advance.
At the moment, there is no current way to get the accountIDs in the Reports endpoints for accounts that have been grouped together.
But, there are 2 ways you can get that in the response. In the API request, if you send 'standardLayout=true', then that'll give you back the accountIDs.
Or on the Web app, in P&L edit layout mode, if you uncheck the 'Show Summary Only' box for the group of those accounts, that'll also work the same way and you should be able to see the accountIDs in the API response.
Thanks
Keertika
I believe that is due to the org having multi-currency for that account.
However I don't see much other documentation related to how to lookup the account from that. I will update this answer If I can find anything else out internally.
Multi-Currency System Accounts - FXGROUPID
For organisations in most regions, the standard layout of the profit and loss report will group multi currency system accounts into a single line with a Value of FXGROUPID (instead of an AccountID).
This is not the case for US organisations and Australian demo companies. Multi-currency system accounts will be displayed seperately with their respective AccountIDs.
Multi currency support could be seen here: https://go.xero.com/Setup/CurrencyRates.aspx
I think you can also just query the currencies endpoint to find out if an org may support mutiple.

Query TFS to show all releases and whether or not it is set for approval. V 2017.3

I need to run a query in sql that will show all the TFS releases from all projects and whether or not it is setup for pre relase approvals. I see in the defaultcollection db there is the Release.tbl_ReleaseDefinition table, it has a lot of data but not approval info. I do see the Release.tbl_DefinitionEnvironment and I see ApprovalOptions there, but that seems to be showing the approval info for every release created whereas I am needing info on release definitions only.
Just as Daniel pointed out, we highly not recommend you dig into TFS databased directly.
According to your description, you just need the approval info for all release definitions. Suggest you use Rest API to handle this.
For a single release, you could use below Rest API:
GET https://vsrm.dev.azure.com/{organization}/{project}/_apis/release/definitions/{definitionId}?api-version=5.1
It will return both preDeployApprovals and postDeployApprovals, for example:
"preDeployApprovals": {
"approvals": [
{
"rank": 1,
"isAutomated": false,
"isNotificationOn": false,
"approver": {
"displayName": "Chuck Reinhart",
"url": "https://vssps.dev.azure.com/fabrikam/_apis/Identities/aeb95c63-4fac-4948-84ce-711b0a9dda97",
"_links": {
"avatar": {
"href": "https://dev.azure.com/fabrikam/_apis/GraphProfile/MemberAvatars/aad.YjYxMjE5ZWQtODEwYS03OTU3LWJjYzAtMjQ0YTI5ZDk0ZjFl"
}
},
"id": "aeb95c63-4fac-4948-84ce-711b0a9dda97",
"uniqueName": "fabfiber#outlook.com",
"imageUrl": "https://dev.azure.com/fabrikam/_api/_common/identityImage?id=aeb95c63-4fac-4948-84ce-711b0a9dda97",
"descriptor": "aad.YjYxMjE5ZWQtODEwYS03OTU3LWJjYzAtMjQ0YTI5ZDk0ZjFl"
},
"id": 118
}
],
More details please take a look at official doc here: Definitions - Get
For multiple release, you should use list: Definitions - List
Hope this helps.

Why every time I try to enter my publisher name my npm says I need to view user permissions on it?

The present reason I'm asking this question is that my npm CLI server in the Command Prompt doesn't let me register my theme to the Visual Studio Code Marketplace. I did as the VS Code website's tutorial on how to publish an extension read. However, when I typed my Personal Access Token in the cmd as it was shown to me, this is what I get:
>vsce login 'my publisher name'
#Error: Access Denied: 'Username' needs the following permission(s) on
#the resource /publisher name to perform this action: View user permissions
#on a resource
I tried several times, and even gave it full access to all accessible organizations in my Azure DevOps. And for your information, my computer runs on Windows 8.1.
This is the package.json file I tried to register:
{
"name": "blacklady-code-workspace",
"displayName": "Black Lady Theme",
"description": "Modeled after the Black Lady from Sailor Moon R.",
"version": "0.0.1",
"publisher": "ayaimarion",
"repository": {
"url": "https://github.com/ZanJang/blacklady-theme-ver-0.0.1"
},
"engines": {
"vscode": "^1.30.0"
},
"categories": [
"Themes"
],
"contributes": {
"themes": [
{
"label": "Black Lady",
"uiTheme": "vs-dark",
"path": "./themes/Black Lady-color-theme.json"
}
]
}
}
If there's something I did do wrong, let me know.
My Azure DevOps organization: https://dev.azure.com/ayamaki
I had the same issue. I had not yet created the publisher in the Marketplace.
Once I created the new publisher, the vsce login command succeeded.

Set a custom domain for an azure Storage Account through an ARM template

I'm trying to setup an ARM template to set a custom domain for an Azure storage account. I am only running this portion of my ARM template after the storage account is initially setup and a DNS record has been created, but it still fails with this error:
: The custom domain name could not be verified. CNAME mapping from myStorage.mydomain.com to .blob.core.windows.net does not exist.
I've replaced my domain in the error, but the rest is exact. I notice that it looks suspicious since it doesn't list the name of my storage account, but the storage account is named, so I can't figure out how to affect that. Here's the resource definition (again, the account name and domain are replaced, but all else is the same)
"resources": [
{
"name": "myStorageAccount",
"type": "Microsoft.Storage/storageAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2017-06-01",
"sku": {
"name": "Standard_LRS"
},
"dependsOn": [],
"tags": {
"displayName": "Storage Account"
},
"kind": "BlobStorage",
"properties":{
"customDomain":{
"name":"myStorage.mydomain.com",
"useSubDomain":false
}
}
}
]
I can set it to the same custom domain through the Azure portal. It validates fine there. I'm sure I could do it through a separate PowerShell script, but I prefer to do it in the ARM, so as to minimize the need for additional scripts when setting up my environment.
Any thoughts would be appreciated.

Xbmc Database Path

I am working with XBMC. I have installed XBMC in my system(Windows 7, 32 bit). Xbmc is working fine in my system. I have developed an application in order to control the Xbmc remotely from Ipad. In order to retrieve the music files or video files from Xbmc, I am unable to. By searching the forums of xbmc, I found that we can write an sql query to get them out. But, the thing is I am unable to make out where the database is located in my system. Someone help me out where I can find it.
Regards,
Sushma.
The database itself
By default the location of the database is that described on the wiki page XBMC databases
but the actual location can be changed by the user, or a different database technology can be used entirely.
The settings that would affect this are located in advancedsettings.xml.
But in general it is advised by the XBMC developers to never access the database directly.
JSONRPC
In order to help with interacting with the database XBMC has supported the JSONRPC queries, the one downside of these is that XBMC needs to be running at the time to respond to these queries. The major advantage is that it XBMC will find the database for you and expose access to it with a common interface.
JSONRPC support was first added to XBMC in "Darhma" (v10), became really useful in "Eden" (v11) and will support almost everything possible in "Frodo" (v12). Information about the use of JSONRPC can be found in the wiki.
An example
In this example I'm assuming that you are targeting "Eden", the current stable release of XBMC. Also I have formatted the following with new lines, these are not required and are not present in the response from XBMC.
Request
If you were to use JSONRPC the request you would need to send would look something like:
{
"jsonrpc": "2.0",
"method": "VideoLibrary.GetMovies",
"params": {
"properties": [
"title",
"year",
"file"
],
"limits": {
"start": 0,
"end": 2
}
},
"id": 1
}
Note: If you wanted different information about each movie you could use other properties listed here.
*Note: You probably want to omit the "limits" part to get all movies.*
Responce
The response to this would be something like:
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"limits": {
"end": 2,
"start": 0,
"total": 47
},
"movies": [
{
"label": "Label for movie",
"movieid": 1,
"title": "Title of movie",
"year": 2012
},
{
"label": "Label for another movie",
"movieid": 2,
"title": "Title of another movie",
"year": 2010
},
{
"label": "Label for a third movie",
"movieid": 3,
"title": "Title of a third movie",
"year": 2012
}
]
}
}
What to do now?
You have a choice at this point, you can either:
Add "file" to the list of properties, this will return the "file" property, the location of the video file.
Use JSONRPC to tell xbmc to play a movie.
Using this method is best when you don't want to play the file locally (on the iPad) but instead on XBMC.
Playing a movie on XBMC via JSONRPC
This is quite simple, use the "movieid" you received earlier in the following request:
{
"jsonrpc": "2.0",
"method": "Player.Open",
"params": {
"item": {
"movieid": 2
}
},
"id": 1
}
Lastly I would note that there are equivalent commands for TV episodes as shown for movies.