Get Item Level Permissions in SharePoint using CSOM

In this post, I am going to write a C# code sample that gets item-level permissions for all list items using CSOM in a SharePoint On-Premises or SharePoint Online library. A list item has its own permission entries only if it has unique (or explicit) permissions assigned. If an item or document doesn’t have any unique permission entry, then the item’s permissions are derived from its parent library's permissions.

Retrieve Item Level Permissions For List Items with CSOM

The CSOM-based C# code below finds all list items in a given SharePoint Online list (or library) and gets the permissions for each item that has unique permissions.

/// <summary>
/// Writes to the console, for every item in the "Documents" list of the hard-coded site,
/// the principals and permission-level descriptions assigned directly on that item.
/// </summary>
/// <remarks>
/// Items whose <c>HasUniqueRoleAssignments</c> flag is false are reported as
/// "No unique permission found". Role assignments are fetched with one additional
/// server request per item that has unique permissions.
/// </remarks>
public static void Get_Item_Level_Permissions_For_All_List_Items()
{
    string siteUrl = "https://spotenant.sharepoint.com/sites/mysite";
    using (var ctx = new ClientContext(siteUrl))
    {
        // Assign ctx.Credentials here, before the first ExecuteQuery call.
        // Take the secret from a protected store or prompt, not from a literal in this file.
        // NOTE(review): the account presumably needs rights to enumerate permissions on the list - confirm.
        ctx.Load(ctx.Web, web => web.Lists);
        ctx.ExecuteQuery();

        List documents = ctx.Web.Lists.GetByTitle("Documents");

        // NOTE(review): CreateAllItemsQuery() asks for every item at once; very large lists
        // may run into the list view threshold - consider paging if that applies.
        var allItems = documents.GetItems(CamlQuery.CreateAllItemsQuery());

        // Default item properties plus the flag that says whether inheritance is broken.
        ctx.Load(allItems, items => items.IncludeWithDefaultProperties(it => it.HasUniqueRoleAssignments));
        ctx.ExecuteQuery();

        foreach (var item in allItems)
        {
            string fileRef = item["FileRef"].ToString();
            Console.WriteLine("List item: " + fileRef);

            if (!item.HasUniqueRoleAssignments)
            {
                // Nothing is assigned on the item itself, so there is nothing further to load.
                Console.WriteLine("No unique permission found");
            }
            else
            {
                // Second round trip for this item: principal login names and the
                // name/description of each bound permission level.
                ctx.Load(item, it => it.RoleAssignments.Include(
                    assignment => assignment.Member.LoginName,
                    assignment => assignment.RoleDefinitionBindings.Include(
                        definition => definition.Name,
                        definition => definition.Description)));
                ctx.ExecuteQuery();

                foreach (var assignment in item.RoleAssignments)
                {
                    string principal = assignment.Member.LoginName;
                    Console.WriteLine("User/Group: " + principal);

                    // NOTE(review): only Description is printed although Name is loaded too;
                    // for an access review the level Name may be the more useful field - confirm.
                    var descriptions = new List<string>();
                    foreach (var definition in assignment.RoleDefinitionBindings)
                    {
                        descriptions.Add(definition.Description);
                    }

                    Console.WriteLine("Permissions: " + string.Join(",", descriptions));
                    Console.WriteLine("----------------");
                }
            }

            Console.WriteLine("###############");
        }
    }
}

The above code first fetches the list items and then loads the role assignments for each item, so it makes multiple server requests. Alternatively, we can load the list items and their permissions in a single server request.

// Single-request variant: the items and their role assignments come back from one ExecuteQuery call.
List list = ctx.Web.Lists.GetByTitle("Documents");
var listItems = list.GetItems(CamlQuery.CreateAllItemsQuery());

// First retrieval: default item properties plus HasUniqueRoleAssignments.
// Second retrieval: for every item, the login name of each assigned principal and the
// name/description of each bound permission level. Role assignments are requested for
// all items here, not only for those with unique permissions.
ctx.Load(listItems,
    items => items.IncludeWithDefaultProperties(it => it.HasUniqueRoleAssignments),
    items => items.Include(it => it.RoleAssignments.Include(
        assignment => assignment.Member.LoginName,
        assignment => assignment.RoleDefinitionBindings.Include(
            definition => definition.Name,
            definition => definition.Description))));
ctx.ExecuteQuery();

foreach (var item in listItems)
{
    string fileRef = item["FileRef"].ToString();
    Console.WriteLine("List item: " + fileRef);

    if (!item.HasUniqueRoleAssignments)
    {
        // The loaded assignments are not printed for items without unique permissions.
        Console.WriteLine("No unique permission found");
    }
    else
    {
        foreach (var assignment in item.RoleAssignments)
        {
            string principal = assignment.Member.LoginName;
            Console.WriteLine("User/Group: " + principal);

            // NOTE(review): only Description is printed although Name is loaded too;
            // for an access review the level Name may be the more useful field - confirm.
            var descriptions = new List<string>();
            foreach (var definition in assignment.RoleDefinitionBindings)
            {
                descriptions.Add(definition.Description);
            }

            Console.WriteLine("Permissions: " + string.Join(",", descriptions));
            Console.WriteLine("----------------");
        }
    }

    Console.WriteLine("###############");
}
