Query list items based on what permissions they have

Don't know how to google for such, but is there a way to query all the items where

• Permissions are unique to listitem
开发者_开发技巧
• These unique permissions contains assignment for specific group X.

Old post, but still getting plenty of views and I can't find anywhere more relevant to say this. There are some shortcuts available now, and you can use CAML to return only items with unique permissions, just not using the HasUniqueRoleAssignments property.

Sharing/setting unique permissions on a list item adds hidden "Field" nodes ("SharedWithDetails" & "SharedWithUsers") to it's SchemaXml property, which you can filter with CAML:

<View><Query><Where><IsNotNull><FieldRef Name='SharedWithDetails' /></IsNotNull></Where></Query></View>

Incidentally, setting a unique permission on an Item also seems to add a flag to the List itself, which is presumably how the /_layouts/15/uniqperm.aspx page manages to return answers on biiiig sites so quickly (and the cryptically vague "Lists that may contain items with unique permissions" message). You use this additional XML to identify lists that (probably) contain Items with unique permissions, which is vastly more efficient than enumerating every Item in the List to find out if any of them had unique permissions. This is particularly valuable if your Site contains many Lists, or any large Lists.

This PnP PowerShell code returns all lists that (probably) have items with unique permissions:

Get-PnPList -Includes SchemaXml | ? {$_.SchemaXML -match "SharedWithDetails"}

And once you have the list, you can use Get-PnPListItem and the above CAML query to efficiently return only the Items with unique permissions without having to enumerate/load every item in the List:

Get-PnPListItem -List [YourList] -Query "<View><Query><Where><IsNotNull><FieldRef Name='SharedWithDetails' /></IsNotNull></Where></Query></View>"

You will have to loop through the items and inspect the permissions item per item and update them if relevant. The more items you have the longer it takes. So not really a great solution.

An other solution is using the credentials of a user that is only member of group x. SharePoint automatically takes permissions into account. So if you connect to the list using that user, you should only get the items on which the user has permissions. Use the NetworkCredentials class for doing this.

Then use a CAML query to update your items.

--W

I don't think you can do this by shaping a CAML query and using the SPQuery object to get the items in this way.

My thinking would be to get all items, and loop through them testing for the HasUniqueRoleAssignments and RoleAssignments properties.