Blog链接:https://blog.51cto.com/13969817

在SharePoint Online中,管理用户权限是确保安全访问敏感信息的一项重要任务。了解分配给特定用户的权限有助于管理用户对网站集的访问。

今天,我们将探讨如何使用PowerShell为网站集中的特定用户生成SharePoint Online权限报告,使用此报告,您可以快速轻松地查看用户的权限,确定任何潜在问题,并就授予或撤销对敏感信息的访问权做出明智的决定。

我们都知道,如果使用原生功能查询,管理员需要逐个进入Site Collection下的每个网站去查询该用户的权限;如果site比较多,操作起来比较繁琐,整理Report也很耗时耗力。那么如何快速检索某个用户在SPO Site Collection中的所有权限呢?具体操作过程如下所示:

1.      加载SharePoint CSOM Assemblies,执行下面命令:

# Load the two SharePoint CSOM assemblies the script depends on (client object model + runtime).
# Both files must exist at the path below; Add-Type throws if either one is missing.
"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll",
"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll" |
    ForEach-Object { Add-Type -Path $_ }

2.      设置相关的参数值

# Script settings - adjust before running.
$BatchSize = 500                                       # CAML RowLimit: list items fetched per page while scanning
$ReportFile = "C:\Temp\PermissionRpt.csv"              # output report (tab-separated); rewritten on every run
$UserAccount = "i:0#.f|membership|byron@contoso.com"   # claims-encoded login name of the user to report on
$SiteURL = "https://contoso.sharepoint.com/sites/ops"  # root URL of the site collection to scan

3.      使用SharePoint Online PowerShell获取应用于特定对象的用户权限,代码示例:

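Function Get-Permissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
    <#
    .SYNOPSIS
    Appends a report row for every role assignment on $Object that grants $SearchUser access.

    .DESCRIPTION
    Resolves a display URL and a type label for $Object (a Web, a ListItem, or anything else,
    which is labelled "List/Library"), loads its RoleAssignments and checks each one:
      - a member of PrincipalType "User" whose LoginName matches $SearchUser is reported as
        "Direct Permission";
      - a member of PrincipalType "SharePointGroup" is expanded through $Web.SiteGroups and, if
        $SearchUser is among the group's Users, reported as "Member of '<group>' Group".
    Other principal types are not expanded, so access granted only through them (for example
    a security group nested in a SharePoint group) does not appear in the report.

    Reads state set by the calling script: $Ctx (ClientContext), $SearchUser (the resolved User),
    $Web (the web currently being scanned, resolved from the calling scope) and $ReportFile.

    .PARAMETER Object
    The securable object (Web, List or ListItem) whose role assignments are inspected.

    .OUTPUTS
    None. Rows are appended to $ReportFile; matches are also echoed with Write-Host.
    #>
    Switch($Object.TypedObject.ToString())
    {
        "Microsoft.SharePoint.Client.Web"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL }
        "Microsoft.SharePoint.Client.ListItem"
        {
            $ObjectType = "List Item/Folder"
            # Item URL = site host + parent list's display form + ?ID=<item id>.
            $Object.ParentList.Retrieve("DefaultDisplayFormUrl")
            $Ctx.ExecuteQuery()
            $DefaultDisplayFormUrl = $Object.ParentList.DefaultDisplayFormUrl
            $ObjectURL = $("{0}{1}?ID={2}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
        }
        Default
        {
            # Anything that is neither a Web nor a ListItem is reported as a list/library.
            $ObjectType = "List/Library"
            $Ctx.Load($Object.RootFolder)
            $Ctx.ExecuteQuery()
            $ObjectURL = $("{0}{1}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $Object.RootFolder.ServerRelativeUrl)
        }
    }

    # Helper: makes a site-supplied value safe for the tab-separated, one-row-per-line report.
    # Titles and group names are content that any contributor/owner can edit: tabs and line
    # breaks are replaced so a row cannot be split or merged, and a leading = + - @ is prefixed
    # with an apostrophe so a spreadsheet opening the .csv does not evaluate it as a formula.
    Function ConvertTo-ReportField([string]$Value)
    {
        $Clean = $Value -replace '[\t\r\n]', ' '
        If ($Clean -match '^[=+\-@]') { $Clean = "'" + $Clean }
        return $Clean
    }

    # Helper: loads the role definitions of $Assignment and appends one report row for it.
    # $Object, $ObjectType and $ObjectURL are read from the enclosing function's scope.
    Function Write-PermissionRow([string]$PermissionType, [Microsoft.SharePoint.Client.RoleAssignment]$Assignment)
    {
        $Ctx.Load($Assignment.RoleDefinitionBindings)
        $Ctx.ExecuteQuery()
        $PermissionNames = @()
        Foreach ($RoleDefinition in $Assignment.RoleDefinitionBindings)
        {
            $PermissionNames += $RoleDefinition.Name + ";"
        }
        $SafeTitle = ConvertTo-ReportField ([string]$Object.Title)
        $SafeType = ConvertTo-ReportField $PermissionType
        "$($ObjectURL) `t $($ObjectType) `t $($SafeTitle)`t $($SafeType) `t $($PermissionNames)" | Out-File $ReportFile -Append
    }

    $Ctx.Load($Object.RoleAssignments)
    $Ctx.ExecuteQuery()

    Foreach($RoleAssignment in $Object.RoleAssignments)
    {
        $Ctx.Load($RoleAssignment.Member)
        $Ctx.ExecuteQuery()
        If($RoleAssignment.Member.PrincipalType -eq "User")
        {
            # Direct grant to the account itself (-eq compares login names case-insensitively).
            If($RoleAssignment.Member.LoginName -eq $SearchUser.LoginName)
            {
                Write-Host  -f Cyan "Found the User under direct permissions of the $($ObjectType) at $($ObjectURL)"
                Write-PermissionRow -PermissionType "Direct Permission" -Assignment $RoleAssignment
            }
        }
        Elseif($RoleAssignment.Member.PrincipalType -eq "SharePointGroup")
        {
            # Grant to a SharePoint group: expand its direct Users and look for the target login.
            $Group = $Web.SiteGroups.GetByName($RoleAssignment.Member.LoginName)
            $GroupUsers = $Group.Users
            $Ctx.Load($GroupUsers)
            $Ctx.ExecuteQuery()
            Foreach($User in $GroupUsers)
            {
                If($User.LoginName -eq $SearchUser.LoginName)
                {
                    Write-Host -f Cyan "Found the User under Member of the Group '$($RoleAssignment.Member.LoginName)' on $($ObjectType) at $($ObjectURL)"
                    Write-PermissionRow -PermissionType "Member of '$($RoleAssignment.Member.LoginName)' Group" -Assignment $RoleAssignment
                }
            }
        }
    }
}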
 
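Try {
    # Authenticate and open the client context for the site collection.
    # SharePointOnlineCredentials is username/password (legacy) authentication; it does not work
    # for accounts that require MFA or in tenants where legacy authentication is disabled.
    $Cred = Get-Credential
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Credentials
    $Web = $Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()

    # Resolve the target account once; Get-Permissions compares against $SearchUser.LoginName.
    $SearchUser = $Web.EnsureUser($UserAccount)
    $Ctx.Load($SearchUser)
    $Ctx.ExecuteQuery()

    # Start a fresh report (any previous file is overwritten) with the tab-separated header.
    "URL `t Object `t Title `t PermissionType `t Permissions" | Out-File $ReportFile

    Write-Host -f Yellow "Searching in the Site Collection Administrators Group..."
    If($SearchUser.IsSiteAdmin -eq $True)
    {
        Write-Host -f Cyan "Found the User under Site Collection Administrators Group!"
        "$($Web.URL) `t Site Collection `t $($Web.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File $ReportFile -Append
    }

    # Scans every item and folder of $List (RecursiveAll) in pages of $BatchSize and runs
    # Get-Permissions on those that break inheritance (HasUniqueRoleAssignments).
    Function Check-SPOListItemsPermission([Microsoft.SharePoint.Client.List]$List)
    {
        Write-Host -f Yellow "Searching in List Items of the List '$($List.Title)..."

        $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
        $Query.ViewXml = "<View Scope='RecursiveAll'><Query><OrderBy><FieldRef Name='ID' Ascending='TRUE'/></OrderBy></Query><RowLimit Paged='TRUE'>$BatchSize</RowLimit></View>"

        # ItemCount only drives the progress bar; clamp to >= 1 so the division cannot throw.
        $TotalItems = [Math]::Max([int]$List.ItemCount, 1)
        $Counter = 0
        Do {
            $ListItems = $List.GetItems($Query)
            $Ctx.Load($ListItems)
            $Ctx.ExecuteQuery()
            $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition

            # Queue the HasUniqueRoleAssignments lookup for the whole page and send it in one
            # round-trip rather than one ExecuteQuery per item.
            ForEach($ListItem in $ListItems)
            {
                $ListItem.Retrieve("HasUniqueRoleAssignments")
            }
            $Ctx.ExecuteQuery()

            ForEach($ListItem in $ListItems)
            {
                If($ListItem.HasUniqueRoleAssignments -eq $true)
                {
                    Get-Permissions -Object $ListItem
                }
                $Counter++
                # Write-Progress rejects PercentComplete above 100, so cap it.
                $Percent = [Math]::Min(100, [int]($Counter / $TotalItems * 100))
                Write-Progress -PercentComplete $Percent -Activity "Processing Items $Counter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"
            }
        } While ($null -ne $Query.ListItemCollectionPosition)
    }

    # Runs the item scan and the list-level check for every non-hidden list of $Web.
    # NOTE: hidden lists are skipped, so unique permissions set on them are not reported.
    Function Check-SPOListPermission([Microsoft.SharePoint.Client.Web]$Web)
    {
        $Lists = $Web.Lists
        $Ctx.Load($Lists)
        $Ctx.ExecuteQuery()
        ForEach($List in $Lists)
        {
            If($List.Hidden -eq $False)
            {
                Check-SPOListItemsPermission -List $List
                $List.Retrieve("HasUniqueRoleAssignments")
                $Ctx.ExecuteQuery()
                If($List.HasUniqueRoleAssignments -eq $True)
                {
                    Get-Permissions -Object $List
                }
            }
        }
    }

    # Checks $Web itself (only when it has unique permissions - an inheriting web gets its
    # access from the parent, which is reported there), then its lists, then each sub-web.
    Function Check-SPOWebPermission([Microsoft.SharePoint.Client.Web]$Web)
    {
        $Ctx.Load($Web.Webs)
        $Ctx.ExecuteQuery()
        Write-Host -f Yellow "Searching in the Web $($Web.URL)..."
        $Web.Retrieve("HasUniqueRoleAssignments")
        $Ctx.ExecuteQuery()
        If($Web.HasUniqueRoleAssignments -eq $true)
        {
            Get-Permissions -Object $Web
        }
        Write-Host -f Yellow "Searching in the Lists and Libraries of $($Web.URL)..."
        Check-SPOListPermission -Web $Web
        ForEach($SubWeb in $Web.Webs)
        {
            Check-SPOWebPermission -Web $SubWeb
        }
    }

    Check-SPOWebPermission -Web $Web

    Write-Host -f Green "User Permission Report Generated Successfully!"
}
Catch {
    # Any authentication, network or CSOM failure lands here; a partial report may remain on disk.
    Write-Host -f Red "Error Generating User Permission Report! $($_.Exception.Message)"
}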

谢谢大家的阅读,希望本文的分享能帮助你生成权限报告,确保对敏感信息的安全访问,并维护SharePoint环境的完整性。