Security Trimming and REST

Security trimming is an important feature in SharePoint. The permissions defined in a site are respected throughout the site, including the APIs. Once you define a permission, it is applied wherever you navigate, and you see (or do not see) the data accordingly.

This also means that if you use the REST API to fetch data from a SharePoint site, the API returns security-trimmed data, so you don't have to apply any additional filter to the query. The same query might return 10 items for one user and 20 items for another, based on each user's permissions on the items.

Now let us say you are trying to get a list of Apps (Libraries and Lists) from a site using REST and displaying it on a page. Assume also that the user "User A" has not been given permission to 5 of the 10 Apps.

How many Apps does User A get to see on the page? Not 5, but all of them. This is similar to the Site Contents page, where a user can see the complete list of Apps regardless of whether they have permission to each App. Only when the user clicks an App they do not have access to is the Access Denied message shown.

So even in this case REST works as expected. Hope this clears up any doubts around security trimming in the REST API.
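
If the page should link only to Apps the current user can actually open, the list response can be filtered on the client. The following is an added example, not code from the original post: it assumes the lists were requested with `/_api/web/lists?$select=Title,EffectiveBasePermissions` and that each entry carries the current user's mask in that property. The function names and the sample response are constructed for illustration.

```javascript
// Added example. hasPermission, splitByAccess and sampleResponse are hypothetical names.
const VIEW_LIST_ITEMS = 1; // SP.PermissionKind.viewListItems

// SP.BasePermissions is a 64-bit mask sent as two 32-bit halves (High, Low),
// usually as strings. Permission kind k (1..64) corresponds to bit k-1.
function hasPermission(perms, kind) {
  if (!perms || kind < 1 || kind > 64) return false; // missing data: deny
  const value = Number(kind <= 32 ? perms.Low : perms.High);
  if (!Number.isInteger(value) || value < 0 || value > 0xffffffff) return false;
  const bit = (1 << ((kind - 1) % 32)) >>> 0;
  return ((value >>> 0) & bit) !== 0;
}

// Separates lists the user can open from lists that would show Access Denied.
// Accepts both the "value" and the verbose "d.results" response shapes.
function splitByAccess(response) {
  const lists = response.value || (response.d && response.d.results) || [];
  const openable = [];
  const denied = [];
  for (const list of lists) {
    const ok = hasPermission(list.EffectiveBasePermissions, VIEW_LIST_ITEMS);
    (ok ? openable : denied).push(list.Title);
  }
  return { openable, denied };
}

// Constructed sample response, as seen by one user.
const sampleResponse = {
  value: [
    { Title: "Documents", EffectiveBasePermissions: { High: "176", Low: "138612833" } },
    { Title: "HR Cases", EffectiveBasePermissions: { High: "0", Low: "0" } },
    { Title: "Announcements", EffectiveBasePermissions: { High: "2147483647", Low: "4294967295" } },
    { Title: "Legacy" }, // property missing: treated as no access
  ],
};

const result = splitByAccess(sampleResponse);
console.log("Render as links:", result.openable);
console.log("Hide or grey out:", result.denied);
```

This filter only changes what the page displays; SharePoint still enforces access on the server when the user opens an App.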
