List permissions on a DriveItem

List the effective permissions of on a DriveItem.

The permissions relationship of DriveItem cannot be expanded as part of a call to get DriveItem or a collection of DriveItems. You must access the permissions property directly.

Access to Permissions

The permissions collection includes potentially sensitive information and may not be available for every caller.

  • For the owner of the item, all permissions will be returned. This includes co-owners.
  • For a non-owner caller, only the permissions that apply to the caller are returned.
  • Permission properties that contain secrets (e.g. shareId and webUrl) are only returned for callers that are able to create the Permission.

Prerequisites

One of the following scopes is required to execute this API:

  • Files.Read
  • Files.ReadWrite

HTTP request

GET /me/drive/items/{item-id}/permissions
GET /me/drive/root:/{path}:/permissions
GET /drives/{drive-id}/items/{item-id}/permissions
GET /groups/{group-id}/drive/items/{item-id}/permissions

Request headers

Name Type Description
if-none-match string If this request header is included and the etag provided matches the current etag on the item, an HTTP 304 Not Modified response is returned.

Optional query parameters

This method supports the OData Query Parameters to help customize the response.

Request body

Do not supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and collection of Permission resources in the response body.

Effective permissions of an item can come from two sources:

  • Permissions applied directly on the item itself
  • Permissions inherited from the item's ancestors

Callers can differentiate if the permission is inherited or not by checking the inheritedFrom property. This property is an itemReference resource referencing the ancestor that the permission is inherited from.

Example

Request

Here is an example of the request.

GET https://graph.microsoft.com/beta/me/drive/items/{item-id}/permissions
Response

Here is an example of the response.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "value": [
    {
      "id": "1",
      "roles": ["write"],
      "link": {
        "webUrl": "https://onedrive.live.com/redir?resid=5D33DD65C6932946!70859&authkey=!AL7N1QAfSWcjNU8&ithint=folder%2cgif",
        "type": "edit"
      }
    },
    {
      "id": "2",
      "roles": ["write"],
      "grantedTo": {
        "user": {
          "id": "5D33DD65C6932946",
          "displayName": "John Doe"
        }
      },
      "inheritedFrom": {
        "driveId": "1234567890ABD",
        "id": "1234567890ABC!123",
        "path": "/drive/root:/Documents" }
    },
    {
      "id": "3",
      "roles": ["write"],
      "link": {
        "webUrl": "https://onedrive.live.com/redir?resid=5D33DD65C6932946!70859&authkey=!AL7N1QAfSWcjNU8&ithint=folder%2cgif",
        "type": "edit",
        "application": {
          "id": "12345",
          "displayName": "TimeTravelPlus"
        }
      }
    }
  ]
}

See Get permission for more details on retrieving a single permission resource.