SharePoint - Files.SelectedOperations.Selected Support
Answered
Which connector?:
SharePoint
Additional details:
With the SharePoint connector, we have the ability to access via a Service Principal using Sites.Selected; however, there are some sites where we'd like to have Fivetran access only specific files.
I have tested that granting the Service Principal access to Files.SelectedOperations.Selected works great when hitting the Graph API; however, failures happen in Fivetran when attempting to set this up. Wondering if "SelectedOperations" will be supported now that Microsoft has released these more granular permissions?
Official comment
Hi Nicholas,
Thank you for outlining your SharePoint scenario with Files.SelectedOperations.Selected.
At this time, the connector does not support this level of granular access. To help us better assess your use case, could you clarify whether you want the Service Principal to have access to specific files or to a specific folder? Based on our current understanding, the connector would likely still need permission to traverse an encompassing folder in order to locate and sync the intended files.
If you can share a bit more about how permissions are currently configured, that will help us better understand the gap and evaluate possible options. We are also keeping an eye on Microsoft’s enhancements in this area and will assess support for SelectedOperations based on customer demand and technical feasibility.
Thanks,
Parmeet
Hi Parmeet!
Since Microsoft supports scoping the permissions to either the file or the folder, I'd love to say it would be beneficial to have both, but we could probably get by with just folder as a consolation.
Full setup:
1) Created a new app registration
2) Added Files.SelectedOperations.Selected, applied consent
3) Found the IDs of the site/list/list item and (using the Graph Explorer) issued a POST (using a user with appropriate privileges on the SharePoint file itself) to add the principal to the permissions.
POST https://graph.microsoft.com/v1.0/sites/{SITE_GUID}/lists/{LIST_GUID}/items/14/driveItem/permissions
{
  "roles": [
    "read"
  ],
  "grantedTo": {
    "application": {
      "id": "{SERVICE PRINCIPAL APP ID}"
    }
  }
}
Right now, I have granted both to a file and a folder for testing purposes. When calling the Graph API to enumerate files as the principal (using PowerShell's Get-MgSiteListItem and supplying the site id/list id), I'm able to successfully enumerate ONLY the files & folder the principal has access to inside of the list. I don't have an easy way to test this using a file/folder's share URL, similar to how Fivetran is set up today, but the Graph API itself seems to be returning the appropriate information.
Not sure if that helps or not, feel free to reach out if you're looking for any more info!
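Added example, not part of the thread or of Fivetran's code: a Python check that audits the outcome of the setup described in the reply above, confirming the principal enumerates only the intended items and holds no role beyond read. The app ID, item IDs and permission entries are constructed placeholders, and the response shape is assumed to mirror the grantedTo body used in the POST.

```python
import json

APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder app (client) ID

# Constructed sample data, not output captured from a real tenant.
# VISIBLE: list item IDs the principal enumerated (e.g. via Get-MgSiteListItem).
# PERMS: per item, the entries from GET .../items/{id}/driveItem/permissions,
# assumed to mirror the grantedTo shape of the POST body in the thread.
VISIBLE = ["14", "22", "31"]
GRANTED = {"14", "22"}  # items deliberately shared with the app
PERMS = json.loads("""{
  "14": [{"roles": ["read"], "grantedTo": {"application": {"id": "00000000-0000-0000-0000-000000000001"}}}],
  "22": [{"roles": ["read", "write"], "grantedToV2": {"application": {"id": "00000000-0000-0000-0000-000000000001"}}}],
  "31": [{"roles": ["read"], "grantedTo": {"user": {"id": "constructed-user"}}}]
}""")


def app_roles(entries, app_id):
    """Collect every role the given application holds across permission entries."""
    roles = set()
    for entry in entries:
        for key in ("grantedTo", "grantedToV2"):
            app = (entry.get(key) or {}).get("application") or {}
            if app.get("id", "").lower() == app_id.lower():
                roles.update(entry.get("roles", []))
    return roles


def audit_scope(visible, granted, perms, app_id, allowed=frozenset({"read"})):
    """Return findings where the principal sees or holds more than intended."""
    findings = []
    for item in sorted(set(visible) - set(granted)):
        findings.append((item, "visible but not in the intended grant list"))
    for item in sorted(set(granted) - set(visible)):
        findings.append((item, "granted but not visible to the principal"))
    for item in sorted(granted):
        extra = app_roles(perms.get(item, []), app_id) - allowed
        if extra:
            findings.append((item, "roles beyond read: " + ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for item, problem in audit_scope(VISIBLE, GRANTED, PERMS, APP_ID):
        print(f"item {item}: {problem}")
```

An empty result means the enumeration matches the grant list exactly and every grant is read-only.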