What is a one sentence summary of your feature request?
Enhance the “SharePoint Online Object Permissions” by providing the ability to include child objects
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
I would like the “SharePoint Online Object Permissions” report to be enhanced, providing the ability to include child objects of the specified “Object Path” parameter.
The issue is that audits of SharePoint, the Document Center in my specific use case, are not possible with Netwrix because there is no single report that accounts for ALL the following:
1.) Permissions on the object specified in the “Object Path” parameter. In this use case it is an area (folder) in our Document Center.
2.) Permissions on child objects assigned by breaking inheritance.
3.) Permissions on child objects assigned by Sharing the object (internal or external).
I need to generate a single report that I can hand to the Owners of each respective area that shows them who has access to everything in their specific area. I have been unable to find a way to accomplish this with the existing reports in Auditor.
How do you currently solve the challenges you have by not having this feature?
At the moment, I am trying to hack up the TSQL generated by this report but I am not having much luck. Other than that, I don’t have a way to accomplish what I need to do.
That’s a great idea! I’m curious how you picture it working in practice.
One option could be to add a link in the report details to a separate report listing all objects whose parent is the specified object, and then let the user click on any child object to jump back into the Object Permissions report for that child.
We’d also need to think about performance and usability. For example, if a single parent has a very large number of child objects, the report might struggle to display them all. Maybe we could limit it to the first 2,000 objects, or perhaps you have another approach in mind?
I’d love to hear your thoughts.
The challenge is that the Object Permissions report is quite complex and not so easy to replicate.
For a report like this, I would just have it export to a simple Excel file or a CSV. I would not even worry about a nice looking SSRS report because the use case for this involves looking at data in bulk and being able to filter by multiple columns. For example, I am going to apply the Filter feature in Excel and then look at the dropdown to see if there are any users that I am not anticipating having access to anything in my area. If I find any, I am going to filter by user to see what they have access to and how.
I was able to modify the report to have it give me what I need and I just copied the results from SSMS to Excel, ordered by ObjectPath and AccountName, and called it a day. Honestly, a nicely formatted SSRS report would not do me any good in this case.
As far as performance, that is what I am looking into, now that I have the results that I need.
I ended up modifying the report TSQL to output 2 datasets:
1.) A list of all users with access to the specified location (which includes all child objects) and a count of the number of items that they have access to.
2.) A detail report that contains a record for each object and each user that has access to that object. ** Because of the potential volume, this dataset does NOT contain Document or List Item objects.
The process I put together is to run this report for each site, use the first dataset to identify suspicious accounts with access, then use the 2nd dataset to see what they have access to. If the person doing the audit wants more detail on a user, or they do not show up in the 2nd dataset because they only have access to Document and/or List Item objects, they can run a canned report for just that user/location.
This was all fine and well until I found out that this report does NOT include permissions granted via sharing, only permissions granted directly. So now I am working on modifying the TSQL for “Account Permissions in SharePoint Online” so that it can include ALL users, as support told me that report DOES include permissions granted via Sharing.
In any event, that is going to be the process. User report, and a detail report that excludes Documents and List Items to keep the volume low, then use the detail reports to drill down further as needed.
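The two-dataset review process described in this thread, sketched as an added example that is not part of any post and is not Netwrix's report TSQL. It assumes the permissions have already been exported to a flat CSV; `ObjectPath` and `AccountName` come from the thread, while the `ObjectType` and `GrantedVia` column names, the sample rows and the expected-account list are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; ObjectType and GrantedVia are assumed columns.
SAMPLE = """ObjectPath,ObjectType,AccountName,GrantedVia
/sites/dc/Finance,Folder,alice@example.com,Direct
/sites/dc/Finance/Budgets,Folder,alice@example.com,Inherited
/sites/dc/Finance/Budgets,Folder,bob@example.com,Broken inheritance
/sites/dc/Finance/Budgets/fy25.xlsx,Document,guest@example.org,Sharing
/sites/dc/Finance/Budgets/fy25.xlsx,Document,alice@example.com,Inherited
/sites/dc/FinanceArchive,Folder,carol@example.com,Direct
"""
HIGH_VOLUME = {"Document", "List Item"}  # left out of the detail dataset

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def under(path, root):
    # Match the root and its children only, so /Finance does not also
    # pull in /FinanceArchive. Case-insensitive comparison is an assumption.
    path, root = path.casefold(), root.rstrip("/").casefold()
    return path == root or path.startswith(root + "/")

def user_summary(rows, root):
    """Dataset 1: each account and how many objects it can reach."""
    objs = defaultdict(set)
    for r in rows:
        if under(r["ObjectPath"], root):
            objs[r["AccountName"]].add(r["ObjectPath"])
    return {acct: len(paths) for acct, paths in objs.items()}

def detail(rows, root):
    """Dataset 2: one row per object and account, minus high-volume types."""
    keep = [r for r in rows
            if under(r["ObjectPath"], root) and r["ObjectType"] not in HIGH_VOLUME]
    return sorted(keep, key=lambda r: (r["ObjectPath"], r["AccountName"]))

def review_list(rows, root, expected):
    """Accounts the area owner did not expect, flagged when they are absent
    from dataset 2 and so need the per-user report for a drill-down."""
    in_detail = {r["AccountName"] for r in detail(rows, root)}
    return {acct: {"objects": n, "needs_per_user_report": acct not in in_detail}
            for acct, n in sorted(user_summary(rows, root).items())
            if acct not in expected}
```

An account that holds access only through a shared document, like the guest in the sample, appears in the summary but not in the detail rows, which is the case the per-user report covers.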