Summary
The SharePoint REST API method createDefaultAssociatedGroups throws exception "Access Denied" for modern sites (if the setting "No Script Site" is set to true, which is the default).
This is a duplicate of https://github.com/pnp/pnpjs/issues/1575, please kindly read the discussion there before closing this one. It's not about pnp-js, it's about core share point API, reproducible with any client library (powershell, pnp, csom). I'm highlighting this because the previous issue has been closed as unrelated, and I have been told it's okay to create another one with proper example in REST API, so here it is basically.
Steps to reproduce (REST API)
#### create a site
POST /_api/web/webs/add
{"parameters":{
"__metadata":{"type":"SP.WebCreationInformation"},
"Url":"child",
"Title":"My Site",
"Description":"My Description",
"Language":1033,
"UseSamePermissionsAsParentSite":false,
"WebTemplate":"STS#3"
}
}
#### create default groups
POST /child/_api/web/createDefaultAssociatedGroups(userLogin='',userLogin2='',groupNameSeed='') <<< 403 here
Basically, the issue is that the call to createDefaultAssociatedGroups results in 403: Access denied for farm admin.
Important notice: If you allow custom scripts (???), the call works.
The CSOM calls also behaves the same way:
Web newWeb = ctx.Web.CreateWeb("My Site", "child", "My Description", "STS#3", 1033, false);
ctx.ExecuteQuery();
newWeb.CreateDefaultAssociatedGroups("", "", "");
ctx.ExecuteQuery(); // <<< 403 here
For the pnp-js example please check the linked issue.
Expected behavior
The call to create default groups for a site works regardless of the scripting setting. For the farm (global) admin, at least.
If you do it from UI manually (using /_layouts/permsetup.aspx page) then it works regardless of the "custom scripts" setting.
Category
Describe the bug
Summary The SharePoint REST API method createDefaultAssociatedGroups throws exception "Access Denied" for modern sites (if the setting "No Script Site" is set to true, which is the default).
This is a duplicate of https://github.com/pnp/pnpjs/issues/1575, please kindly read the discussion there before closing this one. It's not about pnp-js, it's about core share point API, reproducible with any client library (powershell, pnp, csom). I'm highlighting this because the previous issue has been closed as unrelated, and I have been told it's okay to create another one with proper example in REST API, so here it is basically.
Steps to reproduce (REST API)
Basically, the issue is that the call to
createDefaultAssociatedGroups
results in 403: Access denied for farm admin. Important notice: If you allow custom scripts (???), the call works.The CSOM calls also behaves the same way:
For the pnp-js example please check the linked issue.
Expected behavior
The call to create default groups for a site works regardless of the scripting setting. For the farm (global) admin, at least.
If you do it from UI manually (using /_layouts/permsetup.aspx page) then it works regardless of the "custom scripts" setting.
Environment details (development & target environment)
Additional information
Related issue on stackoverflow (for CSOM access) https://sharepoint.stackexchange.com/questions/240933/why-would-createdefaultassociatedgroups-stop-to-serverunauthorizedaccessexceptio