Open seanstory opened 11 months ago
see also: https://github.com/elastic/enterprise-search-team/issues/5958#issuecomment-1749345067
- Everyone -> `c:0(.s|true`
- Everyone except external users -> `c:0-.f|rolemanager|spo-grid-all-users/<tenant_id>`
- Group members -> `c:0o.c|federateddirectoryclaimprovider|<group_guid>`
- Group Owners -> `c:0o.c|federateddirectoryclaimprovider|<group_guid>`
- "Company Administrator" in SharePoint Admin console -> `c:0t.c|tenant|<UNKNOWN-GUID>`
- An O365 user -> `i:0#.f|membership|<USER-EMAIL>`

This issue already mentions the `c:0-.f|rolemanager|spo-grid-all-users` and `c:0t.c|tenant` prefixes, but the "everyone" groups are something we haven't discussed for DLS.
Bug Description
When syncing our internal SPO, I found that the admin user didn't have access to a number of records. https://enterprisesearch.sharepoint.com/sites/contentTypeHub 's site document had an empty `_allow_access_control` array, meaning nothing would be able to search it. Debugging with `GET https://enterprisesearch.sharepoint.com/sites/contentTypeHub/_api/web/roleassignments/?$expand=Member/users,RoleDefinitionBindings`, this seems to be because there are no Role Assignments that we recognize as people or groups. However, SPO says that the admin user should be able to access this site:

I believe (but cannot confirm) that this user should be expandable into a group of administrators.
Looks like this group's memberships can be looked up with:
though this requires scopes that our app currently doesn't contain (tested with the graph explorer).
Another user that doesn't result in any ACL entry:
Another role assignment that doesn't result in granting demo@enterprisesearch.onmicrosoft.com access:

This is interesting, because `ff59b3b8-8cc6-4fab-a038-4b57b1c81ebe_o` isn't actually a valid group ID - the `_o` suffix ruins it. I'm wondering if `_o` means "owners" because contains demo@enterprisesearch.onmicrosoft.com, but `/members` does not, and the check permissions UI says that it's this RoleBinding that grants the user access to https://enterprisesearch.sharepoint.com/sites/sean-test-2/. https://stackoverflow.com/a/72014467/2479282 seems to agree with this theory.
To Reproduce
Steps to reproduce the behavior:
1. demo@enterprisesearch.onmicrosoft.com user can't access
2. query for sites the user can't access
3. grab the permissions array from the user's ACL index document.

```
GET search-test/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "object_type.enum": { "value": "site" } } },
        {
          "bool": {
            "must_not": [
              {
                "bool": {
                  "filter": {
                    "bool": {
                      "should": [
                        {
                          "terms": {
                            "_allow_access_control.enum": [
                              "group:c026624d-cf36-45cf-be33-e2f0faa1315b", "group:51dd9d81-5976-4245-943c-5d0736babd02", "group:155f1c33-4c3b-4108-af69-bb6738f937a9", "group:e4d056b9-5edb-4153-9e39-58bb305d69ff", "group:c185052c-5c1c-4c87-a6f5-fdeaf0d65a5a", "group:b8378e68-9613-4fba-b10f-71b15dd0b62b", "group:206e934c-db31-4779-9363-ca6a141d2c08", "group:fb57df61-b8ec-43d3-bd6c-529199613904", "group:fa55ba51-0c7a-47ee-9f51-b23c2e3d71e8", "group:bd081999-67ce-4036-b5d0-8a2cc6673b93", "group:18a936ed-0ec6-48b8-b9e1-598bc7f0e1fe", "group:d3d8f3e0-388f-4fc8-9b07-15dccabc2c89", "group:3c8ecdf1-e687-4fd7-941b-b2ad2a69acbb", "group:306c4915-0254-4ac6-b387-34c886d94f61", "group:7ce0ff59-995c-4d67-9918-390af827abd7", "group:92ea23dd-226f-41aa-9d3b-29c6aad74be8", "email:demo@enterprisesearch.onmicrosoft.com", "group:62b87e4a-ed76-4a8b-b8a9-9e13c5c5bb66", "group:dff0a8ce-6100-46f1-8eee-e95b223fb98f", "group:3fe1f669-84ea-4aee-9975-017e96691551", "group:2e23fe2d-9e3c-4ecc-8ccd-94eaefda96c7", "group:ad2808b7-4f3c-4cfa-929b-dd8b940f997a", "group:1a864150-702b-4787-b42b-b9409e51d11a", "group:6743d0af-2527-4d29-9cb2-40710f62c84b", "group:b893fe36-0e79-4c86-a87d-93c96045dd7a", "group:05918f39-5c48-4fdb-a438-f7380babfd19", "group:ca7eb827-2a21-4b9a-80a2-2ca2860c7a3e", "group:e787aede-afe3-4778-a1df-93047933ee1a", "user_id:baa37bda-0dd1-4799-ae22-f3476c2cf58d", "group:f2430f7c-f0dd-452a-8360-02a86fd7d9b0", "group:54d551c4-c02b-44d1-b540-6aefa12af4cc", "group:21d2c8c0-cb0a-4209-b4fa-56b71b0bc670", "group:ede26346-3aff-470c-98dc-388032f25ef5", "group:57e6a1e5-84b8-43e2-9f26-7c0d62a01632", "group:f811221d-89de-414c-b3ac-ebae7e85bad1", "group:a1148980-e87b-4ab0-b2dc-01f706402d82",
                              "group:acaa08f6-0f09-4ef0-924d-83d003825fa0", "group:fd5dce67-b434-4663-b0d5-064faf46de06", "group:40c80d09-9e34-4f38-88af-ad67f16019af", "group:ef95ebfa-cb17-41a6-9127-bf55c5e15323", "group:117f2376-d09c-45a7-8535-bf641d0286f9", "group:56eafa5e-f932-4085-b838-bce6d34f4895", "group:44811335-b264-4f66-9001-913f7805d7be", "group:8e1f0ac5-f55e-4282-bc4f-90f838f319ce", "group:634d0f97-5289-4a8c-8ea3-265d1d2c3e0f", "group:2f54b181-9a08-4052-8ca3-eec503523420", "group:48fef3a4-9a3c-4657-a499-e34d78540a76", "group:ba26b5de-3e2f-48c2-b0af-3c9da74ac4a8", "group:730ef41e-8b9e-4975-b9c1-1d23858b9984", "group:68e9fb9e-2e5e-4b54-8425-1173e7999e7c", "group:79cbf128-a609-4b76-b9d5-a0590d9af520", "group:9fb70825-1c68-4682-93df-3390d220654c", "group:11652832-591b-4699-83b5-35156a2e4e0c", "group:12ddeeea-f0af-4d98-a8dc-984511814996", "group:b8b562ce-70ee-4686-b9c7-9bbd33e7dc57", "group:d9cf0037-0942-4f41-9095-cd37b96f1284", "group:b7d6765f-30a1-4b34-815d-107da6f26bb9", "group:0e744efc-7382-4b3c-9bc0-88c0753269b3", "group:2dd20801-173e-4faa-b6c9-5ebcb23c673e", "group:97ba91c7-7fd2-4cea-90c6-350f4a475edf", "group:93811514-5f41-4a0d-b34e-5b98fd3c266e", "group:41129dc5-b333-4888-b6ac-a97abe28acd0", "group:495ad027-277b-45a7-938b-ccc32b832e2c", "group:6fc24322-9bb3-4261-8f5d-1beb708dde40", "group:a2183e8a-7124-48c3-8ec9-4e6564580281", "group:c731144f-b757-4682-ad38-56785a5b04a0", "group:99efbef7-b757-4690-88fa-50aff4a9f493", "group:b249a1c1-3bf1-45ca-88d5-3216b1bbdc74", "group:072d18e2-ec71-4e6d-a4c9-a0b9a62fe318", "group:c4b18f54-eae5-4784-9c8b-419566081e8e", "group:31eb6abe-1bab-482b-aa17-fd3ab458106d", "group:9a996e01-3889-4928-a13d-95e527a916e2", "group:81f61e39-339f-43a6-931f-ae0cb88ec072", "group:361ba014-23e0-4082-b661-31180b4203a6", "group:f463e767-c160-4b9c-a054-55ea667e7510", "group:c2da25ce-7ebe-4376-8fda-9108cc97d970", "group:731ed647-5796-485f-b0df-4cef55037fcc", "group:b3701ab0-2645-42d7-a63e-713c83b23110", "group:4f04c467-d8fe-43bc-bf05-45d96810c118",
                              "group:eaeda2fa-bcec-448d-a846-370666bf2a10", "group:6e0afe9e-915b-44ca-a90c-1252828f0d47", "group:5ee45c29-53f9-4cf0-9daf-4d43f6c0d4b3", "group:766e89bc-f498-46b9-b036-b49e53110d05", "group:33fd1f9c-2c5b-4c9f-9260-9826eb7a4bc2", "group:0da5d129-435f-4904-8195-447394351f67", "group:5d3aac68-b5ec-4088-8a34-a7ae31cdde54", "user:demo@enterprisesearch.onmicrosoft.com", "group:4d584612-4763-40fd-b641-991ce3d57a2b", "group:ac7646ca-a2e0-4280-bf3c-96b2d5614c1e", "group:94d5db97-58ba-4b11-b9f9-c0afa3914ad8", "group:0b8f23d5-2664-49c3-b8f3-a9da224d9c87", "group:97d055cf-5cdf-4e5e-b383-f01ed3a8844d", "group:08c1ad4e-c01a-4307-ac71-56c74e4b6130", "group:4c304a95-d08b-471a-af34-c47906af1351", "group:2df6206d-0963-4bd7-a8c2-e9e9a08b6b31", "group:c4ab28f1-ba34-4551-b110-1795fb1135d3", "group:98a5a0f5-96d8-4337-94c2-0965885b8982", "group:9f43a243-89b9-4c1e-a785-5c230a80a709", "group:748cd744-08ba-4866-9d05-70eea6cc30ec", "group:9ede5c5f-e34f-404a-875b-42cda61a64cc", "group:3413acd4-ceb8-43a2-a7f4-57aacb805d23", "group:cee8e675-44f2-4e27-b3c6-bccf9e22479e", "group:909bd04f-9070-4543-8a82-ee3ecbfa6971", "group:d74840d6-dab0-428a-bdc8-696f66252788", "group:abd6965d-b777-4b3d-a121-ca005d02477f", "group:f2f81ac7-4edc-4cd5-87ab-3094290c88c6", "group:23b9fc60-45f0-4b86-8c54-c1b564b5eeaa", "group:d75fcfe8-9448-49bf-950c-258a8ec062af", "group:95510376-6058-48b5-b86d-0c8a42d0e20f", "group:b2960488-04e3-4b6c-b9c9-e47599c63ad6", "group:7ae2391f-9ae9-4097-af6b-9eeb6ff4b152", "group:6f55b198-aaf7-4c06-bdc0-d536675bea29", "group:846f1ddb-4590-4c14-9439-da58632b6b0a", "group:595fa123-8ad4-47fc-a676-6245c2da35dc", "group:58807eda-7b50-4491-a3bc-4859166c93d4", "group:0476e6a2-b31e-4b5c-9aa6-daa56ebccefc", "group:d0a40e89-f63b-44c8-a80c-7b6342de9b20"
                            ]
                          }
                        }
                      ]
                    }
                  }
                }
              }
            ]
          }
        }
      ]
    }
  },
  "_source": ["webUrl"]
}
```

Expected behavior
demo@enterprisesearch.onmicrosoft.com user should have an ACL list that maps to this group

demo@enterprisesearch.onmicrosoft.com user doesn't have access to should result only in entities that that user can't actually visit in the browser

Environment
8.11.0-SNAPSHOT
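Added example (not code from this issue or from the connectors project) covering the claim-encoding table at the top of the issue and the `_o` suffix theory: a parser that classifies SharePoint `LoginName` values by the prefixes listed there and turns the ones that map one-to-one onto `group:<guid>` / `user:<email>` entries into an `_allow_access_control` list. The `_o`-means-owners handling is the issue's hypothesis, not a confirmed rule; "everyone", owners and tenant-admin principals are returned as unresolved instead of being dropped, so a site never ends up with a silently empty ACL. All GUIDs, the tenant id and the e-mail address are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample LoginName values in the claim encoding listed in the issue.
# The GUIDs, tenant id and e-mail address are made-up placeholders.
SAMPLE_LOGIN_NAMES = [
    "c:0(.s|true",                                                                   # Everyone
    "c:0-.f|rolemanager|spo-grid-all-users/11111111-2222-3333-4444-555555555555",    # Everyone except external
    "c:0o.c|federateddirectoryclaimprovider|aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",    # group members
    "c:0o.c|federateddirectoryclaimprovider|aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee_o",  # group owners (_o hypothesis)
    "c:0t.c|tenant|ffffffff-0000-1111-2222-333333333333",                            # "Company Administrator"
    "i:0#.f|membership|Demo@example.onmicrosoft.com",                                # an O365 user
    "c:0-.f|rolemanager|some-other-role",                                            # not a recognised encoding
]

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)


@dataclass(frozen=True)
class Principal:
    kind: str        # everyone | everyone_except_external | group | group_owners | tenant_admins | user
    value: str = ""  # GUID, tenant id or e-mail; empty for "everyone"


def parse_login_name(login_name: str) -> Optional[Principal]:
    """Classify one claim-encoded LoginName; None when the encoding is not recognised."""
    if login_name == "c:0(.s|true":
        return Principal("everyone")
    if login_name.startswith("c:0-.f|rolemanager|spo-grid-all-users/"):
        tenant_id = login_name.rsplit("/", 1)[1]
        return Principal("everyone_except_external", tenant_id.lower()) if GUID_RE.match(tenant_id) else None
    if login_name.startswith("c:0o.c|federateddirectoryclaimprovider|"):
        ident = login_name.split("|", 2)[2]
        # Hypothesis from the issue: a trailing "_o" marks the *owners* of the group,
        # so it is split off instead of being treated as part of the (then invalid) GUID.
        if ident.endswith("_o"):
            guid = ident[:-2]
            return Principal("group_owners", guid.lower()) if GUID_RE.match(guid) else None
        return Principal("group", ident.lower()) if GUID_RE.match(ident) else None
    if login_name.startswith("c:0t.c|tenant|"):
        guid = login_name.split("|", 2)[2]
        return Principal("tenant_admins", guid.lower()) if GUID_RE.match(guid) else None
    if login_name.startswith("i:0#.f|membership|"):
        email = login_name.split("|", 2)[2]
        return Principal("user", email.lower()) if "@" in email else None
    return None


def build_allow_access_control(login_names: List[str]) -> Tuple[List[str], List[Principal]]:
    """Map role-assignment LoginNames to `_allow_access_control` entries.

    Only principals that map one-to-one onto an entry ("group:<guid>", "user:<email>")
    are emitted. Everyone, owners and tenant admins come back as *unresolved* so the
    caller can expand them through a directory lookup or at least log them, instead of
    producing an empty array that locks every searcher out of the document.
    """
    entries: List[str] = []
    unresolved: List[Principal] = []
    for name in login_names:
        principal = parse_login_name(name)
        if principal is None:
            continue  # unknown encoding: grant nothing, never guess
        if principal.kind == "group":
            entries.append(f"group:{principal.value}")
        elif principal.kind == "user":
            entries.append(f"user:{principal.value}")
        else:
            unresolved.append(principal)
    return sorted(set(entries)), unresolved


if __name__ == "__main__":
    acl, pending = build_allow_access_control(SAMPLE_LOGIN_NAMES)
    print("ACL entries:", acl)
    print("needs expansion:", [(p.kind, p.value) for p in pending])
```

Unknown encodings are skipped rather than mapped to anything, and the unresolved list is the signal to act on: a site whose only role assignments are "everyone" or an owners group would otherwise sync with an empty ACL, which is exactly the contentTypeHub symptom.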
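Added example (not code from this issue or from the connectors project) for the reproduction steps and the empty-ACL symptom: it builds the "sites this user can't access" query from a user's ACL list, reduced to the equivalent shape of the one above (`must_not` over a single `terms` clause instead of the nested `bool`/`filter`/`should`), and evaluates the same rule in memory over a few constructed index documents so the fail-closed behaviour of an empty `_allow_access_control` array is visible without a cluster. The document contents and the user's ACL entries are constructed placeholders; only the site URLs are taken from the issue.

```python
from typing import Dict, Iterable, List

# Constructed sample documents in the shape of the issue's `search-test` index.
# URLs follow the issue; the ACL entries are made-up placeholders.
SAMPLE_DOCS = [
    {"webUrl": "https://enterprisesearch.sharepoint.com/sites/contentTypeHub",
     "object_type": "site", "_allow_access_control": []},                      # empty: nobody can see it
    {"webUrl": "https://enterprisesearch.sharepoint.com/sites/sean-test-2",
     "object_type": "site", "_allow_access_control": ["group:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]},
    {"webUrl": "https://enterprisesearch.sharepoint.com/sites/public",
     "object_type": "site", "_allow_access_control": ["user:demo@example.onmicrosoft.com"]},
    {"webUrl": "https://enterprisesearch.sharepoint.com/sites/sean-test-2/Shared%20Documents/a.docx",
     "object_type": "file", "_allow_access_control": []},                      # not a site: outside the query
]

# Constructed: the permissions array from one user's access-control document.
USER_ACL = [
    "user:demo@example.onmicrosoft.com",
    "group:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
]


def sites_user_cannot_access_query(user_acl: Iterable[str]) -> Dict:
    """Query from the repro steps in its equivalent reduced shape: every `site`
    document whose _allow_access_control shares no entry with the user's ACL."""
    return {
        "query": {"bool": {"must": [
            {"term": {"object_type.enum": {"value": "site"}}},
            {"bool": {"must_not": [
                {"terms": {"_allow_access_control.enum": list(user_acl)}},
            ]}},
        ]}},
        "_source": ["webUrl"],
    }


def user_can_see(doc: Dict, user_acl: Iterable[str]) -> bool:
    """Local equivalent of the DLS filter. A missing or empty _allow_access_control
    grants nothing, which is why the contentTypeHub site was invisible to the admin."""
    allowed = doc.get("_allow_access_control") or []
    return not set(allowed).isdisjoint(user_acl)


def find_unreachable_sites(docs: Iterable[Dict], user_acl: Iterable[str]) -> List[str]:
    """Evaluate the query in memory: webUrl of every site the user cannot see."""
    acl = set(user_acl)
    return [d["webUrl"] for d in docs if d.get("object_type") == "site" and not user_can_see(d, acl)]


if __name__ == "__main__":
    import json
    print(json.dumps(sites_user_cannot_access_query(USER_ACL), indent=2))
    print("unreachable:", find_unreachable_sites(SAMPLE_DOCS, USER_ACL))
```

Every URL `find_unreachable_sites` returns is one the user should also be unable to open in the browser; a URL that shows up here but opens fine is a missed role-assignment mapping of the kind this issue is about.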