elastic / connectors

Source code for all Elastic connectors, developed by the Search team at Elastic, and home of our Python connector development framework
https://www.elastic.co/guide/en/enterprise-search/master/index.html

[SPO] some role assignments don't result in access control #1705

Open seanstory opened 11 months ago

seanstory commented 11 months ago

Bug Description

When syncing our internal SPO, I found that the admin user didn't have access to a number of records.

I believe (but cannot confirm) that this user should be expandable into a group of administrators:

```
{
    "odata.type": "SP.User",
    "odata.id": "https://enterprisesearch.sharepoint.com/sites/contentTypeHub/_api/Web/GetUserById(7)",
    "odata.editLink": "Web/GetUserById(7)",
    "Id": 7,
    "IsHiddenInUI": false,
    "LoginName": "c:0t.c|tenant|ede26346-3aff-470c-98dc-388032f25ef5",
    "Title": "Company Administrator",
    "PrincipalType": 4,
    "Email": "",
    "Expiration": "",
    "IsEmailAuthenticationGuestUser": false,
    "IsShareByEmailGuestUser": false,
    "IsSiteAdmin": true,
    "UserId": null,
    "UserPrincipalName": null
},
```

Looks like this group's memberships can be looked up with:

```
GET https://graph.microsoft.com/v1.0/directoryRoles/ede26346-3aff-470c-98dc-388032f25ef5/members
```

though this requires scopes that our app currently doesn't contain (tested with the graph explorer).

```
{
    "odata.type": "SP.User",
    "odata.id": "https://enterprisesearch.sharepoint.com/sites/sean-test-2/_api/Web/GetUserById(6)",
    "odata.editLink": "Web/GetUserById(6)",
    "Id": 6,
    "IsHiddenInUI": true,
    "LoginName": "c:0o.c|federateddirectoryclaimprovider|ff59b3b8-8cc6-4fab-a038-4b57b1c81ebe_o",
    "Title": "sean-test-2 Owners",
    "PrincipalType": 4,
    "Email": "sean-test-2@enterprisesearch.onmicrosoft.com",
    "Expiration": "",
    "IsEmailAuthenticationGuestUser": false,
    "IsShareByEmailGuestUser": false,
    "IsSiteAdmin": true,
    "UserId": null,
    "UserPrincipalName": null
},
```

This is interesting, because `ff59b3b8-8cc6-4fab-a038-4b57b1c81ebe_o` isn't actually a valid group ID - the `_o` suffix ruins it. I'm wondering if `_o` means "owners" because

```
GET https://graph.microsoft.com/v1.0/groups/ff59b3b8-8cc6-4fab-a038-4b57b1c81ebe/owners
```

contains demo@enterprisesearch.onmicrosoft.com, but /members does not, and the check permissions UI says that it's this RoleBinding that grants the user access to https://enterprisesearch.sharepoint.com/sites/sean-test-2/.

https://stackoverflow.com/a/72014467/2479282 seems to agree with this theory.

To Reproduce

Steps to reproduce the behavior:

  1. Sync SPO
  2. look for sites with no access control
  3. look for anything that the demo@enterprisesearch.onmicrosoft.com user can't access
Query for sites the user can't access (grab the permissions array from the user's ACL index document):

```
GET search-test/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "object_type.enum": { "value": "site" } } },
        {
          "bool": {
            "must_not": [
              {
                "bool": {
                  "filter": {
                    "bool": {
                      "should": [
                        {
                          "terms": {
                            "_allow_access_control.enum": [
                              "group:c026624d-cf36-45cf-be33-e2f0faa1315b", "group:51dd9d81-5976-4245-943c-5d0736babd02",
                              "group:155f1c33-4c3b-4108-af69-bb6738f937a9", "group:e4d056b9-5edb-4153-9e39-58bb305d69ff",
                              "group:c185052c-5c1c-4c87-a6f5-fdeaf0d65a5a", "group:b8378e68-9613-4fba-b10f-71b15dd0b62b",
                              "group:206e934c-db31-4779-9363-ca6a141d2c08", "group:fb57df61-b8ec-43d3-bd6c-529199613904",
                              "group:fa55ba51-0c7a-47ee-9f51-b23c2e3d71e8", "group:bd081999-67ce-4036-b5d0-8a2cc6673b93",
                              "group:18a936ed-0ec6-48b8-b9e1-598bc7f0e1fe", "group:d3d8f3e0-388f-4fc8-9b07-15dccabc2c89",
                              "group:3c8ecdf1-e687-4fd7-941b-b2ad2a69acbb", "group:306c4915-0254-4ac6-b387-34c886d94f61",
                              "group:7ce0ff59-995c-4d67-9918-390af827abd7", "group:92ea23dd-226f-41aa-9d3b-29c6aad74be8",
                              "email:demo@enterprisesearch.onmicrosoft.com",
                              "group:62b87e4a-ed76-4a8b-b8a9-9e13c5c5bb66", "group:dff0a8ce-6100-46f1-8eee-e95b223fb98f",
                              "group:3fe1f669-84ea-4aee-9975-017e96691551", "group:2e23fe2d-9e3c-4ecc-8ccd-94eaefda96c7",
                              "group:ad2808b7-4f3c-4cfa-929b-dd8b940f997a", "group:1a864150-702b-4787-b42b-b9409e51d11a",
                              "group:6743d0af-2527-4d29-9cb2-40710f62c84b", "group:b893fe36-0e79-4c86-a87d-93c96045dd7a",
                              "group:05918f39-5c48-4fdb-a438-f7380babfd19", "group:ca7eb827-2a21-4b9a-80a2-2ca2860c7a3e",
                              "group:e787aede-afe3-4778-a1df-93047933ee1a",
                              "user_id:baa37bda-0dd1-4799-ae22-f3476c2cf58d",
                              "group:f2430f7c-f0dd-452a-8360-02a86fd7d9b0", "group:54d551c4-c02b-44d1-b540-6aefa12af4cc",
                              "group:21d2c8c0-cb0a-4209-b4fa-56b71b0bc670", "group:ede26346-3aff-470c-98dc-388032f25ef5",
                              "group:57e6a1e5-84b8-43e2-9f26-7c0d62a01632", "group:f811221d-89de-414c-b3ac-ebae7e85bad1",
                              "group:a1148980-e87b-4ab0-b2dc-01f706402d82", "group:acaa08f6-0f09-4ef0-924d-83d003825fa0",
                              "group:fd5dce67-b434-4663-b0d5-064faf46de06", "group:40c80d09-9e34-4f38-88af-ad67f16019af",
                              "group:ef95ebfa-cb17-41a6-9127-bf55c5e15323", "group:117f2376-d09c-45a7-8535-bf641d0286f9",
                              "group:56eafa5e-f932-4085-b838-bce6d34f4895", "group:44811335-b264-4f66-9001-913f7805d7be",
                              "group:8e1f0ac5-f55e-4282-bc4f-90f838f319ce", "group:634d0f97-5289-4a8c-8ea3-265d1d2c3e0f",
                              "group:2f54b181-9a08-4052-8ca3-eec503523420", "group:48fef3a4-9a3c-4657-a499-e34d78540a76",
                              "group:ba26b5de-3e2f-48c2-b0af-3c9da74ac4a8", "group:730ef41e-8b9e-4975-b9c1-1d23858b9984",
                              "group:68e9fb9e-2e5e-4b54-8425-1173e7999e7c", "group:79cbf128-a609-4b76-b9d5-a0590d9af520",
                              "group:9fb70825-1c68-4682-93df-3390d220654c", "group:11652832-591b-4699-83b5-35156a2e4e0c",
                              "group:12ddeeea-f0af-4d98-a8dc-984511814996", "group:b8b562ce-70ee-4686-b9c7-9bbd33e7dc57",
                              "group:d9cf0037-0942-4f41-9095-cd37b96f1284", "group:b7d6765f-30a1-4b34-815d-107da6f26bb9",
                              "group:0e744efc-7382-4b3c-9bc0-88c0753269b3", "group:2dd20801-173e-4faa-b6c9-5ebcb23c673e",
                              "group:97ba91c7-7fd2-4cea-90c6-350f4a475edf", "group:93811514-5f41-4a0d-b34e-5b98fd3c266e",
                              "group:41129dc5-b333-4888-b6ac-a97abe28acd0", "group:495ad027-277b-45a7-938b-ccc32b832e2c",
                              "group:6fc24322-9bb3-4261-8f5d-1beb708dde40", "group:a2183e8a-7124-48c3-8ec9-4e6564580281",
                              "group:c731144f-b757-4682-ad38-56785a5b04a0", "group:99efbef7-b757-4690-88fa-50aff4a9f493",
                              "group:b249a1c1-3bf1-45ca-88d5-3216b1bbdc74", "group:072d18e2-ec71-4e6d-a4c9-a0b9a62fe318",
                              "group:c4b18f54-eae5-4784-9c8b-419566081e8e", "group:31eb6abe-1bab-482b-aa17-fd3ab458106d",
                              "group:9a996e01-3889-4928-a13d-95e527a916e2", "group:81f61e39-339f-43a6-931f-ae0cb88ec072",
                              "group:361ba014-23e0-4082-b661-31180b4203a6", "group:f463e767-c160-4b9c-a054-55ea667e7510",
                              "group:c2da25ce-7ebe-4376-8fda-9108cc97d970", "group:731ed647-5796-485f-b0df-4cef55037fcc",
                              "group:b3701ab0-2645-42d7-a63e-713c83b23110", "group:4f04c467-d8fe-43bc-bf05-45d96810c118",
                              "group:eaeda2fa-bcec-448d-a846-370666bf2a10", "group:6e0afe9e-915b-44ca-a90c-1252828f0d47",
                              "group:5ee45c29-53f9-4cf0-9daf-4d43f6c0d4b3", "group:766e89bc-f498-46b9-b036-b49e53110d05",
                              "group:33fd1f9c-2c5b-4c9f-9260-9826eb7a4bc2", "group:0da5d129-435f-4904-8195-447394351f67",
                              "group:5d3aac68-b5ec-4088-8a34-a7ae31cdde54",
                              "user:demo@enterprisesearch.onmicrosoft.com",
                              "group:4d584612-4763-40fd-b641-991ce3d57a2b", "group:ac7646ca-a2e0-4280-bf3c-96b2d5614c1e",
                              "group:94d5db97-58ba-4b11-b9f9-c0afa3914ad8", "group:0b8f23d5-2664-49c3-b8f3-a9da224d9c87",
                              "group:97d055cf-5cdf-4e5e-b383-f01ed3a8844d", "group:08c1ad4e-c01a-4307-ac71-56c74e4b6130",
                              "group:4c304a95-d08b-471a-af34-c47906af1351", "group:2df6206d-0963-4bd7-a8c2-e9e9a08b6b31",
                              "group:c4ab28f1-ba34-4551-b110-1795fb1135d3", "group:98a5a0f5-96d8-4337-94c2-0965885b8982",
                              "group:9f43a243-89b9-4c1e-a785-5c230a80a709", "group:748cd744-08ba-4866-9d05-70eea6cc30ec",
                              "group:9ede5c5f-e34f-404a-875b-42cda61a64cc", "group:3413acd4-ceb8-43a2-a7f4-57aacb805d23",
                              "group:cee8e675-44f2-4e27-b3c6-bccf9e22479e", "group:909bd04f-9070-4543-8a82-ee3ecbfa6971",
                              "group:d74840d6-dab0-428a-bdc8-696f66252788", "group:abd6965d-b777-4b3d-a121-ca005d02477f",
                              "group:f2f81ac7-4edc-4cd5-87ab-3094290c88c6", "group:23b9fc60-45f0-4b86-8c54-c1b564b5eeaa",
                              "group:d75fcfe8-9448-49bf-950c-258a8ec062af", "group:95510376-6058-48b5-b86d-0c8a42d0e20f",
                              "group:b2960488-04e3-4b6c-b9c9-e47599c63ad6", "group:7ae2391f-9ae9-4097-af6b-9eeb6ff4b152",
                              "group:6f55b198-aaf7-4c06-bdc0-d536675bea29", "group:846f1ddb-4590-4c14-9439-da58632b6b0a",
                              "group:595fa123-8ad4-47fc-a676-6245c2da35dc", "group:58807eda-7b50-4491-a3bc-4859166c93d4",
                              "group:0476e6a2-b31e-4b5c-9aa6-daa56ebccefc", "group:d0a40e89-f63b-44c8-a80c-7b6342de9b20"
                            ]
                          }
                        }
                      ]
                    }
                  }
                }
              }
            ]
          }
        }
      ]
    }
  },
  "_source": ["webUrl"]
}
```

Expected behavior

Environment

8.11.0-SNAPSHOT

seanstory commented 11 months ago

see also: https://github.com/elastic/enterprise-search-team/issues/5958#issuecomment-1749345067

```
Everyone -> c:0(.s|true
Everyone except external users -> c:0-.f|rolemanager|spo-grid-all-users/<tenant_id>
Group members -> c:0o.c|federateddirectoryclaimprovider|<group_guid>
Group Owners -> c:0o.c|federateddirectoryclaimprovider|<group_guid>
"Company Administrator" in Sharepoint Admin console -> c:0t.c|tenant|<UNKNOWN-GUID>
An O365 user -> i:0#.f|membership|<USER-EMAIL>
```

This issue already mentions the c:0-.f|rolemanager|spo-grid-all-users and c:0t.c|tenant prefixes, but the "everyone" groups are something we haven't discussed for DLS.
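Added example (editor's code, not part of the issue thread or of the connectors code base): a small parser for the claim-encoded `LoginName` formats listed in the comment above, plus the two expansions the first comment identifies as missing, `_o` group owners via `/groups/{id}/owners` and the `c:0t.c|tenant|<guid>` principal via `/directoryRoles/{id}/members`. Assumptions, labelled in the code: that `_o` means "owners" (the thread's hypothesis), the `group:`/`user:` ACL term spellings (taken from the `_allow_access_control` values in the query above; the two "everyone" spellings are invented here), the `Principal` class and function names, the tenant GUID and the `admin@example.com` member, and `fake_fetch`, which stands in for an authenticated Graph client so the example runs offline. Unrecognised or malformed claims are returned rather than dropped, since silently dropped role assignments are exactly the failure described in the issue.

```python
"""Parse SharePoint Online claim-encoded LoginName values into principals and
expand the ones that need a Microsoft Graph lookup before they can become
access-control entries. Illustrative code for this thread, not the connector's."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Claim prefixes as listed in the thread.
EVERYONE = "c:0(.s|true"
EVERYONE_EXCEPT_EXTERNAL = "c:0-.f|rolemanager|spo-grid-all-users/"
M365_GROUP = "c:0o.c|federateddirectoryclaimprovider|"
TENANT_ROLE = "c:0t.c|tenant|"
USER = "i:0#.f|membership|"

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


@dataclass(frozen=True)
class Principal:
    kind: str                    # everyone | everyone_except_external | group | group_owners | directory_role | user | unknown
    value: Optional[str] = None  # GUID, tenant id, UPN, or the raw claim for "unknown"


def parse_login_name(login_name: str) -> Principal:
    """Map one SP.User LoginName claim to a Principal."""
    if login_name == EVERYONE:
        return Principal("everyone")
    if login_name.startswith(EVERYONE_EXCEPT_EXTERNAL):
        return Principal("everyone_except_external", login_name[len(EVERYONE_EXCEPT_EXTERNAL):])
    if login_name.startswith(M365_GROUP):
        ident = login_name[len(M365_GROUP):]
        # Assumption from the thread: a trailing "_o" denotes the group's owners, not the group itself.
        kind, guid = ("group_owners", ident[:-2]) if ident.endswith("_o") else ("group", ident)
        return Principal(kind, guid.lower()) if GUID_RE.match(guid) else Principal("unknown", login_name)
    if login_name.startswith(TENANT_ROLE):
        guid = login_name[len(TENANT_ROLE):]
        return Principal("directory_role", guid.lower()) if GUID_RE.match(guid) else Principal("unknown", login_name)
    if login_name.startswith(USER):
        return Principal("user", login_name[len(USER):].lower())
    return Principal("unknown", login_name)


def graph_expansion_url(p: Principal) -> Optional[str]:
    """Graph endpoint listing the users behind this principal, or None when the
    principal maps to an ACL term directly. Both endpoints need directory-read
    scopes beyond what a Sites-only app registration carries."""
    if p.kind == "group_owners":
        return f"{GRAPH}/groups/{p.value}/owners"
    if p.kind == "directory_role":
        return f"{GRAPH}/directoryRoles/{p.value}/members"
    return None


def direct_acl_term(p: Principal) -> Optional[str]:
    """ACL term for principals that need no expansion. "group:"/"user:" follow
    the _allow_access_control values quoted in the issue; the two "everyone"
    spellings are assumptions made for this example."""
    return {
        "group": f"group:{p.value}",
        "user": f"user:{p.value}",
        "everyone": "everyone",
        "everyone_except_external": f"everyone_except_external:{p.value}",
    }.get(p.kind)


def resolve_access_control(login_names: List[str],
                           fetch_members: Callable[[str], List[str]]) -> Tuple[List[str], List[str]]:
    """Turn role-assignment LoginNames into (sorted ACL terms, unresolved claims).
    fetch_members(url) must return the UPNs listed at a Graph URL; it is injected
    so a real caller can pass an authenticated Graph client and this runs offline."""
    terms, unresolved = set(), []
    for name in login_names:
        p = parse_login_name(name)
        url = graph_expansion_url(p)
        if url is not None:
            terms.update(f"user:{upn.lower()}" for upn in fetch_members(url))
        elif (term := direct_acl_term(p)) is not None:
            terms.add(term)
        else:
            unresolved.append(name)  # surfaced for logging instead of silently losing access
    return sorted(terms), unresolved


# Constructed sample: the two LoginNames from the issue plus one of each other claim shape.
CONSTRUCTED_ROLE_ASSIGNMENTS = [
    "c:0o.c|federateddirectoryclaimprovider|ff59b3b8-8cc6-4fab-a038-4b57b1c81ebe_o",
    "c:0o.c|federateddirectoryclaimprovider|ff59b3b8-8cc6-4fab-a038-4b57b1c81ebe",
    "c:0t.c|tenant|ede26346-3aff-470c-98dc-388032f25ef5",
    "i:0#.f|membership|demo@enterprisesearch.onmicrosoft.com",
    "c:0(.s|true",
    "c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    "c:0o.c|federateddirectoryclaimprovider|not-a-guid_o",                         # malformed on purpose
]

# Constructed Graph responses standing in for the real API (admin@example.com is invented).
FAKE_GRAPH = {
    f"{GRAPH}/groups/ff59b3b8-8cc6-4fab-a038-4b57b1c81ebe/owners": ["demo@enterprisesearch.onmicrosoft.com"],
    f"{GRAPH}/directoryRoles/ede26346-3aff-470c-98dc-388032f25ef5/members": ["admin@example.com"],
}


def fake_fetch(url: str) -> List[str]:
    return FAKE_GRAPH.get(url, [])


if __name__ == "__main__":
    acl, leftovers = resolve_access_control(CONSTRUCTED_ROLE_ASSIGNMENTS, fake_fetch)
    print("\n".join(acl))
    print("unresolved:", leftovers)
```

The point of returning `unresolved` separately is that a connector building DLS filters should treat an unparseable claim as a sync warning, not as "no access"; with the `_o` and `c:0t.c|tenant|` cases handled, the `demo@enterprisesearch.onmicrosoft.com` user appears in the ACL both directly and via the owners expansion, which is what the "check permissions" UI in the issue reports.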