
SharePoint Online: Get Document Library Permissions and Export to CSV Using PnP PowerShell

Author: 精品下载站 Date: 2024-12-14 21:14:39



Requirement: Get document library permissions in SharePoint Online using PowerShell.

How to Get SharePoint Online Document Library Permissions?

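Are you looking for a way to export SharePoint Online document library permissions so you can determine who has access to your document libraries? Or perhaps you want to generate a report of all users who have permissions on a specific document library in a SharePoint Online site. Either way, this article shows you how to get document library permissions in SharePoint Online.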

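  1. Sign in to the SharePoint Online site with site owner permissions, then navigate to the document library whose permissions you want to view.
  2. Click the Settings gear in the upper-right corner of the screen, then click Library settings. This opens the library settings page. Click the "Permissions for this document library" link.
  3. This displays a page listing all users and groups along with the permissions assigned to them.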

PnP PowerShell to Export Document Library Permissions in SharePoint Online

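To export document library permissions in SharePoint Online with PnP PowerShell, retrieve all values of the List.RoleAssignments property and then export them with the Export-Csv cmdlet. This PowerShell script exports all permissions of a SharePoint Online document library: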


# Parameters
$SiteUrl = "https://crescent.sharepoint.com/sites/ICDocuments"
$ReportOutput = "C:\Temp\LibraryPermissions.csv"
$LibraryName = "IC Documents"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteUrl -Interactive # -Credentials (Get-Credential)

# Get the document library
$Library = Get-PnpList -Identity $LibraryName -Includes RoleAssignments

# Get all users and groups that have access
$RoleAssignments = $Library.RoleAssignments
$PermissionCollection = @()
Foreach ($RoleAssignment in $RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

    #Get the Principal Type: User, SP Group, AD Group
    $PermissionType = $RoleAssignment.Member.PrincipalType
    $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name
    
    #Get all permission levels assigned (Excluding:Limited Access)
    $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
    If($PermissionLevels.Length -eq 0) {Continue}

    #Get SharePoint group members
    If($PermissionType -eq "SharePointGroup")
    {
        #Get Group Members
        $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName                 
        #Leave Empty Groups
        If($GroupMembers.count -eq 0){Continue}

        ForEach($User in $GroupMembers)
        {
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty User($User.Title)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
            $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
            $PermissionCollection += $Permissions
        }
    }
    Else
    {
        #Add the Data to Object
        $Permissions = New-Object PSObject
        $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)
        $Permissions | Add-Member NoteProperty Type($PermissionType)
        $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
        $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
        $PermissionCollection += $Permissions
    }
}
#Export Permissions to CSV File
$PermissionCollection
$PermissionCollection | Export-CSV $ReportOutput -NoTypeInformation
Write-host -f Green "Permission Report Generated Successfully!"

SharePoint Online PowerShell to Get List Permissions

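This PowerShell script can also be used to get list permissions in SharePoint Online. While it extracts the permissions applied to the list itself, what if you want the permissions of all underlying objects of a list or library, such as folders and files/list items? The script below adds a -ScanItemLevel switch that walks every item and reports those with unique permissions; adding -IncludeInheritedPermissions reports items with inherited permissions as well.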


#Function to Get Permissions on a particular List, Folder or List Item
Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
    #Determine the type of the object
    Switch($Object.TypedObject.ToString())
    {
        "Microsoft.SharePoint.Client.ListItem"
        { 
            If($Object.FileSystemObjectType -eq "Folder")
            {
                $ObjectType = "Folder"
                #Get the URL of the Folder 
                $Folder = Get-PnPProperty -ClientObject $Object -Property Folder
                $ObjectTitle = $Object.Folder.Name
                $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.Folder.ServerRelativeUrl)
            }
            Else #File or List Item
            {
                #Get the URL of the Object
                Get-PnPProperty -ClientObject $Object -Property File, ParentList
                If($Object.File.Name -ne $Null)
                {
                    $ObjectType = "File"
                    $ObjectTitle = $Object.File.Name
                    $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.File.ServerRelativeUrl)
                }
                else
                {
                    $ObjectType = "List Item"
                    $ObjectTitle = $Object["Title"]
                    #Get the URL of the List Item
                    $DefaultDisplayFormUrl = Get-PnPProperty -ClientObject $Object.ParentList -Property DefaultDisplayFormUrl                     
                    $ObjectURL = $("{0}{1}?ID={2}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
                }
            }
        }
        Default 
        { 
            $ObjectType = "List or Library"
            $ObjectTitle = $Object.Title
            #Get the URL of the List or Library
            $RootFolder = Get-PnPProperty -ClientObject $Object -Property RootFolder     
            $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $RootFolder.ServerRelativeUrl)
        }
    }
   
    #Get permissions assigned to the object
    Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments
 
    #Check if Object has unique permissions
    $HasUniquePermissions = $Object.HasUniqueRoleAssignments
     
    #Loop through each permission assigned and extract details
    $PermissionCollection = @()
    Foreach($RoleAssignment in $Object.RoleAssignments)
    { 
        #Get the Permission Levels assigned and Member
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
 
        #Get the Principal Type: User, SP Group, AD Group
        $PermissionType = $RoleAssignment.Member.PrincipalType
    
        #Get the Permission Levels assigned
        $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name
 
        #Remove Limited Access
        $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
 
        #Leave Principals with no Permissions
        If($PermissionLevels.Length -eq 0) {Continue}
 
        #Get SharePoint group members
        If($PermissionType -eq "SharePointGroup")
        {
            #Get Group Members
            $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName
                 
            #Leave Empty Groups
            If($GroupMembers.count -eq 0){Continue}
            $GroupUsers = ($GroupMembers | Select -ExpandProperty Title) -join "; "
 
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Object($ObjectType)
            $Permissions | Add-Member NoteProperty Title($ObjectTitle)
            $Permissions | Add-Member NoteProperty URL($ObjectURL)
            $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
            $Permissions | Add-Member NoteProperty Users($GroupUsers)
            $Permissions | Add-Member NoteProperty Email($RoleAssignment.Member.Email)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
            $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
            $PermissionCollection += $Permissions
        }
        Else
        {
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Object($ObjectType)
            $Permissions | Add-Member NoteProperty Title($ObjectTitle)
            $Permissions | Add-Member NoteProperty URL($ObjectURL)
            $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
            $Permissions | Add-Member NoteProperty Users($RoleAssignment.Member.Title)
            $Permissions | Add-Member NoteProperty Email($RoleAssignment.Member.Email)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
            $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
            $PermissionCollection += $Permissions
        }
    }
    #Export Permissions to CSV File
    $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation -Append
}
   
#Function to get sharepoint online list permissions report
Function Generate-PnPListPermissionRpt()
{
[cmdletbinding()]
    Param  
    (    
        [Parameter(Mandatory=$false)] [String] $SiteURL, 
        [Parameter(Mandatory=$false)] [String] $ListName,         
        [Parameter(Mandatory=$false)] [String] $ReportFile,
        [Parameter(Mandatory=$false)] [switch] $ScanItemLevel,
        [Parameter(Mandatory=$false)] [switch] $IncludeInheritedPermissions
    )
    Try {
        #Function to Get Permissions of All List Items of a given List
        Function Get-PnPListItemsPermission([Microsoft.SharePoint.Client.List]$List)
        {
            Write-host -f Yellow "`t `t Getting Permissions of List Items in the List:"$List.Title
  
            #Get All Items from List in batches
            $ListItems = Get-PnPListItem -List $List -PageSize 500
  
            $ItemCounter = 0
            #Loop through each List item
            ForEach($ListItem in $ListItems)
            {
                #Get Objects with Unique Permissions or Inherited Permissions based on 'IncludeInheritedPermissions' switch
                If($IncludeInheritedPermissions)
                {
                    Get-PnPPermissions -Object $ListItem
                }
                Else
                {
                    #Check if List Item has unique permissions
                    $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property HasUniqueRoleAssignments
                    If($HasUniquePermissions -eq $True)
                    {
                        #Call the function to generate Permission report
                        Get-PnPPermissions -Object $ListItem
                    }
                }
                $ItemCounter++
                Write-Progress -PercentComplete ($ItemCounter / ($List.ItemCount) * 100) -Activity "Processing Items $ItemCounter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"
            }
        }

            #Get the List
            $List = Get-PnpList -Identity $ListName -Includes RoleAssignments
            
            Write-host -f Yellow "Getting Permissions of the List '$ListName'..."
            #Get List Permissions
            Get-PnPPermissions -Object $List

            #Get Item Level Permissions if 'ScanItemLevel' switch present
            If($ScanItemLevel)
            {
                #Get List Items Permissions
                Get-PnPListItemsPermission -List $List
            }
        Write-host -f Green "`t List Permission Report Generated Successfully!"  
     }
    Catch {
        write-host -f Red "Error Generating List Permission Report!" $_.Exception.Message
   }
}

#region ***Parameters***
$SiteURL="https://crescent.sharepoint.com/sites/marketing"
$ListName = "Branding"
$ReportFile="C:\Temp\ListPermissionRpt.csv"
#endregion

#Remove the Output report if exists
If (Test-Path $ReportFile) { Remove-Item $ReportFile }

#Connect to the Site
Connect-PnPOnline -URL $SiteURL -Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb
 
#Call the function to generate list permission report
Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile -ScanItemLevel
#Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile -ScanItemLevel -IncludeInheritedPermissions    

Here is the SharePoint Online document library permission report generated by PowerShell:


How about producing a permission report for every document library on the site? Just call the Generate-PnPListPermissionRpt function for each library. Here's how:


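#Requires the Get-PnPPermissions and Generate-PnPListPermissionRpt functions from the previous script to be loaded in this session
#region ***Parameters***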
$SiteURL="https://crescent.sharepoint.com/sites/marketing"
$ReportsPath="C:\Temp\"
#endregion

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb
    
#Get all document libraries - Exclude Hidden Libraries
$DocumentLibraries = Get-PnPList | Where-Object {$_.BaseType -eq "DocumentLibrary" -and $_.Hidden -eq $false}

ForEach($Library in $DocumentLibraries)
{
    #Build the report path (one CSV per library) and remove the output report if it exists
    $ReportFile = [string]::Concat($ReportsPath, $Library.Title, ".csv")
    If (Test-Path $ReportFile) { Remove-Item $ReportFile }
  
    #Call the function to generate list permission report
    Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $Library.Title -ReportFile $ReportFile
}

Wrapping up

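In summary, retrieving document library permissions with PnP PowerShell and exporting them to a CSV file is a useful and efficient way to manage a SharePoint Online site. By following the steps outlined in this article, you can quickly and easily retrieve a document library's permissions and export them to a CSV file for further analysis or administration. This helps an organization keep track of who has access to specific resources, and it can also be used to identify potential security risks and ensure that only authorized users can access sensitive information. By using PnP PowerShell, you can simplify the management of document library permissions in SharePoint Online and help keep your organization's data secure.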
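
One way to use the exported report for the risk review mentioned above, as an added example that is not part of the original article or its scripts: the function scans rows in the column layout written by Get-PnPPermissions and flags entries worth a second look. The function name Find-RiskyPermission, the internal domain crescent.example, the sample rows and the four heuristics are assumptions made for illustration.

```powershell
# Constructed sample rows in the column layout written by Get-PnPPermissions.
# Against a real report use: $Rows = Import-Csv "C:\Temp\ListPermissionRpt.csv"
$Rows = @'
"Object","Title","URL","HasUniquePermissions","Users","Email","Type","Permissions","GrantedThrough"
"List or Library","Branding","https://crescent.sharepoint.com/sites/marketing/Branding","True","Sample Owner A; Sample Owner B","","SharePointGroup","Full Control","SharePoint Group: Marketing Owners"
"Folder","Contracts","https://crescent.sharepoint.com/sites/marketing/Branding/Contracts","True","Sample Member; Everyone except external users","","SharePointGroup","Edit","SharePoint Group: Marketing Members"
"File","Budget.xlsx","https://crescent.sharepoint.com/sites/marketing/Branding/Budget.xlsx","True","Sample Guest","guest@partner.example","User","Contribute","Direct Permissions"
"File","Logo.png","https://crescent.sharepoint.com/sites/marketing/Branding/Logo.png","True","Sample Admin","admin@crescent.example","User","Full Control,Read","Direct Permissions"
'@ | ConvertFrom-Csv

Function Find-RiskyPermission
{
    Param(
        [Parameter(Mandatory=$true)] [Object[]] $Rows,
        [String[]] $InternalDomains = @("crescent.example"),   # assumption: your own mail domains
        [String[]] $BroadPrincipals = @("Everyone", "Everyone except external users")
    )
    ForEach($Row in $Rows)
    {
        $Findings = @()
        # Group rows carry "; "-joined member titles, so test each member
        $Members = $Row.Users -split ";\s*"
        If($Members | Where-Object { $BroadPrincipals -contains $_ }) { $Findings += "Tenant-wide principal" }

        # Access handed to one account instead of a managed group
        If($Row.Type -eq "User" -and $Row.GrantedThrough -eq "Direct Permissions") { $Findings += "Direct user grant" }

        # Full Control on a folder, file or item rather than on the library itself
        If(($Row.Permissions -split ",") -contains "Full Control" -and $Row.Object -ne "List or Library") { $Findings += "Full Control below library level" }

        # Email is only filled in for direct grants; group rows leave it empty
        If($Row.Email -and $Row.Email.Contains("@") -and $InternalDomains -notcontains ($Row.Email -split "@")[-1]) { $Findings += "External address" }

        If($Findings.Count -gt 0)
        {
            [PSCustomObject]@{ Object = $Row.Object; Title = $Row.Title; Users = $Row.Users
                               Permissions = $Row.Permissions; Findings = ($Findings -join "; ") }
        }
    }
}

Find-RiskyPermission -Rows $Rows | Format-Table -AutoSize -Wrap
```

Because the report stores display names rather than login names, the external-address check only covers direct grants; members of a SharePoint group still need to be checked against the directory.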

If you want to create a permission report for everything on the site, use: SharePoint Online Site Permission Report Using PowerShell
