locked
Sharepoint ClientObject Model ctx.Load(group.users) - Access Denied exception RRS feed

  • Question

  • Hey guys,

    I am trying to get the users of a group like this :

    GroupCollection userGroups = ctx.Web.SiteGroups;
    ctx.Load(userGroups,groups => groups.Include(group => group.Title,group => group.Id,group => group.Users.Include(
                              user => user.Title,
                              user => user.Email)));

    At executeQuery, I receive the following error " Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: Access denied. You do not have permission to perform this action or access this resource. "

    The code is ran from a web application that has the app pool identity an user which is in the owner group of the sitecollection.

    I also receive the same error at the following code:

    ListItem li = listItems[0];

    clientContext.Load(li.RoleAssignments); clientContext.ExecuteQuery();

    or

     foreach (var group in userGroups)
    {
                 
     ctx.Load(group.Users);
     ctx.ExecuteQuery();
    
    }

    Only the site owner / system account doesn't receive that error.

    Does anybody have any ideas?

    Thank you,

    Dan



    Friday, July 26, 2013 8:51 PM

Answers

  • Thank you for the suggestion. I do not have a AppManifest.xml in my web application solution. I tried to add one but with no success. How should it look like? (I have vs 2010 & sp 2010)


    Edit:

    I think I have found the solution. I had to go to the central administration - > application management-> manage web applications , chose the application click on User Policy and added the user i wanted to use with Full Read.

    Friday, July 26, 2013 11:50 PM

All replies

  • I can't provide any help, as I'm getting the same error trying to access Folders, using code similar to yours.
    FolderCollection folderList = clientContext.Web.Folders;
    clientContext.Load<FolderCollection>(folderList);
    clientContext.ExecuteQuery();
    I am able to access some of the properties on Web, such as ContentTypes, Features, and others, but some of them I can't access. I don't see anything in the SharePoint docs that sheds any light on this.
    Friday, July 26, 2013 9:10 PM
  • I just realized that the Access Denied error is also available even if I set the application pool id to the Administrator that is the Sharepoint\System account.

    I just cannot get the users in a group:

     foreach (var group in userGroups)
    {
                 
     ctx.Load(group.Users);
     ctx.ExecuteQuery();
    
    }

    Funny thing is that it worked if hosted in the asp.net development server that is running as administrator. I think this shows the credentials are not passed ok somehow from app pool id.

    Edit:

    Ok, found a part of the problem. Without 

      clientContext.Credentials = CredentialCache.DefaultNetworkCredentials;

    The clientcontext did not take the application pools' identity. 

    The main problem still remains. Only the sharepoint administrator (system account) can get the users from a group. Even users that are members of the Owners group cannot access this:

     foreach (var group in userGroups)
    {
                 
     ctx.Load(group.Users);
     ctx.ExecuteQuery();
    
    }




    • Edited by Dan-Gheorghe Friday, July 26, 2013 11:01 PM rectified
    Friday, July 26, 2013 9:49 PM
  • I was able to find a solution to my problem of getting "access denied" on Web.Folders. This is what worked for me:

    1. Open the app manifest (AppManifest.xml) in VS.

    2. Select the Permissions tab.

    3. In the table, in the Scope column, select Web. In the Permission column, select Manage.

    4. Save.

    At first I set the permission to Read, but still got the access denied error, but changing it to Manage fixed my problem.

    Hope that helps.

    Friday, July 26, 2013 11:04 PM
  • Thank you for the suggestion. I do not have a AppManifest.xml in my web application solution. I tried to add one but with no success. How should it look like? (I have vs 2010 & sp 2010)


    Edit:

    I think I have found the solution. I had to go to the central administration - > application management-> manage web applications , chose the application click on User Policy and added the user i wanted to use with Full Read.

    Friday, July 26, 2013 11:50 PM
  • Thanks for the solution

    Thursday, October 23, 2014 8:21 AM