Sort Graph permissions with users ahead of groups

[chscott]

The associated forum post URL from https://forum.rclone.org

Discussed in email.

What is your current rclone version (output from rclone version)?

v1.69.1

What problem are you are trying to solve?

Graph has a quirk that manifests when all of these conditions apply:

1. You are adding permissions for both a group and a user.
2. The user is a member of the group.
3. The permissions for the group and user are the same.
4. You are adding the group permission before the user permission.

When all of the above are true, Graph indicates it has added the user permission, but it immediately drops it. For example:

2025/03/21 15:08:01 DEBUG : HTTP REQUEST (req 0xc0005bf040)
2025/03/21 15:08:01 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM6FM5BTRUMZGVDKZS7JNQWOAEX3/invite HTTP/1.1
{"recipients":[{"email":"reviewers@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/21 15:08:01 DEBUG : HTTP RESPONSE (req 0xc0005bf040)
2025/03/21 15:08:01 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "displayName": "Reviewers Members"
                }
            }
        }
    ]
}

2025/03/21 15:08:01 DEBUG : HTTP REQUEST (req 0xc000bb1400)
2025/03/21 15:08:01 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM6FM5BTRUMZGVDKZS7JNQWOAEX3/invite HTTP/1.1
{"recipients":[{"email":"angie.scott@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/21 15:08:02 DEBUG : HTTP RESPONSE (req 0xc000bb1400)
2025/03/21 15:08:02 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "aTowIy5mfG1lbWJlcnNoaXB8YW5naWUuc2NvdHRAY2RzY29uc3VsdGluZy5vcmc",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "angie@cdsconsulting.org",
                    "id": "4b9c56cb-83b3-4b1a-a66f-5e108a840bf4",
                    "displayName": "Angie Scott"
                }
            }
        }
    ]
}

2025/03/21 15:08:02 DEBUG : HTTP REQUEST (req 0xc0005bfe00)
2025/03/21 15:08:02 DEBUG : GET /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM6FM5BTRUMZGVDKZS7JNQWOAEX3/permissions HTTP/1.1
2025/03/21 15:08:02 DEBUG : HTTP RESPONSE (req 0xc0005bfe00)
2025/03/21 15:08:02 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-')/items('01N4X3HM6FM5BTRUMZGVDKZS7JNQWOAEX3')/permissions",
    "value": [{
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "shareId": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "grantedToV2": {
                "group": {
                    "@odata.type": "#microsoft.graph.sharePointIdentity",
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "fec23cdf-a6de-4955-adeb-0179365e6b7b"
                },
                "siteUser": {
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "16",
                    "loginName": "c:0o.c|federateddirectoryclaimprovider|fec23cdf-a6de-4955-adeb-0179365e6b7b"
                }
            },
            "grantedTo": {
                "user": {
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "fec23cdf-a6de-4955-adeb-0179365e6b7b"
                }
            }
        }, {
            "id": "aTowIy5mfG1lbWJlcnNoaXB8Y2hhZC5zY290dEBjZHNjb25zdWx0aW5nLm9yZw",
            "roles": ["owner"],
            "shareId": "aTowIy5mfG1lbWJlcnNoaXB8Y2hhZC5zY290dEBjZHNjb25zdWx0aW5nLm9yZw",
            "grantedToV2": {
                "user": {
                    "@odata.type": "#microsoft.graph.sharePointIdentity",
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "7ecdcdf3-e69a-4194-8ad8-e290ea289fd5"
                },
                "siteUser": {
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "3",
                    "loginName": "i:0#.f|membership|chad.scott@cdsconsulting.org"
                }
            },
            "grantedTo": {
                "user": {
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "7ecdcdf3-e69a-4194-8ad8-e290ea289fd5"
                }
            }
        }
    ]
}

How do you think rclone should be changed to solve that?

Attempt to apply user permissions before group permissions, which works around the issue. Note that you can force this to be the case today by returning a sorted permissions object from the mapper, but it's probably not obvious that this is required.

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

[ncw]

Heads up @rclone/support - the "Support Contract" label was applied to this issue.

[chscott]

@ncw This is what I emailed about earlier today. It appears to be a Graph issue and not a bug, and there is a workaround available. Still, I think it would be good to address this in rclone, as it could lead to loss of access in the following scenario:

1. A user has individual and group permissions to a file.
2. The user is removed from the group.
3. The user no longer has access to the file because Graph dropped the individual permission.

Whether intentional or not, Graph is assuming group memberships are static, and that's anything but true in the real world.

[ncw]

@chscott I had a go at ordering the permission updates so anything with a user in it comes first. I think this should fix the problem.

Can you give it a try?

v1.70.0-beta.8641.2af1e8f46.fix-8465-onedrive-metadata on branch fix-8465-onedrive-metadata (uploaded in 15-30 mins)

Thanks

[chscott]

@ncw The fix didn't work for me. Here's are two log excerpts. The first is with the fix and no changes on my side. The second is with v1.69.1 and a change on my side to sort the permissions that are returned to rclone.

2025/03/26 08:44:57 DEBUG : rclone: Version "v1.70.0-beta.8641.2af1e8f46.fix-8465-onedrive-metadata" starting with parameters
2025/03/26 08:44:59 DEBUG : Metadata mapper sent: 
{
	"SrcFs": "Source{UEqtu}:Test",
	"SrcFsType": "drive",
	"DstFs": "Target{VZpyf}:Test",
	"DstFsType": "onedrive",
	"Remote": "sample.txt",
	"Size": 22,
	"MimeType": "text/plain",
	"ModTime": "2025-03-26T13:41:56.572Z",
	"IsDir": false,
	"ID": "1vTdEO9GWMQzHJfN0l3Fcs5SZCvem0-5J",
	"Metadata": {
		"btime": "2025-03-25T20:30:38.560Z",
		"content-type": "text/plain",
		"copy-requires-writer-permission": "false",
		"mtime": "2025-03-26T13:41:56.572Z",
		"owner": "chad@cdsconsulting.co",
		"permissions": "[{\"emailAddress\":\"reviewers@cdsconsulting.co\",\"id\":\"09466358200964241419\",\"role\":\"writer\",\"type\":\"group\"},{\"emailAddress\":\"angie@cdsconsulting.co\",\"id\":\"14885772533033484759\",\"role\":\"writer\",\"type\":\"user\"},{\"emailAddress\":\"chad@cdsconsulting.co\",\"id\":\"09287294999424909072\",\"role\":\"owner\",\"type\":\"user\"}]",
		"starred": "false",
		"viewed-by-me": "true",
		"writers-can-share": "true"
	}
}
2025/03/26 08:44:59 DEBUG : Metadata mapper received: 
{"Metadata":{"permissions":"[{\"grantedToV2\":{\"group\":{\"id\":\"reviewers@cdsconsulting.org\"}},\"roles\":[\"write\"]},{\"grantedToV2\":{\"user\":{\"id\":\"angie.scott@cdsconsulting.org\"}},\"roles\":[\"write\"]}]"}}

2025/03/26 08:45:01 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM36IPUADM7D4RGLAYEKM2E5HS52/invite HTTP/1.1
{"recipients":[{"email":"reviewers@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/26 08:45:02 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "displayName": "Reviewers Members"
                }
            }
        }
    ]
}

2025/03/26 08:45:02 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM36IPUADM7D4RGLAYEKM2E5HS52/invite HTTP/1.1
{"recipients":[{"email":"angie.scott@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/26 08:45:02 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "aTowIy5mfG1lbWJlcnNoaXB8YW5naWUuc2NvdHRAY2RzY29uc3VsdGluZy5vcmc",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "angie@cdsconsulting.org",
                    "id": "4b9c56cb-83b3-4b1a-a66f-5e108a840bf4",
                    "displayName": "Angie Scott"
                }
            }
        }
    ]
}

2025/03/26 08:45:02 DEBUG : GET /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM36IPUADM7D4RGLAYEKM2E5HS52/permissions HTTP/1.1
2025/03/26 08:45:03 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-')/items('01N4X3HM36IPUADM7D4RGLAYEKM2E5HS52')/permissions",
    "value": [{
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "shareId": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "grantedToV2": {
                "group": {
                    "@odata.type": "#microsoft.graph.sharePointIdentity",
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "fec23cdf-a6de-4955-adeb-0179365e6b7b"
                },
                "siteUser": {
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "16",
                    "loginName": "c:0o.c|federateddirectoryclaimprovider|fec23cdf-a6de-4955-adeb-0179365e6b7b"
                }
            },
            "grantedTo": {
                "user": {
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "fec23cdf-a6de-4955-adeb-0179365e6b7b"
                }
            }
        }, {
            "id": "aTowIy5mfG1lbWJlcnNoaXB8Y2hhZC5zY290dEBjZHNjb25zdWx0aW5nLm9yZw",
            "roles": ["owner"],
            "shareId": "aTowIy5mfG1lbWJlcnNoaXB8Y2hhZC5zY290dEBjZHNjb25zdWx0aW5nLm9yZw",
            "grantedToV2": {
                "user": {
                    "@odata.type": "#microsoft.graph.sharePointIdentity",
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "7ecdcdf3-e69a-4194-8ad8-e290ea289fd5"
                },
                "siteUser": {
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "3",
                    "loginName": "i:0#.f|membership|chad.scott@cdsconsulting.org"
                }
            },
            "grantedTo": {
                "user": {
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "7ecdcdf3-e69a-4194-8ad8-e290ea289fd5"
                }
            }
        }
    ]
}

2025/03/26 08:52:36 DEBUG : rclone: Version "v1.69.1" starting with parameters 
2025/03/26 08:52:37 DEBUG : Metadata mapper sent: 
{
	"SrcFs": "Source{UEqtu}:Test",
	"SrcFsType": "drive",
	"DstFs": "Target{VZpyf}:Test",
	"DstFsType": "onedrive",
	"Remote": "sample.txt",
	"Size": 22,
	"MimeType": "text/plain",
	"ModTime": "2025-03-26T13:41:56.572Z",
	"IsDir": false,
	"ID": "1vTdEO9GWMQzHJfN0l3Fcs5SZCvem0-5J",
	"Metadata": {
		"btime": "2025-03-25T20:30:38.560Z",
		"content-type": "text/plain",
		"copy-requires-writer-permission": "false",
		"mtime": "2025-03-26T13:41:56.572Z",
		"owner": "chad@cdsconsulting.co",
		"permissions": "[{\"emailAddress\":\"reviewers@cdsconsulting.co\",\"id\":\"09466358200964241419\",\"role\":\"writer\",\"type\":\"group\"},{\"emailAddress\":\"angie@cdsconsulting.co\",\"id\":\"14885772533033484759\",\"role\":\"writer\",\"type\":\"user\"},{\"emailAddress\":\"chad@cdsconsulting.co\",\"id\":\"09287294999424909072\",\"role\":\"owner\",\"type\":\"user\"}]",
		"starred": "false",
		"viewed-by-me": "true",
		"writers-can-share": "true"
	}
}
2025/03/26 08:52:38 DEBUG : Metadata mapper received: 
{"Metadata":{"permissions":"[{\"grantedToV2\":{\"user\":{\"id\":\"angie.scott@cdsconsulting.org\"}},\"roles\":[\"write\"]},{\"grantedToV2\":{\"group\":{\"id\":\"reviewers@cdsconsulting.org\"}},\"roles\":[\"write\"]}]"}}

2025/03/26 08:52:40 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM6YFBSNPFDSWJGZAWXNLGDPFDPO/invite HTTP/1.1
{"recipients":[{"email":"angie.scott@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/26 08:52:40 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "aTowIy5mfG1lbWJlcnNoaXB8YW5naWUuc2NvdHRAY2RzY29uc3VsdGluZy5vcmc",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "angie@cdsconsulting.org",
                    "id": "4b9c56cb-83b3-4b1a-a66f-5e108a840bf4",
                    "displayName": "Angie Scott"
                }
            }
        }
    ]
}

2025/03/26 08:52:40 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM6YFBSNPFDSWJGZAWXNLGDPFDPO/invite HTTP/1.1
{"recipients":[{"email":"reviewers@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/26 08:52:41 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "displayName": "Reviewers Members"
                }
            }
        }
    ]
}

2025/03/26 08:52:41 DEBUG : GET /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM6YFBSNPFDSWJGZAWXNLGDPFDPO/permissions HTTP/1.1
2025/03/26 08:52:41 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-')/items('01N4X3HM6YFBSNPFDSWJGZAWXNLGDPFDPO')/permissions",
    "value": [{
            "id": "aTowIy5mfG1lbWJlcnNoaXB8YW5naWUuc2NvdHRAY2RzY29uc3VsdGluZy5vcmc",
            "roles": ["write"],
            "shareId": "aTowIy5mfG1lbWJlcnNoaXB8YW5naWUuc2NvdHRAY2RzY29uc3VsdGluZy5vcmc",
            "grantedToV2": {
                "user": {
                    "@odata.type": "#microsoft.graph.sharePointIdentity",
                    "displayName": "Angie Scott",
                    "email": "angie@cdsconsulting.org",
                    "id": "4b9c56cb-83b3-4b1a-a66f-5e108a840bf4"
                },
                "siteUser": {
                    "displayName": "Angie Scott",
                    "email": "angie@cdsconsulting.org",
                    "id": "7",
                    "loginName": "i:0#.f|membership|angie.scott@cdsconsulting.org"
                }
            },
            "grantedTo": {
                "user": {
                    "displayName": "Angie Scott",
                    "email": "angie@cdsconsulting.org",
                    "id": "4b9c56cb-83b3-4b1a-a66f-5e108a840bf4"
                }
            }
        }, {
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "shareId": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "grantedToV2": {
                "group": {
                    "@odata.type": "#microsoft.graph.sharePointIdentity",
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "fec23cdf-a6de-4955-adeb-0179365e6b7b"
                },
                "siteUser": {
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "16",
                    "loginName": "c:0o.c|federateddirectoryclaimprovider|fec23cdf-a6de-4955-adeb-0179365e6b7b"
                }
            },
            "grantedTo": {
                "user": {
                    "displayName": "Reviewers Members",
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "id": "fec23cdf-a6de-4955-adeb-0179365e6b7b"
                }
            }
        }, {
            "id": "aTowIy5mfG1lbWJlcnNoaXB8Y2hhZC5zY290dEBjZHNjb25zdWx0aW5nLm9yZw",
            "roles": ["owner"],
            "shareId": "aTowIy5mfG1lbWJlcnNoaXB8Y2hhZC5zY290dEBjZHNjb25zdWx0aW5nLm9yZw",
            "grantedToV2": {
                "user": {
                    "@odata.type": "#microsoft.graph.sharePointIdentity",
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "7ecdcdf3-e69a-4194-8ad8-e290ea289fd5"
                },
                "siteUser": {
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "3",
                    "loginName": "i:0#.f|membership|chad.scott@cdsconsulting.org"
                }
            },
            "grantedTo": {
                "user": {
                    "displayName": "Chad Scott",
                    "email": "chad@cdsconsulting.org",
                    "id": "7ecdcdf3-e69a-4194-8ad8-e290ea289fd5"
                }
            }
        }
    ]
}

[ncw]

@chscott

There is something which is puzzling me above. The POSTs have grantedTo not grantedToV2 like I would expect for a onedrive business. Is that what the metadata mapper is sending?

I think it probably needs to send grantedTo for onedrive personal and grantedToV2 for business, same for grantedToIdentities

[chscott]

The mapper is sending grantedToV2 in both cases. The first line in each pair below is from my code. The second is from rclone.

[1vTdEO9GWMQzHJfN0l3Fcs5SZCvem0-5J] Object to rclone: {"Metadata":{"permissions":"[{\"grantedToV2\":{\"group\":{\"id\":\"reviewers@cdsconsulting.org\"}},\"roles\":[\"write\"]},{\"grantedToV2\":{\"user\":{\"id\":\"angie.scott@cdsconsulting.org\"}},\"roles\":[\"write\"]}]"}}

2025/03/26 08:44:59 DEBUG : Metadata mapper received: 
{"Metadata":{"permissions":"[{\"grantedToV2\":{\"group\":{\"id\":\"reviewers@cdsconsulting.org\"}},\"roles\":[\"write\"]},{\"grantedToV2\":{\"user\":{\"id\":\"angie.scott@cdsconsulting.org\"}},\"roles\":[\"write\"]}]"}}

[1vTdEO9GWMQzHJfN0l3Fcs5SZCvem0-5J] Object to rclone: {"Metadata":{"permissions":"[{\"grantedToV2\":{\"user\":{\"id\":\"angie.scott@cdsconsulting.org\"}},\"roles\":[\"write\"]},{\"grantedToV2\":{\"group\":{\"id\":\"reviewers@cdsconsulting.org\"}},\"roles\":[\"write\"]}]"}}

2025/03/26 08:52:38 DEBUG : Metadata mapper received: 
{"Metadata":{"permissions":"[{\"grantedToV2\":{\"user\":{\"id\":\"angie.scott@cdsconsulting.org\"}},\"roles\":[\"write\"]},{\"grantedToV2\":{\"group\":{\"id\":\"reviewers@cdsconsulting.org\"}},\"roles\":[\"write\"]}]"}}

[ncw]

Yes I see the mapper is sending grantedToV2 now, sorry.

What is confusing me is this which appears to send or receive grantedTo not grantedToV2. I'm not sure whether rclone is sending this or receiving this though.

Can you send me what rclone sent and what it received from onedrive for this call? I want to know if rclone sent grantedTo rather than grantedToV2 but I don't think that is in your log.

The reason I'm worried about this is that we sort the entries according to grantedTo or grantedToV2 depending on personal or business onedrive and if rclone is confused about which it should be using then the sorting will go wrong.

2025/03/26 08:45:01 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM36IPUADM7D4RGLAYEKM2E5HS52/invite HTTP/1.1
{"recipients":[{"email":"reviewers@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/26 08:45:02 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "displayName": "Reviewers Members"
                }
            }
        }
    ]
}

Thank you

[chscott]

@ncw Do you want data different from what is in #8465 (comment), or is that what you're looking for?

2025/03/26 08:44:59 DEBUG : Metadata mapper sent: 
{
	"SrcFs": "Source{UEqtu}:Test",
	"SrcFsType": "drive",
	"DstFs": "Target{VZpyf}:Test",
	"DstFsType": "onedrive",
	"Remote": "sample.txt",
	"Size": 22,
	"MimeType": "text/plain",
	"ModTime": "2025-03-26T13:41:56.572Z",
	"IsDir": false,
	"ID": "1vTdEO9GWMQzHJfN0l3Fcs5SZCvem0-5J",
	"Metadata": {
		"btime": "2025-03-25T20:30:38.560Z",
		"content-type": "text/plain",
		"copy-requires-writer-permission": "false",
		"mtime": "2025-03-26T13:41:56.572Z",
		"owner": "chad@cdsconsulting.co",
		"permissions": "[{\"emailAddress\":\"reviewers@cdsconsulting.co\",\"id\":\"09466358200964241419\",\"role\":\"writer\",\"type\":\"group\"},{\"emailAddress\":\"angie@cdsconsulting.co\",\"id\":\"14885772533033484759\",\"role\":\"writer\",\"type\":\"user\"},{\"emailAddress\":\"chad@cdsconsulting.co\",\"id\":\"09287294999424909072\",\"role\":\"owner\",\"type\":\"user\"}]",
		"starred": "false",
		"viewed-by-me": "true",
		"writers-can-share": "true"
	}
}
2025/03/26 08:44:59 DEBUG : Metadata mapper received: 
{"Metadata":{"permissions":"[{\"grantedToV2\":{\"group\":{\"id\":\"reviewers@cdsconsulting.org\"}},\"roles\":[\"write\"]},{\"grantedToV2\":{\"user\":{\"id\":\"angie.scott@cdsconsulting.org\"}},\"roles\":[\"write\"]}]"}}

2025/03/26 08:45:01 DEBUG : POST /v1.0/drives/b!ssbqQHJ0v0Ki4mBGkrRBXWvDWPc3piNIl8WI29g4XaD8jOMrJ7J6RKVhFAqRVq5-/items/01N4X3HM36IPUADM7D4RGLAYEKM2E5HS52/invite HTTP/1.1
{"recipients":[{"email":"reviewers@cdsconsulting.org"}],"requireSignIn":true,"roles":["write"]}
2025/03/26 08:45:02 DEBUG : HTTP/2.0 200 OK
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)",
    "value": [{
            "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ZmVjMjNjZGYtYTZkZS00OTU1LWFkZWItMDE3OTM2NWU2Yjdi",
            "roles": ["write"],
            "grantedTo": {
                "user": {
                    "email": "reviewers@cdsconsultingllc.onmicrosoft.com",
                    "displayName": "Reviewers Members"
                }
            }
        }
    ]
}

[ncw]

I'd like to see what rclone sent if possible - I think (but I'm not 100% sure) that the above is what onedrive sent. That will need --dump bodies. Thanks

[chscott]

A full log is attached. I think the bit you're looking for is here:

2025/04/01 08:38:01 DEBUG : HTTP REQUEST (req 0xc000755180)
2025/04/01 08:38:01 DEBUG : POST /v1.0/drives/b!RI7jTE_7VEWvQfQFOGxQOFg6zGE89vBPg_ISUx_CLGNzm-ky8cLeQrzJ6fhJvcxd/items/014TQUZBEF3KFB577R5NBYOXBGZ4XPB5MR/invite HTTP/1.1
Host: graph.microsoft.com
User-Agent: ISV|Transend Corporation|TMCTools/1.0
Content-Length: 109
Authorization: Bearer REDACTED
Content-Type: application/json
Accept-Encoding: gzip

{"recipients":[{"email":"reviewers@transendtesting.onmicrosoft.com"}],"requireSignIn":true,"roles":["write"]}
2025/04/01 08:38:01 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2025/04/01 08:38:01 INFO  : 2025/04/01 08:38:01 -          22 B / 22 B, 100%, 5 B/s, ETA 0s
2025/04/01 08:38:03 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2025/04/01 08:38:03 DEBUG : HTTP RESPONSE (req 0xc000755180)
2025/04/01 08:38:03 DEBUG : HTTP/2.0 200 OK
Cache-Control: no-store, no-cache
Client-Request-Id: 16529a50-207d-4857-9076-f775d96f256d
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Tue, 01 Apr 2025 13:38:02 GMT
Deprecation: Fri, 03 Sep 2021 23:59:59 GMT
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=v1.0,Removal&from=2021-09-01&to=2021-10-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=v1.0,Removal&from=2021-09-01&to=2021-10-01>;rel="deprecation";type="text/html"
Location: https://graph.microsoft.com
Odata-Version: 4.0
Request-Id: 16529a50-207d-4857-9076-f775d96f256d
Strict-Transport-Security: max-age=31536000
Sunset: Sun, 01 Oct 2023 23:59:59 GMT
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SA2PEPF00002E05"}}

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.permission)","value":[{"id":"Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ODVhZDY2ZTItYzJlYS00ZTMxLWEwNjQtMmU5NThlZGVjYzNm","roles":["write"],"grantedTo":{"user":{"email":"reviewers@transendtesting.onmicrosoft.com","displayName":"Reviewers Members"}}}]}

I believe what we are seeing was raised as an issue in https://learn.microsoft.com/en-us/answers/questions/1332382/microsoft-graph-api-drives-((drive-id))-items-((it, though I suspect grantedTo/grantedToV2 in the response is more of a quirk than the problem. The Microsoft answer linking to further discussion on that point doesn't seem related to the problem. I think the actual issue is described in Ed Freeman's response:

In my case, I deduced that it was because the user/group I was trying to assign permissions already had permissions on the item through some other means.

I think this is a bug on the Microsoft side, but the workaround of adding users before groups will help mitigate it, with no real downside I can think of. Presumably, there will still be cases that can be impacted, like groups that contain other groups.

chad@cdsconsulting.co.log

[ncw]

Thanks for that. I think you are right the grantedTo/grantedToV2 response is a quirk. I just checked the code and we don't actually use those returns for anything so I'm not too worried about it.

I've just been through the log you sent.

It looks like the user was sent before the group even though the metadata mapper sent them the other way round.

2025/04/01 08:38:01 DEBUG : POST /v1.0/drives/b!RI7jTE_7VEWvQfQFOGxQOFg6zGE89vBPg_ISUx_CLGNzm-ky8cLeQrzJ6fhJvcxd/items/014TQUZBEF3KFB577R5NBYOXBGZ4XPB5MR/invite HTTP/1.1
Host: graph.microsoft.com
User-Agent: ISV|Transend Corporation|TMCTools/1.0
Content-Length: 106
Authorization: Bearer REDACTED
Content-Type: application/json
Accept-Encoding: gzip

{
  "recipients": [
    {
      "email": "cuser2@transendtesting.onmicrosoft.com"
    }
  ],
  "requireSignIn": true,
  "roles": [
    "write"
  ]
}

is followed by

2025/04/01 08:38:01 DEBUG : POST /v1.0/drives/b!RI7jTE_7VEWvQfQFOGxQOFg6zGE89vBPg_ISUx_CLGNzm-ky8cLeQrzJ6fhJvcxd/items/014TQUZBEF3KFB577R5NBYOXBGZ4XPB5MR/invite HTTP/1.1
Host: graph.microsoft.com
User-Agent: ISV|Transend Corporation|TMCTools/1.0
Content-Length: 109
Authorization: Bearer REDACTED
Content-Type: application/json
Accept-Encoding: gzip

{
  "recipients": [
    {
      "email": "reviewers@transendtesting.onmicrosoft.com"
    }
  ],
  "requireSignIn": true,
  "roles": [
    "write"
  ]
}

So in this case the new code appears to have done its job.

Both the users are visible in the final output

Final output

```json { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21RI7jTE_7VEWvQfQFOGxQOFg6zGE89vBPg_ISUx_CLGNzm-ky8cLeQrzJ6fhJvcxd')/items('014TQUZBEF3KFB577R5NBYOXBGZ4XPB5MR')/permissions", "value": [ { "id": "aTowIy5mfG1lbWJlcnNoaXB8Y3VzZXIyQHRyYW5zZW5kdGVzdGluZy5vbm1pY3Jvc29mdC5jb20", "roles": [ "write" ], "shareId": "aTowIy5mfG1lbWJlcnNoaXB8Y3VzZXIyQHRyYW5zZW5kdGVzdGluZy5vbm1pY3Jvc29mdC5jb20", "grantedToV2": { "user": { "@odata.type": "#microsoft.graph.sharePointIdentity", "displayName": "Cloud User2", "email": "cuser2@transendtesting.onmicrosoft.com", "id": "57c26025-316f-4a71-a464-bf3adb0a6ac4" }, "siteUser": { "displayName": "Cloud User2", "email": "cuser2@transendtesting.onmicrosoft.com", "id": "7", "loginName": "i:0#.f|membership|cuser2@transendtesting.onmicrosoft.com" } }, "grantedTo": { "user": { "displayName": "Cloud User2", "email": "cuser2@transendtesting.onmicrosoft.com", "id": "57c26025-316f-4a71-a464-bf3adb0a6ac4" } } }, { "id": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ODVhZDY2ZTItYzJlYS00ZTMxLWEwNjQtMmU5NThlZGVjYzNm", "roles": [ "write" ], "shareId": "Yzowby5jfGZlZGVyYXRlZGRpcmVjdG9yeWNsYWltcHJvdmlkZXJ8ODVhZDY2ZTItYzJlYS00ZTMxLWEwNjQtMmU5NThlZGVjYzNm", "grantedToV2": { "group": { "@odata.type": "#microsoft.graph.sharePointIdentity", "displayName": "Reviewers Members", "email": "reviewers@transendtesting.onmicrosoft.com", "id": "85ad66e2-c2ea-4e31-a064-2e958edecc3f" }, "siteUser": { "displayName": "Reviewers Members", "email": "reviewers@transendtesting.onmicrosoft.com", "id": "8", "loginName": "c:0o.c|federateddirectoryclaimprovider|85ad66e2-c2ea-4e31-a064-2e958edecc3f" } }, "grantedTo": { "user": { "displayName": "Reviewers Members", "email": "reviewers@transendtesting.onmicrosoft.com", "id": "85ad66e2-c2ea-4e31-a064-2e958edecc3f" } } }, { "id": "aTowIy5mfG1lbWJlcnNoaXB8Y3VzZXIxQHRyYW5zZW5kdGVzdGluZy5vbm1pY3Jvc29mdC5jb20", "roles": [ "owner" ], "shareId": "aTowIy5mfG1lbWJlcnNoaXB8Y3VzZXIxQHRyYW5zZW5kdGVzdGluZy5vbm1pY3Jvc29mdC5jb20", "grantedToV2": { "user": { "@odata.type": "#microsoft.graph.sharePointIdentity", "displayName": "Cloud User1", "email": "cuser1@transendtesting.onmicrosoft.com", "id": "e05ce5e6-bd01-4a63-981f-23719dc7e625" }, "siteUser": { "displayName": "Cloud User1", "email": "cuser1@transendtesting.onmicrosoft.com", "id": "3", "loginName": "i:0#.f|membership|cuser1@transendtesting.onmicrosoft.com" } }, "grantedTo": { "user": { "displayName": "Cloud User1", "email": "cuser1@transendtesting.onmicrosoft.com", "id": "e05ce5e6-bd01-4a63-981f-23719dc7e625" } } } ] } ```

What do you think @chscott did the new code work OK in this circumstance? If so why didn't it work above? 😕

[chscott]

In the most recent test, I was only trying to get the requests and responses, so I didn't back out my code change to return the permissions to Rclone in sorted (users, then groups) order. When I remove that change, the results I get are as in #8465 (comment).