none
Sharepoint Online Search CSOM/REST switch user RRS feed

  • Question

  • Hi,

    I want to query Sharepoint Online search with our custom search solution, as SP Online content is just a small part of it.
    I created a service that translates the query we use in our system and sends request to SP Online (REST or CSOM API), then parses response and return it in our internal format.

    I have a problem with Security Trimming,. All queries to SP Online are made using Full Access account so everyone gets all the data. Is it possible to impersonate a original user that did the query to get only data accessible by him? I have it as one of search query parameter. Of course I don't know his password.
    Or is it possible to add something to the query or filters that will do the trimming?

    Wednesday, April 13, 2016 12:17 PM

Answers

  • If your Java app is getting invoked from SP-Online, then you'll be able to use "User+Addin" policy and create context on behalf of user logged-in in SP-Online site. When you perform REST search api calls, it should be security trimmed. 

    If your Java app is standalone, then only option is to pass the username and password to create the context, I don't favor that.


    ---
    Rajesh | Blog

    • Marked as answer by MatttH Thursday, April 14, 2016 7:23 PM
    Wednesday, April 13, 2016 10:15 PM

All replies

  • Is it a web service? and do you call the service from a Sharepoint site, the you can try the below Register the app in acs and use client Id and secret In your service, instead of using the service account or elevated account, you need to use user-addin policy. You can find many references on provider hosted app/addin and user-addin policies.
    Wednesday, April 13, 2016 12:58 PM
  • Thanks for reply.

    Well, the SP Online<->our system translator is a Web Service.

    But the search solution is not a Sharepoint, it's written in Java. I am just able to pass username as a parameter.

    Wednesday, April 13, 2016 1:30 PM
  • If your Java app is getting invoked from SP-Online, then you'll be able to use "User+Addin" policy and create context on behalf of user logged-in in SP-Online site. When you perform REST search api calls, it should be security trimmed. 

    If your Java app is standalone, then only option is to pass the username and password to create the context, I don't favor that.


    ---
    Rajesh | Blog

    • Marked as answer by MatttH Thursday, April 14, 2016 7:23 PM
    Wednesday, April 13, 2016 10:15 PM