Cree un nuevo accessPackageResourceRoleScope para agregar un rol de recurso a un paquete de acceso. El recurso del paquete de acceso, para un grupo, una aplicación o un sitio de SharePoint Online, ya debe existir en el catálogo de paquetes de acceso y el originId para el rol de recurso recuperado de la lista de roles de recursos. Una vez que agregue el ámbito del rol de recurso al paquete de acceso, el usuario recibirá este rol de recurso a través de cualquier asignación de paquete de acceso actual y futura.
Elija el permiso o los permisos marcados como con privilegios mínimos para esta API. Use un permiso o permisos con privilegios superiores solo si la aplicación lo requiere. Para obtener más información sobre los permisos delegados y de aplicación, consulte Tipos de permisos. Para obtener más información sobre estos permisos, consulte la referencia de permisos.
Tipo de permiso
Permisos con privilegios mínimos
Permisos con privilegios más altos
Delegado (cuenta profesional o educativa)
EntitlementManagement.ReadWrite.All
No disponible.
Delegado (cuenta personal de Microsoft)
No admitida.
No admitida.
Aplicación
EntitlementManagement.ReadWrite.All
No disponible.
Sugerencia
En escenarios delegados con cuentas profesionales o educativas, al usuario que ha iniciado sesión también se le debe asignar un rol de administrador con permisos de rol admitidos mediante una de las siguientes opciones:
En escenarios de solo aplicación, se puede asignar a la aplicación que realiza la llamada uno de los roles admitidos anteriores en lugar del permiso de EntitlementManagement.ReadWrite.All aplicación. El rol administrador de paquetes de Access tiene menos privilegios que el permiso de aplicación EntitlementManagement.ReadWrite.All .
Si se ejecuta correctamente, este método devuelve un código de respuesta de la serie 200 y un nuevo objeto accessPackageResourceRoleScope en el cuerpo de la respuesta.
Ejemplos
Ejemplo 1: Agregar un rol de sitio de SharePoint Online a un paquete de acceso
Solicitud
En el ejemplo siguiente se muestra una solicitud que agrega un rol de sitio de SharePoint Online a la lista de roles de recursos de un paquete de acceso. El recurso de paquete de acceso para el sitio ya debe haberse agregado al catálogo de paquetes de acceso que contiene este paquete de acceso.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AccessPackageResourceRoleScope
{
Role = new AccessPackageResourceRole
{
DisplayName = "Contributors",
OriginSystem = "SharePointOnline",
OriginId = "4",
Resource = new AccessPackageResource
{
Id = "53c71803-a0a8-4777-aecc-075de8ee3991",
},
},
Scope = new AccessPackageResourceScope
{
DisplayName = "Root",
Description = "Root Scope",
OriginId = "https://contoso.sharepoint.com/portals/Community",
OriginSystem = "SharePointOnline",
IsRootScope = true,
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].ResourceRoleScopes.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessPackageResourceRoleScope accessPackageResourceRoleScope = new AccessPackageResourceRoleScope();
AccessPackageResourceRole role = new AccessPackageResourceRole();
role.setDisplayName("Contributors");
role.setOriginSystem("SharePointOnline");
role.setOriginId("4");
AccessPackageResource resource = new AccessPackageResource();
resource.setId("53c71803-a0a8-4777-aecc-075de8ee3991");
role.setResource(resource);
accessPackageResourceRoleScope.setRole(role);
AccessPackageResourceScope scope = new AccessPackageResourceScope();
scope.setDisplayName("Root");
scope.setDescription("Root Scope");
scope.setOriginId("https://contoso.sharepoint.com/portals/Community");
scope.setOriginSystem("SharePointOnline");
scope.setIsRootScope(true);
accessPackageResourceRoleScope.setScope(scope);
AccessPackageResourceRoleScope result = graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").resourceRoleScopes().post(accessPackageResourceRoleScope);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AccessPackageResourceRoleScope;
use Microsoft\Graph\Generated\Models\AccessPackageResourceRole;
use Microsoft\Graph\Generated\Models\AccessPackageResource;
use Microsoft\Graph\Generated\Models\AccessPackageResourceScope;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessPackageResourceRoleScope();
$role = new AccessPackageResourceRole();
$role->setDisplayName('Contributors');
$role->setOriginSystem('SharePointOnline');
$role->setOriginId('4');
$roleResource = new AccessPackageResource();
$roleResource->setId('53c71803-a0a8-4777-aecc-075de8ee3991');
$role->setResource($roleResource);
$requestBody->setRole($role);
$scope = new AccessPackageResourceScope();
$scope->setDisplayName('Root');
$scope->setDescription('Root Scope');
$scope->setOriginId('https://contoso.sharepoint.com/portals/Community');
$scope->setOriginSystem('SharePointOnline');
$scope->setIsRootScope(true);
$requestBody->setScope($scope);
$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->byAccessPackageId('accessPackage-id')->resourceRoleScopes()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.access_package_resource_role_scope import AccessPackageResourceRoleScope
from msgraph.generated.models.access_package_resource_role import AccessPackageResourceRole
from msgraph.generated.models.access_package_resource import AccessPackageResource
from msgraph.generated.models.access_package_resource_scope import AccessPackageResourceScope
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRoleScope(
role = AccessPackageResourceRole(
display_name = "Contributors",
origin_system = "SharePointOnline",
origin_id = "4",
resource = AccessPackageResource(
id = "53c71803-a0a8-4777-aecc-075de8ee3991",
),
),
scope = AccessPackageResourceScope(
display_name = "Root",
description = "Root Scope",
origin_id = "https://contoso.sharepoint.com/portals/Community",
origin_system = "SharePointOnline",
is_root_scope = True,
),
)
result = await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').resource_role_scopes.post(request_body)
Ejemplo 2: Agregar un rol de aplicación a un paquete de acceso
Solicitud
En el ejemplo siguiente se muestra una solicitud que agrega el rol de una aplicación a la lista de roles de recursos de un paquete de acceso. El recurso de paquete de acceso para la aplicación ya debe haberse agregado al catálogo de paquetes de acceso que contiene este paquete de acceso. y roleresourcescope se puede obtener mediante una lista de los recursos de un catálogo.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AccessPackageResourceRoleScope
{
Role = new AccessPackageResourceRole
{
Id = "cde82ecb-e461-496b-98fb-4f807c7ca640",
DisplayName = "Standard User",
Description = "Standard User",
OriginSystem = "AadApplication",
OriginId = "a29a7690-b3c4-4ed5-96c6-f640cde06fb8",
Resource = new AccessPackageResource
{
Id = "5f80c0c7-a180-4521-b585-18200048a0d8",
OriginId = "e81d7f57-0840-45e1-894b-f505c1bdcc1f",
OriginSystem = "AadApplication",
},
},
Scope = new AccessPackageResourceScope
{
Id = "dbeb8772-9907-4e95-a28e-a8d70dbcda69",
OriginId = "e81d7f57-0840-45e1-894b-f505c1bdcc1f",
OriginSystem = "AadApplication",
IsRootScope = true,
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].ResourceRoleScopes.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessPackageResourceRoleScope accessPackageResourceRoleScope = new AccessPackageResourceRoleScope();
AccessPackageResourceRole role = new AccessPackageResourceRole();
role.setId("cde82ecb-e461-496b-98fb-4f807c7ca640");
role.setDisplayName("Standard User");
role.setDescription("Standard User");
role.setOriginSystem("AadApplication");
role.setOriginId("a29a7690-b3c4-4ed5-96c6-f640cde06fb8");
AccessPackageResource resource = new AccessPackageResource();
resource.setId("5f80c0c7-a180-4521-b585-18200048a0d8");
resource.setOriginId("e81d7f57-0840-45e1-894b-f505c1bdcc1f");
resource.setOriginSystem("AadApplication");
role.setResource(resource);
accessPackageResourceRoleScope.setRole(role);
AccessPackageResourceScope scope = new AccessPackageResourceScope();
scope.setId("dbeb8772-9907-4e95-a28e-a8d70dbcda69");
scope.setOriginId("e81d7f57-0840-45e1-894b-f505c1bdcc1f");
scope.setOriginSystem("AadApplication");
scope.setIsRootScope(true);
accessPackageResourceRoleScope.setScope(scope);
AccessPackageResourceRoleScope result = graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").resourceRoleScopes().post(accessPackageResourceRoleScope);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.access_package_resource_role_scope import AccessPackageResourceRoleScope
from msgraph.generated.models.access_package_resource_role import AccessPackageResourceRole
from msgraph.generated.models.access_package_resource import AccessPackageResource
from msgraph.generated.models.access_package_resource_scope import AccessPackageResourceScope
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRoleScope(
role = AccessPackageResourceRole(
id = "cde82ecb-e461-496b-98fb-4f807c7ca640",
display_name = "Standard User",
description = "Standard User",
origin_system = "AadApplication",
origin_id = "a29a7690-b3c4-4ed5-96c6-f640cde06fb8",
resource = AccessPackageResource(
id = "5f80c0c7-a180-4521-b585-18200048a0d8",
origin_id = "e81d7f57-0840-45e1-894b-f505c1bdcc1f",
origin_system = "AadApplication",
),
),
scope = AccessPackageResourceScope(
id = "dbeb8772-9907-4e95-a28e-a8d70dbcda69",
origin_id = "e81d7f57-0840-45e1-894b-f505c1bdcc1f",
origin_system = "AadApplication",
is_root_scope = True,
),
)
result = await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').resource_role_scopes.post(request_body)
Ejemplo 3: Agregar pertenencia a grupos a un paquete de acceso
Solicitud
En el ejemplo siguiente se muestra una solicitud que agrega la pertenencia de un grupo a la lista de roles de recursos de un paquete de acceso. El recurso de paquete de acceso para el grupo ya debe haberse agregado al catálogo de paquetes de acceso que contiene este paquete de acceso. y roleresourcescope se puede obtener mediante una lista de los recursos de un catálogo.
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages/cdd5f06b-752a-4c9f-97a6-82f4eda6c76d/resourceRoleScopes
Content-type: application/json
{
"role": {
"id": "748f8431-c7c6-404d-8564-df67aa8cfc5e",
"displayName": "Member",
"originSystem": "AadGroup",
"originId": "Member_0282e19d-bf41-435d-92a4-99bab93af305",
"resource": {
"id": "b16e0e71-17b4-4ebd-a3cd-8a468542e418",
"displayName": "example group",
"description": "a group whose members are to be assigned via an access package",
"originId": "0282e19d-bf41-435d-92a4-99bab93af305",
"originSystem": "AadGroup"
}
},
"scope": {
"id": "83b3e3e9-c8b3-481b-ad80-53e29d1eda9c",
"displayName": "Root",
"description": "Root Scope",
"originId": "0282e19d-bf41-435d-92a4-99bab93af305",
"originSystem": "AadGroup",
"isRootScope": true
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AccessPackageResourceRoleScope
{
Role = new AccessPackageResourceRole
{
Id = "748f8431-c7c6-404d-8564-df67aa8cfc5e",
DisplayName = "Member",
OriginSystem = "AadGroup",
OriginId = "Member_0282e19d-bf41-435d-92a4-99bab93af305",
Resource = new AccessPackageResource
{
Id = "b16e0e71-17b4-4ebd-a3cd-8a468542e418",
DisplayName = "example group",
Description = "a group whose members are to be assigned via an access package",
OriginId = "0282e19d-bf41-435d-92a4-99bab93af305",
OriginSystem = "AadGroup",
},
},
Scope = new AccessPackageResourceScope
{
Id = "83b3e3e9-c8b3-481b-ad80-53e29d1eda9c",
DisplayName = "Root",
Description = "Root Scope",
OriginId = "0282e19d-bf41-435d-92a4-99bab93af305",
OriginSystem = "AadGroup",
IsRootScope = true,
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].ResourceRoleScopes.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessPackageResourceRoleScope accessPackageResourceRoleScope = new AccessPackageResourceRoleScope();
AccessPackageResourceRole role = new AccessPackageResourceRole();
role.setId("748f8431-c7c6-404d-8564-df67aa8cfc5e");
role.setDisplayName("Member");
role.setOriginSystem("AadGroup");
role.setOriginId("Member_0282e19d-bf41-435d-92a4-99bab93af305");
AccessPackageResource resource = new AccessPackageResource();
resource.setId("b16e0e71-17b4-4ebd-a3cd-8a468542e418");
resource.setDisplayName("example group");
resource.setDescription("a group whose members are to be assigned via an access package");
resource.setOriginId("0282e19d-bf41-435d-92a4-99bab93af305");
resource.setOriginSystem("AadGroup");
role.setResource(resource);
accessPackageResourceRoleScope.setRole(role);
AccessPackageResourceScope scope = new AccessPackageResourceScope();
scope.setId("83b3e3e9-c8b3-481b-ad80-53e29d1eda9c");
scope.setDisplayName("Root");
scope.setDescription("Root Scope");
scope.setOriginId("0282e19d-bf41-435d-92a4-99bab93af305");
scope.setOriginSystem("AadGroup");
scope.setIsRootScope(true);
accessPackageResourceRoleScope.setScope(scope);
AccessPackageResourceRoleScope result = graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").resourceRoleScopes().post(accessPackageResourceRoleScope);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AccessPackageResourceRoleScope;
use Microsoft\Graph\Generated\Models\AccessPackageResourceRole;
use Microsoft\Graph\Generated\Models\AccessPackageResource;
use Microsoft\Graph\Generated\Models\AccessPackageResourceScope;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessPackageResourceRoleScope();
$role = new AccessPackageResourceRole();
$role->setId('748f8431-c7c6-404d-8564-df67aa8cfc5e');
$role->setDisplayName('Member');
$role->setOriginSystem('AadGroup');
$role->setOriginId('Member_0282e19d-bf41-435d-92a4-99bab93af305');
$roleResource = new AccessPackageResource();
$roleResource->setId('b16e0e71-17b4-4ebd-a3cd-8a468542e418');
$roleResource->setDisplayName('example group');
$roleResource->setDescription('a group whose members are to be assigned via an access package');
$roleResource->setOriginId('0282e19d-bf41-435d-92a4-99bab93af305');
$roleResource->setOriginSystem('AadGroup');
$role->setResource($roleResource);
$requestBody->setRole($role);
$scope = new AccessPackageResourceScope();
$scope->setId('83b3e3e9-c8b3-481b-ad80-53e29d1eda9c');
$scope->setDisplayName('Root');
$scope->setDescription('Root Scope');
$scope->setOriginId('0282e19d-bf41-435d-92a4-99bab93af305');
$scope->setOriginSystem('AadGroup');
$scope->setIsRootScope(true);
$requestBody->setScope($scope);
$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->byAccessPackageId('accessPackage-id')->resourceRoleScopes()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.access_package_resource_role_scope import AccessPackageResourceRoleScope
from msgraph.generated.models.access_package_resource_role import AccessPackageResourceRole
from msgraph.generated.models.access_package_resource import AccessPackageResource
from msgraph.generated.models.access_package_resource_scope import AccessPackageResourceScope
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRoleScope(
role = AccessPackageResourceRole(
id = "748f8431-c7c6-404d-8564-df67aa8cfc5e",
display_name = "Member",
origin_system = "AadGroup",
origin_id = "Member_0282e19d-bf41-435d-92a4-99bab93af305",
resource = AccessPackageResource(
id = "b16e0e71-17b4-4ebd-a3cd-8a468542e418",
display_name = "example group",
description = "a group whose members are to be assigned via an access package",
origin_id = "0282e19d-bf41-435d-92a4-99bab93af305",
origin_system = "AadGroup",
),
),
scope = AccessPackageResourceScope(
id = "83b3e3e9-c8b3-481b-ad80-53e29d1eda9c",
display_name = "Root",
description = "Root Scope",
origin_id = "0282e19d-bf41-435d-92a4-99bab93af305",
origin_system = "AadGroup",
is_root_scope = True,
),
)
result = await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').resource_role_scopes.post(request_body)