Construct XML to Update Access Control Lists

To update the Access Control Lists (ACLs) of items in OneDrive, you must construct XML that specifies the identifiers of the items to update and describes how to change each item's ACL. The overall structure is:

<identifiersXML>
    <identifier value="...">
        <acl_update>
            ...
        </acl_update> 
    </identifier> 
</identifiersXML>

In the identifier value attribute, replace "..." with the document identifier of the item that you want to update. A document identifier can be found in the AUTN_IDENTIFIER field of an indexed document; use the value exactly as it appears there. If the value contains characters that are special in XML attributes (such as & or "), escape them so that the document remains well-formed.

You can update the ACLs of several items by including more than one identifier element in your XML:

<identifiersXML>
    <identifier value="...">
        <acl_update>
            ...
        </acl_update>
    </identifier>
    <identifier value="...">
        <acl_update>
            ...
        </acl_update>
    </identifier>
</identifiersXML>

The following table describes the XML element that you can use in the acl_update element to specify how to change the ACL.

XML Element: <ace action="...">
Permitted Occurrences: 0 or more
Description: Add or remove an entry (ACE) from the ACL. The action attribute is required and accepts the value add or remove.

The following child elements must all appear exactly once inside each ace element:

  • principal - the user or group whose permissions you want to modify in the ACL. The value you set must correspond to principalType.
  • principalType - the type of principal specified by the principal element:
    • Email - an e-mail address.
    • UserId - a user ID.
  • level - a comma-separated list of permissions to add or remove:
    • read
    • write
    • * - all permissions; allowed only when removing permissions (action="remove").

NOTE: To grant a user write permission, the user must already have read permission. If this is not the case, you must grant both read and write in the same ace element (level read,write).

The following example demonstrates how to change the ACL for an item in OneDrive. It makes the following changes:

  • removes all permissions from someuser@mydomain.com
  • grants read and write permissions to otheruser@mydomain.com
  • grants read permission to the user with ID 123456ABCD

<identifiersXML>
    <identifier value="BASE64IDENTIFIER==">
        <acl_update>
            <ace action="remove">
                <principal>someuser@mydomain.com</principal>
                <principalType>Email</principalType>
                <level>*</level>
            </ace>
            <ace action="add">
                <principal>otheruser@mydomain.com</principal>
                <principalType>Email</principalType>
                <level>read,write</level>
            </ace>
            <ace action="add">
                <principal>123456ABCD</principal>
                <principalType>UserId</principalType>
                <level>read</level>
            </ace>
        </acl_update>
    </identifier>
</identifiersXML>
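The following Python script is an added example, not code from the original page or from the OneDrive connector itself. It builds the identifiersXML document with the standard library's ElementTree (so attribute values such as the identifier are escaped automatically) and enforces the rules from the table above before anything is sent: action must be add or remove, principalType must be Email or UserId, level entries must be read, write or *, * is accepted only on remove, and an add of write without read is rejected unless the caller states that the principal already has read. The placeholder identifier BASE64IDENTIFIER== and the e-mail addresses are taken from the example above; the check that an Email principal contains "@" and the refusal to combine * with named levels are this script's own assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Iterable

ACTIONS = {"add", "remove"}
PRINCIPAL_TYPES = {"Email", "UserId"}
LEVELS = {"read", "write", "*"}


def make_ace(action: str, principal: str, principal_type: str,
             levels: Iterable[str], already_has_read: bool = False) -> ET.Element:
    """Build one <ace> element, enforcing the rules from the table above."""
    levels = [lv.strip() for lv in levels]
    if action not in ACTIONS:
        raise ValueError(f"action must be add or remove, got {action!r}")
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"principalType must be Email or UserId, got {principal_type!r}")
    if principal_type == "Email" and "@" not in principal:
        # Assumption (local sanity check): an Email principal should look like an address.
        raise ValueError(f"Email principal does not look like an address: {principal!r}")
    if not levels:
        raise ValueError("level must contain at least one permission")
    unknown = set(levels) - LEVELS
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    if "*" in levels:
        if action != "remove":
            raise ValueError("'*' is permitted only when removing permissions")
        if len(levels) != 1:
            # Assumption: '*' already covers everything, so mixing it with named levels is rejected.
            raise ValueError("'*' cannot be combined with other permissions")
    if action == "add" and "write" in levels and "read" not in levels and not already_has_read:
        raise ValueError("write requires read: grant read,write unless the principal already has read")

    ace = ET.Element("ace", {"action": action})
    ET.SubElement(ace, "principal").text = principal
    ET.SubElement(ace, "principalType").text = principal_type
    ET.SubElement(ace, "level").text = ",".join(levels)
    return ace


def ace_is_valid(*args, **kwargs) -> bool:
    """True if make_ace accepts the arguments; used for pre-flight checks."""
    try:
        make_ace(*args, **kwargs)
        return True
    except ValueError:
        return False


def build_identifiers_xml(updates: dict[str, list[ET.Element]]) -> str:
    """updates maps an AUTN_IDENTIFIER value to the <ace> elements for that item."""
    root = ET.Element("identifiersXML")
    for identifier, aces in updates.items():
        if not identifier:
            raise ValueError("identifier value must not be empty")
        # ElementTree escapes &, < and " in the attribute value for us.
        ident = ET.SubElement(root, "identifier", {"value": identifier})
        acl_update = ET.SubElement(ident, "acl_update")
        for ace in aces:
            acl_update.append(ace)
    ET.indent(root)  # pretty-print; requires Python 3.9+
    return ET.tostring(root, encoding="unicode")


def example_document() -> str:
    """The three changes of the worked example above, for the placeholder identifier."""
    aces = [
        make_ace("remove", "someuser@mydomain.com", "Email", ["*"]),
        make_ace("add", "otheruser@mydomain.com", "Email", ["read", "write"]),
        make_ace("add", "123456ABCD", "UserId", ["read"]),
    ]
    return build_identifiers_xml({"BASE64IDENTIFIER==": aces})


def count_aces(xml_text: str) -> dict[str, int]:
    """Parse a finished document back and count ACEs per action (a cheap self-check)."""
    root = ET.fromstring(xml_text)
    counts = {"add": 0, "remove": 0}
    for ace in root.iter("ace"):
        counts[ace.get("action")] += 1
    return counts


if __name__ == "__main__":
    print(example_document())
```

Running the script prints a document equivalent to the example above. Because the validation runs before serialisation, a mistake such as level="*" on an add, or granting write to a principal that does not yet have read, fails locally instead of producing a document that the connector may reject or, worse, apply differently from what you intended.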