SPO Powershell Set Permissions Error in RoleDefinitionBindingCollection Call

Question

On Sharepoint Online, using Powershell, I am trying to set list item permissions, and am finding dozens of tutorials that use a RoleDefinitionBindingCollection($ctx) call...

When I do this, though, I get the following error:

New-Object : Cannot find an overload for "RoleDefinitionBindingCollection" and 
the argument count: "1".At 
C:\Users\thebear\Desktop\SEDA\SEDASetIPPermissions.ps1:172 char:31
+ ... entReader = New-Object Microsoft.SharePoint.Client.RoleDefinitionBind ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

I am iterating through Doclib folders, then through the Folder.Files, checking for a value in a custom field, and setting the permissions on the matching items. EDIT: Here is the full code:

# cd 'C:\Users\thebear\Desktop\SEDA'
# .\SEDASetIPPermissions test KLY KLY1

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"  
Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll" 

If($($args.Count) -ne 3) 
{ 
    Write-Host   “Usage: .\SEDASetIPPermissions <'prod' or 'test'> <ProgCode i.e. 'LCL' or 'All'> <IPGroup i.e. 'KLY1' or 'All'>"
    break
}

$Site = if($args[0] -eq 'prod') {'sedasearch'} elseif ($args[0] -eq 'test') {'sedasearchtest'}
$Lib = $args[1]
$IPGroup = $args[2] 


# Get Connected
$Cred = Get-Credential
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $Cred.UserName,         $Cred.Password
$Url = "https://MySite.sharepoint.com/sites/$Site"
Connect-SPOnline -Url $Url -Credentials $Credentials

# Get Client Context
$ctx = Get-SPOContext
$ctx.RequestTimeout = 1000000
$ctx.ExecuteQuery()

# Get Web & Lists
$web = $ctx.Web
$ctx.Load($web)
$ctx.Load($web.Lists)
$ctx.Load($web.RoleDefinitions)
$ctx.ExecuteQuery()
$lists = $web.Lists

# Get Site Groups
$groups = $web.SiteGroups
$ctx.Load($groups)
$ctx.ExecuteQuery()

# Get Target Group
$groupFound = $false
$ScriptStart = Get-Date

foreach ($group in $groups)
{
    if ($group.Title -eq "SEDA Admins")
    {
        $AdminGroupID = $group.Id
    }    
    elseif($group.Title -eq $IPGroup + " Security Group")
    { 
        $groupFound = $true
        $IPGroupID = $group.Id
        Write-Host "`n'$IPGroup Security Group' Found...`n" -ForegroundColor Green
    }
}

if (!$groupFound) { Write-Host "`n'$IPGroup Security Group' NOT Found...`n" -ForegroundColor Red; break }

# Get Target List
$list = $lists.GetByTitle($Lib + " Library")
$ctx.Load($list)
$ctx.Load($list.RootFolder)
$ctx.Load($list.Fields)
$ctx.ExecuteQuery()

if($list -ne $null)
{ "`n'{0}' Found...`n" -f $list.Title | Write-Host -ForegroundColor Green }
else
{ "`n'{0}' NOT Found...`n" -f $list.Title | Write-Host -ForegroundColor Red; break }

# Get List Folders
$folders = $list.RootFolder.Folders 
$ctx.Load($folders)
$ctx.ExecuteQuery()

$folders = $folders | sort Name

# Set Up Group and Admin Permissions (if not already there)
$RoleDefinitions = $web.RoleDefinitions
$ctx.Load($RoleDefinitions)
$ctx.ExecuteQuery()

$foundIPGroupRole = $false
$foundIPAdminRole = $false

foreach ($role in $RoleDefinitions)
{
    if ($role.Name -eq "Read") 
    { 
        $IPGroupRole = $role
        $foundIPGroupRole = $true 
    }
    elseif ($role.Name -eq "Full Control") 
    { 
        $IPAdminRole = $role
        $foundIPAdminRole = $true
    }
}


# Set the permissions for 'IP Group'
$roleAssignmentReader = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($ctx)
$roleAssignmentReader.Add($IPGroupRole)

# Set the permissions for 'IP Admin'
$roleAssignmentAdmin = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($ctx)
$roleAssignmentAdmin.Add($IPAdminRole)


# Set Counters
$FileCount = 0
$FailCount = 0

foreach ($folder in $folders)
{
    $FolderFileCount = 0

    $ctx.Load($folder)
    $ctx.Load($folder.ListItemAllFields)
    $ctx.ExecuteQuery()

    if ($folder.ItemCount -lt 5000)
    {
        $files = $folder.Files
        $ctx.Load($files)
        $ctx.ExecuteQuery()

        "`nProcessing Folder {0}..." -f $folder.Name | Write-Host -ForegroundColor Green

    }
    else
    { "`nFolder {0} Exceeds 5000 Items...`n" -f $folder.Url | Write-Host -ForegroundColor Red; continue }

    foreach ($file in $files)
    {
        $ctx.Load($file)
        $ctx.Load($file.ListItemAllFields)
        $ctx.ExecuteQuery()

        $item = $file.ListItemAllFields
        $ctx.Load($item)
        $ctx.ExecuteQuery()

        $name = $file.Name
        $group = $item.get_item('IPGroup')

        if($group -eq $IPGroup)
        { 
            "`nProcessing File {0}...`n" -f $name | Write-Host -ForegroundColor Green;

            # Break inheritance on the list item and remove existing permissons.
            # NOTE: Use $item.ResetRoleInheritance() to Restore Roll Inheritance
            $item.BreakRoleInheritance($false, $true)

            # Apply the two permission roles to the list item.
            $ctx.Load($item.RoleAssignments.Add($IPGroupID, $roleAssignmentReader))
            $ctx.Load($item.RoleAssignments.Add($AdminGroupID, $roleAssignmentAdmin))

            # Update the list item and execute
            $item.Update()
            $ctx.ExecuteQuery()

            "`nProcessed File {0}...`n" -f $name | Write-Host -ForegroundColor Green;
        }

        $FolderFileCount += 1
        if($FolderFileCount % 1000 -eq 0) { "{0}K" -f ($FolderFileCount/1000).ToString() | Write-Host }
        elseif($FolderFileCount % 100 -eq 0) {Write-Host '*'}
        else {Write-Host -NoNewline '.'}    
    }
}
“`n{0} Files Processed, {1} Error(s), Elapsed Time: {2}" -f $FileCount, $FailCount, $((Get-Date) - $ScriptStart) | Write-Host

$ctx appears to be legit... what else could be causing this error (for a day now)?

Answer 1

This error occurs since RoleDefinitionBindingCollection constructor expects ClientRuntimeContext object but the following line:

$ctx = Get-SPOContext

returns object of OfficeDevPnP.Core.PnPClientContext type. Even though it inherits from ClientRuntimeContext object (PnPClientContext -> ClientContext -> ClientRuntimeContext) it could not be used for instantiating of Microsoft.SharePoint.Client.RoleDefinitionBindingCollection object.

Solution

One option would be to replace the lines:

Connect-SPOnline -Url $Url -Credentials $Credentials
#Get Client Context
$ctx = Get-SPOContext

with

$ctx = Get-Context -WebUrl $Url -UserName $Credentials.UserName -Password $Credentials.Password

where

Function Get-Context([String]$WebUrl,[String]$UserName,[System.Security.SecureString]$Password) {
    $context = New-Object Microsoft.SharePoint.Client.ClientContext($WebUrl)
    $context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($UserName, $Password)
    return $context
}

which returns Microsoft.SharePoint.Client.ClientContext object.

Answer 2

According to this link below. The Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($ctx) is looking for a url as an argument, not a filename. https://msdn.microsoft.com/en-us/library/microsoft.sharepoint.client.roledefinitionbindingcollection.aspx