
class PermissionGrantPolicy

Maturity: 53

A class representing a permission grant policy that specifies conditions under which consent can be granted, using include and exclude condition sets.

File: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/policies/permission_grant.py
Lines: 9 - 46
Complexity: moderate

Purpose

PermissionGrantPolicy represents a permission grant policy in a directory service (likely Microsoft Graph API, which is where the related PermissionGrantConditionSet class is placed). It provides access to the condition sets that determine when consent can be granted. The policy uses an include/exclude model: an event matches the policy only if it matches at least one include condition set and none of the exclude condition sets. This class extends PolicyBase and provides lazy-loaded collections of PermissionGrantConditionSet objects.

Source Code

class PermissionGrantPolicy(PolicyBase):
    """
    A permission grant policy is used to specify the conditions under which consent can be granted.

    A permission grant policy consists of a list of includes condition sets, and a list of excludes condition sets.
    For an event to match a permission grant policy, it must match at least one of the includes conditions sets,
    and none of the excludes condition sets.
    """

    @property
    def excludes(self):
        """
        Condition sets which are excluded in this permission grant policy.
        This navigation is automatically expanded on GET.
        """
        return self.properties.get(
            "excludes",
            EntityCollection(
                self.context,
                PermissionGrantConditionSet,
                ResourcePath("excludes", self.resource_path),
            ),
        )

    @property
    def includes(self):
        """
        Condition sets which are included in this permission grant policy.
        This navigation is automatically expanded on GET.
        """
        return self.properties.get(
            "includes",
            EntityCollection(
                self.context,
                PermissionGrantConditionSet,
                ResourcePath("includes", self.resource_path),
            ),
        )

Parameters

Name Type Default Kind
bases PolicyBase -

Parameter Details

context: The context object required by the parent PolicyBase class, typically containing authentication and connection information for API calls

resource_path: The resource path identifying this policy in the API hierarchy, inherited from PolicyBase

Return Value

Instantiation returns a PermissionGrantPolicy object. The excludes property returns an EntityCollection of PermissionGrantConditionSet objects representing excluded conditions. The includes property returns an EntityCollection of PermissionGrantConditionSet objects representing included conditions. Both properties are lazily loaded and automatically expanded on GET operations.

Class Interface

Methods

@property excludes(self) -> EntityCollection property

Purpose: Returns the collection of condition sets that are excluded in this permission grant policy

Returns: EntityCollection of PermissionGrantConditionSet objects representing excluded conditions. Returns cached value from properties if available, otherwise creates new EntityCollection with resource path 'excludes'

@property includes(self) -> EntityCollection property

Purpose: Returns the collection of condition sets that are included in this permission grant policy

Returns: EntityCollection of PermissionGrantConditionSet objects representing included conditions. Returns cached value from properties if available, otherwise creates new EntityCollection with resource path 'includes'

Attributes

Name | Type | Description | Scope
context | ClientContext | The context object containing authentication and connection information, inherited from PolicyBase | instance
resource_path | ResourcePath | The resource path identifying this policy in the API hierarchy, inherited from PolicyBase | instance
properties | dict | Internal dictionary storing cached property values including excludes and includes collections, inherited from PolicyBase | instance

Dependencies

  • office365.directory.permissions.grants.condition_set
  • office365.directory.policies.base
  • office365.entity_collection
  • office365.runtime.paths.resource_path

Required Imports

from office365.directory.permissions.grants.condition_set import PermissionGrantConditionSet
from office365.directory.policies.base import PolicyBase
from office365.entity_collection import EntityCollection
from office365.runtime.paths.resource_path import ResourcePath

Usage Example

# Assuming you have a configured context object
# Import path follows the file location listed under "File" above
from office365.directory.policies.permission_grant import PermissionGrantPolicy


def print_condition_sets(policy: PermissionGrantPolicy) -> None:
    """Print the ids of the include and exclude condition sets of a loaded policy."""
    # Access included condition sets
    for condition_set in policy.includes:
        print(f"Include condition: {condition_set.id}")

    # Access excluded condition sets
    for condition_set in policy.excludes:
        print(f"Exclude condition: {condition_set.id}")


# Instantiate through parent context (typical usage), then pass the policy in
# policy = context.permission_grant_policies.get_by_id('policy_id')
# print_condition_sets(policy)

# Check if policy matches (conceptual - actual matching logic in backend)
# An event matches if it matches any include AND no excludes

Best Practices

  • Do not instantiate PermissionGrantPolicy directly; obtain instances through the parent context or API client
  • The excludes and includes properties are lazily loaded - they create EntityCollection objects on first access
  • Properties are cached in the internal properties dictionary after first access
  • The policy follows an include/exclude pattern: events must match at least one include condition and zero exclude conditions
  • Both condition set collections are automatically expanded on GET operations, reducing the need for additional API calls
  • Treat this as a read-mostly object - modifications should go through proper API update methods
  • The class inherits from PolicyBase, so all PolicyBase methods and attributes are available
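
The include/exclude rule above as an added example, not code from the office365 package or from this page: a local model for reviewing which consent events a policy would match, plus a check for include sets that restrict nothing. Field names follow the Microsoft Graph permissionGrantConditionSet resource; the event dictionary, the rule that all conditions within one set must hold, and the GUIDs are assumptions.

```python
# Added example: local model of include/exclude matching (the service does the real
# evaluation). The event dict shape and every GUID below are constructed.
WILDCARDS = {"all", "any"}
BLOCKED_APP = "00000000-0000-0000-0000-0000000000bb"  # constructed client app id

def _one(cond, actual):
    # A missing or wildcard condition places no restriction on the event.
    return cond is None or cond in WILDCARDS or cond == actual

def _any_of(conds, actual):
    return not conds or bool(WILDCARDS & set(conds)) or actual in conds

def condition_set_matches(cs, event):
    """Assumed rule: every condition inside one condition set must hold."""
    return bool(
        _one(cs.get("permissionType"), event["permissionType"])
        and _one(cs.get("permissionClassification"), event["permissionClassification"])
        and _one(cs.get("resourceApplication"), event["resourceApplication"])
        and _any_of(cs.get("permissions"), event["permission"])
        and _any_of(cs.get("clientApplicationIds"), event["clientApplicationId"])
        and (not cs.get("clientApplicationsFromVerifiedPublisherOnly")
             or event["clientFromVerifiedPublisher"])
    )

def policy_matches(includes, excludes, event):
    """At least one include condition set matches and no exclude condition set does."""
    included = any(condition_set_matches(cs, event) for cs in includes)
    excluded = any(condition_set_matches(cs, event) for cs in excludes)
    return included and not excluded

def is_unrestricted(cs):
    """Audit check: the set constrains nothing beyond permissionType."""
    scalars = all(cs.get(k) in (None, *WILDCARDS)
                  for k in ("permissionClassification", "resourceApplication"))
    lists = all(not cs.get(k) or WILDCARDS & set(cs[k])
                for k in ("permissions", "clientApplicationIds"))
    return bool(scalars and lists
                and not cs.get("clientApplicationsFromVerifiedPublisherOnly"))

INCLUDES = [{"permissionType": "delegated", "permissionClassification": "low",
             "clientApplicationsFromVerifiedPublisherOnly": True}]
EXCLUDES = [{"permissionType": "delegated", "clientApplicationIds": [BLOCKED_APP]}]

def sample_event(**overrides):
    event = {"permissionType": "delegated", "permissionClassification": "low",
             "resourceApplication": "00000000-0000-0000-0000-0000000000cc",
             "permission": "00000000-0000-0000-0000-0000000000dd",
             "clientApplicationId": "00000000-0000-0000-0000-0000000000aa",
             "clientFromVerifiedPublisher": True}
    return {**event, **overrides}
```

An include set for which is_unrestricted returns True matches every consent event of its permission type, so the excludes list becomes the only limit on what the policy matches.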

Similar Components

AI-powered semantic similarity - components with related functionality:

  • class PermissionGrantConditionSet 78.4% similar

    A class representing a permission grant condition set that specifies matching rules in a permission grant policy to include or exclude permission grant events in Microsoft Graph API.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/condition_set.py
  • class ConditionalAccessPolicy 58.9% similar

    Represents an Azure Active Directory conditional access policy entity that defines custom rules for access scenarios.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/policies/conditional_access.py
  • class OAuth2PermissionGrant 58.5% similar

    Represents OAuth 2.0 delegated permissions granted to an application's service principal, allowing it to act on behalf of users when accessing APIs.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/oauth2.py
  • class ResourceSpecificPermissionGrant 58.1% similar

    Represents a resource-specific permission grant for an Azure AD application, providing read-only access to permission details granted to apps for Microsoft Graph resources.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/resource_specific.py
  • class AuthorizationPolicy 57.0% similar

    A singleton class representing Azure Active Directory authorization policy settings that control tenant-level authorization behaviors.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/policies/authorization.py