diff --git a/services/graph/mocks/drive_item_permissions_provider.go b/services/graph/mocks/drive_item_permissions_provider.go
index b619b4e4d4..e28e9cb42b 100644
--- a/services/graph/mocks/drive_item_permissions_provider.go
+++ b/services/graph/mocks/drive_item_permissions_provider.go
@@ -295,7 +295,7 @@ func (_c *DriveItemPermissionsProvider_Invite_Call) RunAndReturn(run func(contex
 }
 
 // ListPermissions provides a mock function with given fields: ctx, itemID
-func (_m *DriveItemPermissionsProvider) ListPermissions(ctx context.Context, itemID providerv1beta1.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error) {
+func (_m *DriveItemPermissionsProvider) ListPermissions(ctx context.Context, itemID *providerv1beta1.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error) {
 	ret := _m.Called(ctx, itemID)
 
 	if len(ret) == 0 {
@@ -304,16 +304,16 @@ func (_m *DriveItemPermissionsProvider) ListPermissions(ctx context.Context, ite
 
 	var r0 libregraph.CollectionOfPermissionsWithAllowedValues
 	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, providerv1beta1.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error)); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, *providerv1beta1.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error)); ok {
 		return rf(ctx, itemID)
 	}
-	if rf, ok := ret.Get(0).(func(context.Context, providerv1beta1.ResourceId) libregraph.CollectionOfPermissionsWithAllowedValues); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, *providerv1beta1.ResourceId) libregraph.CollectionOfPermissionsWithAllowedValues); ok {
 		r0 = rf(ctx, itemID)
 	} else {
 		r0 = ret.Get(0).(libregraph.CollectionOfPermissionsWithAllowedValues)
 	}
 
-	if rf, ok := ret.Get(1).(func(context.Context, providerv1beta1.ResourceId) error); ok {
+	if rf, ok := ret.Get(1).(func(context.Context, *providerv1beta1.ResourceId) error); ok {
 		r1 = rf(ctx, itemID)
 	} else {
 		r1 = ret.Error(1)
@@ -329,14 +329,14 @@ type DriveItemPermissionsProvider_ListPermissions_Call struct {
 
 // ListPermissions is a helper method to define mock.On call
 //   - ctx context.Context
-//   - itemID providerv1beta1.ResourceId
+//   - itemID *providerv1beta1.ResourceId
 func (_e *DriveItemPermissionsProvider_Expecter) ListPermissions(ctx interface{}, itemID interface{}) *DriveItemPermissionsProvider_ListPermissions_Call {
 	return &DriveItemPermissionsProvider_ListPermissions_Call{Call: _e.mock.On("ListPermissions", ctx, itemID)}
 }
 
-func (_c *DriveItemPermissionsProvider_ListPermissions_Call) Run(run func(ctx context.Context, itemID providerv1beta1.ResourceId)) *DriveItemPermissionsProvider_ListPermissions_Call {
+func (_c *DriveItemPermissionsProvider_ListPermissions_Call) Run(run func(ctx context.Context, itemID *providerv1beta1.ResourceId)) *DriveItemPermissionsProvider_ListPermissions_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(providerv1beta1.ResourceId))
+		run(args[0].(context.Context), args[1].(*providerv1beta1.ResourceId))
 	})
 	return _c
 }
@@ -346,7 +346,7 @@ func (_c *DriveItemPermissionsProvider_ListPermissions_Call) Return(_a0 libregra
 	return _c
 }
 
-func (_c *DriveItemPermissionsProvider_ListPermissions_Call) RunAndReturn(run func(context.Context, providerv1beta1.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error)) *DriveItemPermissionsProvider_ListPermissions_Call {
+func (_c *DriveItemPermissionsProvider_ListPermissions_Call) RunAndReturn(run func(context.Context, *providerv1beta1.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error)) *DriveItemPermissionsProvider_ListPermissions_Call {
 	_c.Call.Return(run)
 	return _c
 }
diff --git a/services/graph/pkg/linktype/linktype.go b/services/graph/pkg/linktype/linktype.go
index 9b36b6cec7..a2b6557c10 100644
--- a/services/graph/pkg/linktype/linktype.go
+++ b/services/graph/pkg/linktype/linktype.go
@@ -40,7 +40,7 @@ func SharingLinkTypeFromCS3Permissions(permissions *linkv1beta1.PublicSharePermi
 			return &linkType.linkType, nil
 		}
 	}
-	return nil, unifiedrole.CS3ResourcePermissionsToLibregraphActions(*permissions.GetPermissions())
+	return nil, unifiedrole.CS3ResourcePermissionsToLibregraphActions(permissions.GetPermissions())
 }
 
 // CS3ResourcePermissionsFromSharingLink creates a cs3 resource permissions type
diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions.go b/services/graph/pkg/service/v0/api_driveitem_permissions.go
index dd16165e68..f51c1ed716 100644
--- a/services/graph/pkg/service/v0/api_driveitem_permissions.go
+++ b/services/graph/pkg/service/v0/api_driveitem_permissions.go
@@ -43,7 +43,7 @@ const (
 type DriveItemPermissionsProvider interface {
 	Invite(ctx context.Context, resourceId *storageprovider.ResourceId, invite libregraph.DriveItemInvite) (libregraph.Permission, error)
 	SpaceRootInvite(ctx context.Context, driveID *storageprovider.ResourceId, invite libregraph.DriveItemInvite) (libregraph.Permission, error)
-	ListPermissions(ctx context.Context, itemID storageprovider.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error)
+	ListPermissions(ctx context.Context, itemID *storageprovider.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error)
 	ListSpaceRootPermissions(ctx context.Context, driveID *storageprovider.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error)
 	DeletePermission(ctx context.Context, itemID *storageprovider.ResourceId, permissionID string) error
 	DeleteSpaceRootPermission(ctx context.Context, driveID *storageprovider.ResourceId, permissionID string) error
@@ -121,12 +121,12 @@ func (s DriveItemPermissionsService) Invite(ctx context.Context, resourceId *sto
 	cs3ResourcePermissions := unifiedrole.PermissionsToCS3ResourcePermissions(unifiedRolePermissions)
 
 	permission := &libregraph.Permission{}
-	if role := unifiedrole.CS3ResourcePermissionsToUnifiedRole(*cs3ResourcePermissions, condition); role != nil {
+	if role := unifiedrole.CS3ResourcePermissionsToUnifiedRole(cs3ResourcePermissions, condition); role != nil {
 		permission.Roles = []string{role.GetId()}
 	}
 
 	if len(permission.GetRoles()) == 0 {
-		permission.LibreGraphPermissionsActions = unifiedrole.CS3ResourcePermissionsToLibregraphActions(*cs3ResourcePermissions)
+		permission.LibreGraphPermissionsActions = unifiedrole.CS3ResourcePermissionsToLibregraphActions(cs3ResourcePermissions)
 	}
 
 	var shareid string
@@ -304,14 +304,14 @@ func (s DriveItemPermissionsService) SpaceRootInvite(ctx context.Context, driveI
 }
 
 // ListPermissions lists the permissions of a driveItem
-func (s DriveItemPermissionsService) ListPermissions(ctx context.Context, itemID storageprovider.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error) {
+func (s DriveItemPermissionsService) ListPermissions(ctx context.Context, itemID *storageprovider.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error) {
 	collectionOfPermissions := libregraph.CollectionOfPermissionsWithAllowedValues{}
 	gatewayClient, err := s.gatewaySelector.Next()
 	if err != nil {
 		return collectionOfPermissions, err
 	}
 
-	statResponse, err := gatewayClient.Stat(ctx, &storageprovider.StatRequest{Ref: &storageprovider.Reference{ResourceId: &itemID}})
+	statResponse, err := gatewayClient.Stat(ctx, &storageprovider.StatRequest{Ref: &storageprovider.Reference{ResourceId: itemID}})
 	if err := errorcode.FromStat(statResponse, err); err != nil {
 		s.logger.Warn().Err(err).Interface("stat.res", statResponse).Msg("stat failed")
 		return collectionOfPermissions, err
@@ -322,7 +322,7 @@ func (s DriveItemPermissionsService) ListPermissions(ctx context.Context, itemID
 		return collectionOfPermissions, err
 	}
 
-	permissionSet := *statResponse.GetInfo().GetPermissionSet()
+	permissionSet := statResponse.GetInfo().GetPermissionSet()
 	allowedActions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(permissionSet)
 
 	collectionOfPermissions = libregraph.CollectionOfPermissionsWithAllowedValues{
@@ -352,7 +352,7 @@ func (s DriveItemPermissionsService) ListPermissions(ctx context.Context, itemID
 	} else {
 		// "normal" driveItem, populate user  permissions via share providers
 		driveItems, err = s.listUserShares(ctx, []*collaboration.Filter{
-			share.ResourceIDFilter(conversions.ToPointer(itemID)),
+			share.ResourceIDFilter(itemID),
 		}, driveItems)
 		if err != nil {
 			return collectionOfPermissions, err
@@ -360,7 +360,7 @@ func (s DriveItemPermissionsService) ListPermissions(ctx context.Context, itemID
 	}
 	// finally get public shares, which are possible for spaceroots and "normal" resources
 	driveItems, err = s.listPublicShares(ctx, []*link.ListPublicSharesRequest_Filter{
-		publicshare.ResourceIDFilter(conversions.ToPointer(itemID)),
+		publicshare.ResourceIDFilter(itemID),
 	}, driveItems)
 	if err != nil {
 		return collectionOfPermissions, err
@@ -392,7 +392,7 @@ func (s DriveItemPermissionsService) ListSpaceRootPermissions(ctx context.Contex
 	}
 
 	rootResourceID := space.GetRoot()
-	return s.ListPermissions(ctx, *rootResourceID)
+	return s.ListPermissions(ctx, rootResourceID)
 }
 
 // DeletePermission deletes a permission from a drive item
@@ -612,7 +612,7 @@ func (api DriveItemPermissionsApi) ListPermissions(w http.ResponseWriter, r *htt
 
 	ctx := r.Context()
 
-	permissions, err := api.driveItemPermissionsService.ListPermissions(ctx, itemID)
+	permissions, err := api.driveItemPermissionsService.ListPermissions(ctx, &itemID)
 	if err != nil {
 		errorcode.RenderError(w, r, err)
 		return
diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions_test.go b/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
index c81b3d3f8c..3af2d99151 100644
--- a/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
+++ b/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
@@ -344,11 +344,11 @@ var _ = Describe("DriveItemPermissionsService", func() {
 	})
 	Describe("ListPermissions", func() {
 		var (
-			itemID             provider.ResourceId
+			itemID             *provider.ResourceId
 			listSharesResponse *collaboration.ListSharesResponse
 		)
 		BeforeEach(func() {
-			itemID = provider.ResourceId{
+			itemID = &provider.ResourceId{
 				StorageId: "1",
 				SpaceId:   "2",
 				OpaqueId:  "3",
@@ -358,7 +358,7 @@ var _ = Describe("DriveItemPermissionsService", func() {
 				Shares: []*collaboration.Share{},
 			}
 			statResponse.Info = &provider.ResourceInfo{
-				Id:            &itemID,
+				Id:            itemID,
 				Type:          provider.ResourceType_RESOURCE_TYPE_FILE,
 				PermissionSet: roleconversions.NewViewerRole().CS3ResourcePermissions(),
 			}
@@ -1145,8 +1145,8 @@ var _ = Describe("DriveItemPermissionsApi", func() {
 			Expect(err).ToNot(HaveOccurred())
 
 			mockProvider.On("ListPermissions", mock.Anything, mock.Anything, mock.Anything).
-				Return(func(ctx context.Context, itemid storageprovider.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error) {
-					Expect(storagespace.FormatResourceID(&itemid)).To(Equal("1$2!3"))
+				Return(func(ctx context.Context, itemid *storageprovider.ResourceId) (libregraph.CollectionOfPermissionsWithAllowedValues, error) {
+					Expect(storagespace.FormatResourceID(itemid)).To(Equal("1$2!3"))
 					return libregraph.CollectionOfPermissionsWithAllowedValues{}, nil
 				}).Once()
 
diff --git a/services/graph/pkg/service/v0/base.go b/services/graph/pkg/service/v0/base.go
index 837a051510..8e157217aa 100644
--- a/services/graph/pkg/service/v0/base.go
+++ b/services/graph/pkg/service/v0/base.go
@@ -62,18 +62,18 @@ func (g BaseGraphService) getSpaceRootPermissions(ctx context.Context, spaceID *
 	return g.cs3SpacePermissionsToLibreGraph(ctx, space, APIVersion_1_Beta_1), nil
 }
 
-func (g BaseGraphService) getDriveItem(ctx context.Context, ref storageprovider.Reference) (*libregraph.DriveItem, error) {
+func (g BaseGraphService) getDriveItem(ctx context.Context, ref *storageprovider.Reference) (*libregraph.DriveItem, error) {
 	gatewayClient, err := g.gatewaySelector.Next()
 	if err != nil {
 		return nil, err
 	}
 
-	res, err := gatewayClient.Stat(ctx, &storageprovider.StatRequest{Ref: &ref})
+	res, err := gatewayClient.Stat(ctx, &storageprovider.StatRequest{Ref: ref})
 	if err != nil {
 		return nil, err
 	}
 	if res.GetStatus().GetCode() != rpc.Code_CODE_OK {
-		refStr, _ := storagespace.FormatReference(&ref)
+		refStr, _ := storagespace.FormatReference(ref)
 		return nil, fmt.Errorf("could not stat %s: %s", refStr, res.GetStatus().GetMessage())
 	}
 	return cs3ResourceToDriveItem(g.logger, res.GetInfo())
@@ -191,7 +191,7 @@ func (g BaseGraphService) cs3SpacePermissionsToLibreGraph(ctx context.Context, s
 			p.SetExpirationDateTime(time.Unix(int64(exp.GetSeconds()), int64(exp.GetNanos())))
 		}
 
-		if role := unifiedrole.CS3ResourcePermissionsToUnifiedRole(*perm, unifiedrole.UnifiedRoleConditionDrive); role != nil {
+		if role := unifiedrole.CS3ResourcePermissionsToUnifiedRole(perm, unifiedrole.UnifiedRoleConditionDrive); role != nil {
 			switch apiVersion {
 			case APIVersion_1:
 				if r := unifiedrole.GetLegacyName(*role); r != "" {
@@ -311,7 +311,7 @@ func (g BaseGraphService) cs3UserSharesToDriveItems(ctx context.Context, shares
 		resIDStr := storagespace.FormatResourceID(s.ResourceId)
 		item, ok := driveItems[resIDStr]
 		if !ok {
-			itemptr, err := g.getDriveItem(ctx, storageprovider.Reference{ResourceId: s.ResourceId})
+			itemptr, err := g.getDriveItem(ctx, &storageprovider.Reference{ResourceId: s.ResourceId})
 			if err != nil {
 				g.logger.Debug().Err(err).Interface("Share", s.ResourceId).Msg("could not stat share, skipping")
 				continue
@@ -393,13 +393,13 @@ func (g BaseGraphService) cs3UserShareToPermission(ctx context.Context, share *c
 		perm.SetCreatedDateTime(cs3TimestampToTime(share.GetCtime()))
 	}
 	role := unifiedrole.CS3ResourcePermissionsToUnifiedRole(
-		*share.GetPermissions().GetPermissions(),
+		share.GetPermissions().GetPermissions(),
 		roleCondition,
 	)
 	if role != nil {
 		perm.SetRoles([]string{role.GetId()})
 	} else {
-		actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(*share.GetPermissions().GetPermissions())
+		actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(share.GetPermissions().GetPermissions())
 		perm.SetLibreGraphPermissionsActions(actions)
 		perm.SetRoles(nil)
 	}
@@ -413,7 +413,7 @@ func (g BaseGraphService) cs3PublicSharesToDriveItems(ctx context.Context, share
 		resIDStr := storagespace.FormatResourceID(s.ResourceId)
 		item, ok := driveItems[resIDStr]
 		if !ok {
-			itemptr, err := g.getDriveItem(ctx, storageprovider.Reference{ResourceId: s.ResourceId})
+			itemptr, err := g.getDriveItem(ctx, &storageprovider.Reference{ResourceId: s.ResourceId})
 			if err != nil {
 				g.logger.Debug().Err(err).Interface("Share", s.ResourceId).Msg("could not stat share, skipping")
 				continue
diff --git a/services/graph/pkg/service/v0/driveitems.go b/services/graph/pkg/service/v0/driveitems.go
index e3dbc9361e..1fcda72e4e 100644
--- a/services/graph/pkg/service/v0/driveitems.go
+++ b/services/graph/pkg/service/v0/driveitems.go
@@ -692,12 +692,12 @@ func (g Graph) getSpecialDriveItems(ctx context.Context, baseURL *url.URL, space
 }
 
 func (g Graph) fetchSpecialDriveItem(ctx context.Context, spaceItems []libregraph.DriveItem, itemName string, itemNode string, space *storageprovider.StorageSpace, baseURL *url.URL) []libregraph.DriveItem {
-	var ref storageprovider.Reference
+	var ref *storageprovider.Reference
 	if itemNode != "" {
 		rid, _ := storagespace.ParseID(itemNode)
 
 		rid.StorageId = space.GetRoot().GetStorageId()
-		ref = storageprovider.Reference{
+		ref = &storageprovider.Reference{
 			ResourceId: &rid,
 		}
 		spaceItem := g.getSpecialDriveItem(ctx, ref, itemName, baseURL, space)
@@ -730,7 +730,7 @@ type specialDriveItemEntry struct {
 	rootMtime         *types.Timestamp
 }
 
-func (g Graph) getSpecialDriveItem(ctx context.Context, ref storageprovider.Reference, itemName string, baseURL *url.URL, space *storageprovider.StorageSpace) *libregraph.DriveItem {
+func (g Graph) getSpecialDriveItem(ctx context.Context, ref *storageprovider.Reference, itemName string, baseURL *url.URL, space *storageprovider.StorageSpace) *libregraph.DriveItem {
 	var spaceItem *libregraph.DriveItem
 	if ref.GetResourceId().GetSpaceId() == "" && ref.GetResourceId().GetOpaqueId() == "" {
 		return nil
diff --git a/services/graph/pkg/service/v0/utils.go b/services/graph/pkg/service/v0/utils.go
index c1b25ad47b..62c2d362f1 100644
--- a/services/graph/pkg/service/v0/utils.go
+++ b/services/graph/pkg/service/v0/utils.go
@@ -416,13 +416,13 @@ func cs3ReceivedShareToLibreGraphPermissions(ctx context.Context, logger *log.Lo
 		if err != nil {
 			return nil, err
 		}
-		role := unifiedrole.CS3ResourcePermissionsToUnifiedRole(*permissionSet, condition)
+		role := unifiedrole.CS3ResourcePermissionsToUnifiedRole(permissionSet, condition)
 
 		if role != nil {
 			permission.SetRoles([]string{role.GetId()})
 		}
 
-		actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(*permissionSet)
+		actions := unifiedrole.CS3ResourcePermissionsToLibregraphActions(permissionSet)
 
 		// actions only make sense if no role is set
 		if role == nil && len(actions) > 0 {
diff --git a/services/graph/pkg/unifiedrole/unifiedrole.go b/services/graph/pkg/unifiedrole/unifiedrole.go
index 23ad7c26f7..4a6d5123dd 100644
--- a/services/graph/pkg/unifiedrole/unifiedrole.go
+++ b/services/graph/pkg/unifiedrole/unifiedrole.go
@@ -368,7 +368,7 @@ func PermissionsToCS3ResourcePermissions(unifiedRolePermissions []*libregraph.Un
 
 // CS3ResourcePermissionsToLibregraphActions converts the provided cs3 ResourcePermissions to a list of
 // libregraph actions
-func CS3ResourcePermissionsToLibregraphActions(p provider.ResourcePermissions) (actions []string) {
+func CS3ResourcePermissionsToLibregraphActions(p *provider.ResourcePermissions) (actions []string) {
 	if p.GetAddGrant() {
 		actions = append(actions, DriveItemPermissionsCreate)
 	}
@@ -435,7 +435,7 @@ func GetLegacyName(role libregraph.UnifiedRoleDefinition) string {
 
 // CS3ResourcePermissionsToUnifiedRole tries to find the UnifiedRoleDefinition that matches the supplied
 // CS3 ResourcePermissions and constraints.
-func CS3ResourcePermissionsToUnifiedRole(p provider.ResourcePermissions, constraints string) *libregraph.UnifiedRoleDefinition {
+func CS3ResourcePermissionsToUnifiedRole(p *provider.ResourcePermissions, constraints string) *libregraph.UnifiedRoleDefinition {
 	actionSet := map[string]struct{}{}
 	for _, action := range CS3ResourcePermissionsToLibregraphActions(p) {
 		actionSet[action] = struct{}{}
@@ -514,7 +514,7 @@ func convert(role *conversions.Role) []string {
 	if role == nil && role.CS3ResourcePermissions() == nil {
 		return actions
 	}
-	return CS3ResourcePermissionsToLibregraphActions(*role.CS3ResourcePermissions())
+	return CS3ResourcePermissionsToLibregraphActions(role.CS3ResourcePermissions())
 }
 
 func GetAllowedResourceActions(role *libregraph.UnifiedRoleDefinition, condition string) []string {
diff --git a/services/graph/pkg/unifiedrole/unifiedrole_test.go b/services/graph/pkg/unifiedrole/unifiedrole_test.go
index 2d1e4a0a9c..8cfe609392 100644
--- a/services/graph/pkg/unifiedrole/unifiedrole_test.go
+++ b/services/graph/pkg/unifiedrole/unifiedrole_test.go
@@ -20,7 +20,7 @@ var _ = Describe("unifiedroles", func() {
 		func(legacyRole *rConversions.Role, unifiedRole *libregraph.UnifiedRoleDefinition, constraints string) {
 			cs3perm := legacyRole.CS3ResourcePermissions()
 
-			r := unifiedrole.CS3ResourcePermissionsToUnifiedRole(*cs3perm, constraints)
+			r := unifiedrole.CS3ResourcePermissionsToUnifiedRole(cs3perm, constraints)
 			Expect(r.GetId()).To(Equal(unifiedRole.GetId()))
 
 		},