Article 24 from 30 : App permissions – I

This post is article 24 from the 30 Articles App series for SharePoint

In this article I will be discussing about app permissions. What are they and how does it work.

Like users and groups, an app has its own identity in SharePoint. each app in SharePoint is associated with a security principal, called an app principal. An app principal has certain permissions and rights.

An app may perform the operation on SharePoint site/web/list and other SharePoint artifacts, It needs certain permission just like an user or a group.

During installation, an app for SharePoint requests the permissions that it needs from the user who is installing it.

The developer of an app must request, the permissions that the particular app needs to be able to run, through the app manifest file.

The user who installs the app must grant all the permissions that an app requests or not grant any permission—the permission granted by the user to an app is all or nothing. An app must be granted permissions by the user who is executing the app. Users can grant only the permissions that they have.

The permission requests specify both the rights that an app needs and the scope at which it needs the rights.

SharePoint 2013 supports three different permission scopes within the content database and tenancy as below.

Scope URI Description
site collection :  http://sharepoint/content/sitecollection The permission request scope URI to the site collection where the app is installed. Includes all children of this scope.
website : http://sharepoint/content/sitecollection/web The permission request scope URI to the website where the app is installed. Includes all children of this scope.
list : http://sharepoint/content/sitecollection/web/list The permission request scope URI to the list where the app is installed. Includes all children of this scope.
tenancy : http://sharepoint/content/tenant The permission request scope URI to the tenancy where the app is installed.

If an app is granted permission to one of the scopes, the permission applies to all children of the scope. For example, if an app is granted permission to a website, the app is also granted permission to each list that is contained in the website, and all list items that are in each list.

SharePoint 2013 supports four rights levels in the content database. For each scope, an app can have these rights : Read , Write, Manage, FullControl

Permission request

Description

Permissions included

Read-Only Enables apps to view pages, list items, and download documents.
  • View Items
  • Open Items
  • View Versions
  • Create Alerts
  • Use Self-Service Site Creation
  • View Pages
Write Enables apps to view, add, update, and delete items in existing lists and document libraries.
  • Read-Only permissions, plus:
  • Add Items
  • Edit Items
  • Delete Items
  • Delete Versions
  • Browse Directories
  • Edit Personal User Information
  • Manage Personal Views
  • Add/Remove Personal Web Parts
  • Update Personal Web Parts
Manage Enables apps to view, add, update, delete, approve, and customize items or pages within a web site.
  • Write permissions, plus:
  • Manage Lists
  • Add and Customize Pages
  • Apply Themes and Borders
  • Apply Style Sheets
Full Control Enables apps to have full control within the specified scope.
  • All permissions

Check next article for more details on App permissions.

Hope that helps..!!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s