This post is article 24 from the 30 Articles App series for SharePoint
In this article I will be discussing about app permissions. What are they and how does it work.
Like users and groups, an app has its own identity in SharePoint. each app in SharePoint is associated with a security principal, called an app principal. An app principal has certain permissions and rights.
An app may perform the operation on SharePoint site/web/list and other SharePoint artifacts, It needs certain permission just like an user or a group.
During installation, an app for SharePoint requests the permissions that it needs from the user who is installing it.
The developer of an app must request, the permissions that the particular app needs to be able to run, through the app manifest file.
The user who installs the app must grant all the permissions that an app requests or not grant any permission—the permission granted by the user to an app is all or nothing. An app must be granted permissions by the user who is executing the app. Users can grant only the permissions that they have.
The permission requests specify both the rights that an app needs and the scope at which it needs the rights.
SharePoint 2013 supports three different permission scopes within the content database and tenancy as below.
|site collection : http://sharepoint/content/sitecollection||The permission request scope URI to the site collection where the app is installed. Includes all children of this scope.|
|website : http://sharepoint/content/sitecollection/web||The permission request scope URI to the website where the app is installed. Includes all children of this scope.|
|list : http://sharepoint/content/sitecollection/web/list||The permission request scope URI to the list where the app is installed. Includes all children of this scope.|
|tenancy : http://sharepoint/content/tenant||The permission request scope URI to the tenancy where the app is installed.|
If an app is granted permission to one of the scopes, the permission applies to all children of the scope. For example, if an app is granted permission to a website, the app is also granted permission to each list that is contained in the website, and all list items that are in each list.
SharePoint 2013 supports four rights levels in the content database. For each scope, an app can have these rights : Read , Write, Manage, FullControl
|Read-Only||Enables apps to view pages, list items, and download documents.||
|Write||Enables apps to view, add, update, and delete items in existing lists and document libraries.||
|Manage||Enables apps to view, add, update, delete, approve, and customize items or pages within a web site.||
|Full Control||Enables apps to have full control within the specified scope.||
Check next article for more details on App permissions.
Hope that helps..!!