Article 26 from 30 : App authorization

This post is article 26 from the 30 Articles App series for SharePoint

In this article I will be discussing about app authorization policies.

Like users and groups, an app has its own identity in SharePoint. The authorization process verifies that an authenticated user and/or app has permission to perform certain operations or to access specific resources. The authenticated identities can be user identity only, user + app identities, or app identity only. Correspondingly three authorization policy are as following :

  • User-only policy— In this policy, the authorization checks take into account only the user identity. When a user is accessing SharePoint resources directly without using any app this policy is enforced.
  • User + app policy—In this policy, the authorization checks take into account both the user identity and the app identity.  An authorization checks succeed only if both the current user and the app have sufficient permissions to perform the action in question. This policy is used when a Office Store app, which does not run in SharePoint Server , wants to act on behalf of the user to get access to the user’s resources.
  • App only policy—In this policy, the authorization checks take into account only the app identity.  An authorization checks succeed only if the current app has sufficient permissions to perform the action , regardless of the permissions of the current user.  This policy is enforced is when the app is not acting on behalf of the user. In this policy, the person who installs the app has the rights that the app needs, even though users who actually use the app might not have those rights.

To request an app to use App-only policy your app needs to add attribute called “AllowAppOnlyPolicy” in tag node of AppPermissionRequests with value = ‘true”. User must be Site Collection Administrator to allow use of the app-only policy.

<AppPermissionRequests AllowAppOnlyPolicy="true">
... 
</AppPermissionRequests>

App- Only Policy can only be used for Auto Hosted Apps or Provider Hosted Apps.

Hope that helps..!!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s