Category: Apps

Article 26 from 30 : App authorization

This post is article 26 from the 30 Articles App series for SharePoint

In this article I will be discussing about app authorization policies.

Like users and groups, an app has its own identity in SharePoint. The authorization process verifies that an authenticated user and/or app has permission to perform certain operations or to access specific resources. The authenticated identities can be user identity only, user + app identities, or app identity only. Correspondingly three authorization policy are as following :

  • User-only policy— In this policy, the authorization checks take into account only the user identity. When a user is accessing SharePoint resources directly without using any app this policy is enforced.
  • User + app policy—In this policy, the authorization checks take into account both the user identity and the app identity.  An authorization checks succeed only if both the current user and the app have sufficient permissions to perform the action in question. This policy is used when a Office Store app, which does not run in SharePoint Server , wants to act on behalf of the user to get access to the user’s resources.
  • App only policy—In this policy, the authorization checks take into account only the app identity.  An authorization checks succeed only if the current app has sufficient permissions to perform the action , regardless of the permissions of the current user.  This policy is enforced is when the app is not acting on behalf of the user. In this policy, the person who installs the app has the rights that the app needs, even though users who actually use the app might not have those rights.

To request an app to use App-only policy your app needs to add attribute called “AllowAppOnlyPolicy” in tag node of AppPermissionRequests with value = ‘true”. User must be Site Collection Administrator to allow use of the app-only policy.

<AppPermissionRequests AllowAppOnlyPolicy="true">
... 
</AppPermissionRequests>

App- Only Policy can only be used for Auto Hosted Apps or Provider Hosted Apps.

Hope that helps..!!

Article 25 from 30 : App permissions – II

This post is article 25 from the 30 Articles App series for SharePoint

In this article, I will discuss more on scope and a few examples for app permissions.

an app can have these rights : Read , Write, Manage, FullControl. These rights correspond to the default permission levels: Reader, Contributor, Designer, and Full Control. For more information about user permission levels, see User permissions and permission levels.

Permission request scopes for other (other than sitecollection, website, list ) SharePoint features

Scope URI Available Rights More Info
http://sharepoint/bcs/connection Read Business Connectivity Services in SharePoint 2013
http://sharepoint/search QueryAsUserIgnoreAppPrincipal Search in SharePoint 2013
http://sharepoint/taxonomy Read, Write taxonomy
http://sharepoint/social/tenant Read, Write, Manage, FullControl  social
http://sharepoint/social/core Read, Write, Manage, FullControl  social
http://sharepoint/social/microfeed Read, Write, Manage, FullControl  social
http://sharepoint/projectserver Manage  projectserver
http://sharepoint/projectserver/projects Read, Write  projectserver
http://sharepoint/projectserver/projects/project Read, Write  projectserver
http://sharepoint/projectserver/enterpriseresources Read, Write  projectserver
http://sharepoint/projectserver/statusing SubmitStatus  projectserver
http://sharepoint/projectserver/reporting Read  projectserver
http://sharepoint/projectserver/workflow Elevate  projectserver

Only Read, Write, and Manage rights are allowed for Office Store apps. If you try to submit an app to the Office Store that requires FullControl rights, your app is blocked from submission. However apps that request more than Manage permissions can still be deployed through the app catalog.

Below are some example code for AppManifest file with different scope and rights of App permission

Request Read access to the web scope and the list scope.

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read"/>
</AppPermissionRequests>

Request Write access to the list scope.

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"/>
</AppPermissionRequests>

The list permission request scope has an additional optional property. BaseTemplateId, and an integer value corresponding with a list base template, which filters the available lists down to the set of lists that match what is specified by the BaseTemplateId property.

<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
</AppPermissionRequest>

Request access to all user profiles. ( This app must be installed by a tenant administrator. )

<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read">
</AppPermissionRequest>

Request user’s feed or the team feed. This scope applies to personal sites that support microblogging or to team sites where the Site Feed feature is activated. If the app installs on any other type of site, use the Tenant scope.

<AppPermissionRequest Scope="http://sharepoint/social/microfeed" Right="Read">
</AppPermissionRequest>

 

Hope that helps..!!

Article 24 from 30 : App permissions – I

This post is article 24 from the 30 Articles App series for SharePoint

In this article I will be discussing about app permissions. What are they and how does it work.

Like users and groups, an app has its own identity in SharePoint. each app in SharePoint is associated with a security principal, called an app principal. An app principal has certain permissions and rights.

An app may perform the operation on SharePoint site/web/list and other SharePoint artifacts, It needs certain permission just like an user or a group.

During installation, an app for SharePoint requests the permissions that it needs from the user who is installing it.

The developer of an app must request, the permissions that the particular app needs to be able to run, through the app manifest file.

The user who installs the app must grant all the permissions that an app requests or not grant any permission—the permission granted by the user to an app is all or nothing. An app must be granted permissions by the user who is executing the app. Users can grant only the permissions that they have.

The permission requests specify both the rights that an app needs and the scope at which it needs the rights.

SharePoint 2013 supports three different permission scopes within the content database and tenancy as below.

Scope URI Description
site collection :  http://sharepoint/content/sitecollection The permission request scope URI to the site collection where the app is installed. Includes all children of this scope.
website : http://sharepoint/content/sitecollection/web The permission request scope URI to the website where the app is installed. Includes all children of this scope.
list : http://sharepoint/content/sitecollection/web/list The permission request scope URI to the list where the app is installed. Includes all children of this scope.
tenancy : http://sharepoint/content/tenant The permission request scope URI to the tenancy where the app is installed.

If an app is granted permission to one of the scopes, the permission applies to all children of the scope. For example, if an app is granted permission to a website, the app is also granted permission to each list that is contained in the website, and all list items that are in each list.

SharePoint 2013 supports four rights levels in the content database. For each scope, an app can have these rights : Read , Write, Manage, FullControl

Permission request

Description

Permissions included

Read-Only Enables apps to view pages, list items, and download documents.
  • View Items
  • Open Items
  • View Versions
  • Create Alerts
  • Use Self-Service Site Creation
  • View Pages
Write Enables apps to view, add, update, and delete items in existing lists and document libraries.
  • Read-Only permissions, plus:
  • Add Items
  • Edit Items
  • Delete Items
  • Delete Versions
  • Browse Directories
  • Edit Personal User Information
  • Manage Personal Views
  • Add/Remove Personal Web Parts
  • Update Personal Web Parts
Manage Enables apps to view, add, update, delete, approve, and customize items or pages within a web site.
  • Write permissions, plus:
  • Manage Lists
  • Add and Customize Pages
  • Apply Themes and Borders
  • Apply Style Sheets
Full Control Enables apps to have full control within the specified scope.
  • All permissions

Check next article for more details on App permissions.

Hope that helps..!!