Article 24 from 30 : App permissions – I

This post is article 24 from the 30 Articles App series for SharePoint

In this article I will discuss app permissions: what they are and how they work.

Like users and groups, an app has its own identity in SharePoint. Each app in SharePoint is associated with a security principal, called an app principal. An app principal has certain permissions and rights.

An app may perform operations on a SharePoint site, web, list and other SharePoint artifacts, so it needs certain permissions, just like a user or a group.

During installation, an app for SharePoint requests the permissions that it needs from the user who is installing it.

The developer of an app must request the permissions that the app needs in order to run through the app manifest file.

The user who installs the app must grant all the permissions that an app requests or not grant any permission—the permission granted by the user to an app is all or nothing. An app must be granted permissions by the user who is executing the app. Users can grant only the permissions that they have.

The permission requests specify both the rights that an app needs and the scope at which it needs the rights.

SharePoint 2013 supports three different permission scopes within the content database and tenancy as below.

Scope | URI | Description
site collection | http://sharepoint/content/sitecollection | The permission request scope URI to the site collection where the app is installed. Includes all children of this scope.
website | http://sharepoint/content/sitecollection/web | The permission request scope URI to the website where the app is installed. Includes all children of this scope.
list | http://sharepoint/content/sitecollection/web/list | The permission request scope URI to the list where the app is installed. Includes all children of this scope.
tenancy | http://sharepoint/content/tenant | The permission request scope URI to the tenancy where the app is installed.

If an app is granted permission to one of the scopes, the permission applies to all children of the scope. For example, if an app is granted permission to a website, the app is also granted permission to each list that is contained in the website, and all list items that are in each list.

SharePoint 2013 supports four rights levels in the content database. For each scope, an app can have these rights: Read, Write, Manage, FullControl.

Permission request | Description | Permissions included
Read-Only | Enables apps to view pages, list items, and download documents. | View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages
Write | Enables apps to view, add, update, and delete items in existing lists and document libraries. | Read-Only permissions, plus: Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts
Manage | Enables apps to view, add, update, delete, approve, and customize items or pages within a web site. | Write permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets
Full Control | Enables apps to have full control within the specified scope. | All permissions
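
The scope inheritance and rights levels described above can be checked against an app manifest before the all-or-nothing grant is accepted. The following is an added example, not code from the original post: it reads the AppPermissionRequest entries of a constructed sample manifest, works out the highest right the app would hold at each content scope, and lists requests worth a second look. The function names and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
RIGHTS = ["Read", "Write", "Manage", "FullControl"]  # ascending; each level includes the previous
CONTENT = "http://sharepoint/content/sitecollection"
SCOPES = {"sitecollection": CONTENT, "web": CONTENT + "/web", "list": CONTENT + "/web/list"}
TENANT = "http://sharepoint/content/tenant"

# Constructed sample manifest (not taken from a real app).
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  </AppPermissionRequests>
</App>"""

def parse_requests(manifest_xml):
    """Return (scope URI, right) pairs in document order."""
    root = ET.fromstring(manifest_xml)
    return [(r.get("Scope"), r.get("Right"))
            for r in root.iterfind(".//m:AppPermissionRequest", NS)]

def effective_right(requests, target):
    """Highest right held at `target`, counting requests on that scope or any parent.
    The tenancy scope is reported by review() and left out of this calculation."""
    target_uri = SCOPES[target]
    held = [RIGHTS.index(right) for scope, right in requests
            if right in RIGHTS
            and (target_uri == scope or target_uri.startswith(scope + "/"))]
    return RIGHTS[max(held)] if held else None

def review(requests):
    """Findings to read before accepting the all-or-nothing permission prompt."""
    findings = []
    for scope, right in requests:
        if right not in RIGHTS:
            findings.append(f"unknown right {right!r} on {scope}")
        elif scope == TENANT:
            findings.append(f"tenancy-wide {right} requested")
        elif scope not in SCOPES.values():
            findings.append(f"scope not covered by this check: {scope}")
        elif right == "FullControl":
            findings.append(f"FullControl requested on {scope}")
    return findings
```
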

Check next article for more details on App permissions.

Hope that helps..!!

Introducing ProConnect – now available in the Office and Windows Phone stores

I am very pleased to share the news with you that “ProConnect” is officially launched and is now available in both the Office and Windows Phone stores.

Last year, I discovered a need for an enterprise-level, location-rich business networking application. I had my vision of what ProConnect would be. I gave myself a challenge to make it a reality and have been working on it since then. ProConnect also got very good interest from some of ProSigma’s clients, and finally I decided to take it to the next level and make it available to all users from the Office and Windows Phone stores. Today, I am very happy to present ProConnect to you.

ProConnect is a secured location based business networking application that helps you keep in touch with your colleagues anywhere!

It is a subscription based service which also offers 1 month free trial.

To discover more and start using ProConnect please go to the office store, install the application, activate your free trial and explore!

ProConnect also comes with supporting windows mobile application for free for you to stay connected while on the move.

ProConnect Features:
• Create, store and share location based updates with your colleagues using checkin
• Create and manage places of interests such as company’s offices, recommended hotels and restaurants, client’s offices, meeting places, conference venues etc.
• Follow places and people and stay in touch with their most recent updates
• Receive real-time notifications of checkin activities
• See your real-time location on the map and find your near-by colleagues and places
• Highly interactive mapping user interface using an open source library
• On-the-go access on the Windows Phone app.
• Complete peace of mind having all your data on your server (ProConnect stores checkin updates in SharePoint lists on your servers)

Office store link :

Windows phone store link :

Visit store link to get more details on ProConnect features.

Please visit http://prosigmaltd.com/ProConnect if you have any query or suggestion related to ProConnect.

Also, feel free to contact for more details on ProConnect.

Stay tuned, more coming soon…

Article 23 from 30 : Troubleshooting High-Trust App

This post is article 23 from the 30 Articles App series for SharePoint

In this article I will discuss basic troubleshooting guidelines for High-Trust apps. I assume that you already have a good understanding of High-Trust apps and how to develop one.

Below are some steps you should look into when you run into problems:

(1)    For a High-Trust app, your remote web’s web.config should have appSettings something like below:

<appSettings>
  <add key="ClientId" value="your-client-id-guid-in-lowercase"/>
  <add key="ClientSecret" value="client-secret"/>
  <add key="ClientSigningCertificatePath" value="C:\cert.pfx"/>
  <add key="ClientSigningCertificatePassword" value="****"/>
  <add key="IssuerId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"/>
</appSettings>

(2)    Refer to article-15 to learn how to configure high-trust using a client certificate.

(3)    App deployed successfully but the client context is always null or you are getting a 401 Unauthorized error

Make sure you are passing a valid identity for the logged-in user.

Run iisreset after the high-trust configuration if necessary.

(4)    App deployed successfully but you are getting a 403 Forbidden error

OAuth requires SharePoint to run over HTTPS. So whenever your SharePoint app attempts to make a call using a test certificate, you will get a 403 (Forbidden) error.

To overcome this issue, turn off the HTTPS requirement for OAuth on your development SharePoint environment using the following PowerShell commands:

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
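
The appSettings from step (1) can be checked mechanically before deploying. The following is an added example, not code from the original post: it reads the appSettings of a constructed sample web.config and reports missing keys, a ClientId that is not a lowercase GUID, and an IssuerId still holding a placeholder. Which keys count as required is an assumption of this sketch (the certificate-based ones; ClientSecret is not checked), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumption: keys this check treats as required for a certificate-based high-trust app.
REQUIRED = ["ClientId", "ClientSigningCertificatePath",
            "ClientSigningCertificatePassword", "IssuerId"]

# Constructed sample: upper-case ClientId and the IssuerId placeholder left in.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <appSettings>
    <add key="ClientId" value="6F2A1C3E-9B4D-4E7A-8C21-0D5E6F7A8B9C"/>
    <add key="ClientSecret" value=""/>
    <add key="ClientSigningCertificatePath" value="C:\cert.pfx"/>
    <add key="ClientSigningCertificatePassword" value="****"/>
    <add key="IssuerId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"/>
  </appSettings>
</configuration>"""

def load_app_settings(xml_text):
    """Return the appSettings section as a {key: value} dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value", "") for a in root.iterfind("./appSettings/add")}

def check_high_trust_settings(settings):
    """Return a list of problems; an empty list means the checks passed."""
    problems = [f"{key}: missing or empty" for key in REQUIRED if not settings.get(key)]
    client_id = settings.get("ClientId", "")
    if client_id:
        if not GUID.match(client_id):
            problems.append("ClientId: not a GUID")
        elif client_id != client_id.lower():
            problems.append("ClientId: GUID must be lowercase")
    issuer_id = settings.get("IssuerId", "")
    if issuer_id and not GUID.match(issuer_id):
        problems.append("IssuerId: not a GUID")
    return problems
```
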

Hope that helps..!!