In this article we learn about add-in permissions in SharePoint Hosted Add-Ins, including types of add-in permissions, managing permissions and permission request scopes.
SharePoint Hosted Add-in Permission Request Scope
A SharePoint Add-in uses permission requests to specify the permissions that it needs to function correctly.
Table 1. SharePoint add-in permission request scope URLs and descriptions
Scope | Scope URI | Description |
---|---|---|
Tenant | http://sharepoint/content/tenant | The tenant where the add-in is installed. Its scope is the whole set of site collections. |
Site Collection | http://sharepoint/content/sitecollection | The site collection where the add-in is installed. Its scope is within the site collection. |
Web | http://sharepoint/content/sitecollection/web | The website where the add-in is installed. Its scope is within the site or subsite. |
List | http://sharepoint/content/sitecollection/web/list | A single list in the site where the add-in is installed. Its scope is within that list only. When the user is prompted to grant permissions while installing the add-in, the dialog enables the user to select one list to which the add-in is granted permissions. |
Types of SharePoint Hosted Add-in permissions
- Read – Enables apps to view pages, list items, and download documents.
- Write – Enables apps to view, add, update, and delete items in existing lists and document libraries.
- Manage – Enables apps to view, add, update, delete, approve, and customize items or pages within a web site.
- Full Control – Enables apps to have full control within the specified scope.
Managing SharePoint Hosted Add-in permissions
Within a SharePoint Add-in, the AppManifest.xml file is responsible for managing add-in permissions. The AppManifest.xml file is present in the add-in solution.
Steps
- Go to the SharePoint Hosted add-in solution.
- Click on the Permission tab.
Here we specify the permissions of the add-in. So we specify the Scope as ‘Tenant’ and the Permission as ‘Read’.
- Now we deploy the SharePoint add-in solution. After successful deployment it redirects to the Permission prompt page with the message ‘Your tenant administrator has to approve this app.’
Note:- In my scenario this site is not in the group of site collections that is defined only by the tenant. Tenant administrators have the option to batch-install a SharePoint Add-in to multiple websites.
- Now we change the Permission Scope to ‘Site Collection’ and the Permission to ‘Write’.
It redirects to the Permission prompt page with the message ‘Sorry, only site collection administrators can add or give access to this app’ with the Trust button disabled. The above message is shown because I am not a Site Collection Administrator.
Note:- In my scenario I am not an SCA of this site, so it shows the message ‘Sorry, only site collection administrators can add or give access to this app’.
- Now we change the Permission Scope to ‘Web’ and the Permission to ‘Write’.
It redirects to the Permission prompt page with the message ‘Let it edit or delete documents and list items in this site.’ with the Trust button enabled.
Note:- In this scenario the add-in has rights to edit and delete items and to access basic info of the user only on this site.
- Now we change the Permission Scope to ‘List’ and the Permission to ‘Write’.
It redirects to the Permission prompt page with the message ‘Let it have full control of the list:’ with a drop-down selection of lists.
Note:- In this scenario the add-in has Full Control rights only for the selected list on this site.
SharePoint Hosted Add-in Authorization Policies
There are three standard authorization policies related to hosted add-ins that we must consider when applying permissions to an add-in.
- Add-in and User policy: Both the current user and the add-in have sufficient permissions to perform the actions that the add-in is designed to perform.
- User-only policy: The user has sufficient permission to perform the action on the add-in. The user-only policy is required when a user is accessing their own resources, like a list or library, for manipulating through.
- Add-in only policy: The add-in has sufficient permissions to perform the actions on resources, like a list or library, that the add-in is designed to perform.
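
The scope and permission choices above end up as AppPermissionRequest entries in AppManifest.xml, so they can be reviewed before deployment. The following is an added example, not code from the original article: a small Python audit that flags requests broader than a chosen ceiling, and flags the AllowAppOnlyPolicy attribute, which is how a manifest asks for the add-in only policy. The sample manifest is constructed, and the ceiling (Web scope, Write right) is an assumed review policy.

```python
import xml.etree.ElementTree as ET

# XML namespace used by SharePoint add-in manifests.
NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
PREFIX = "http://sharepoint/content/"
# Scope URIs from Table 1, ordered narrowest to broadest.
SCOPES = {PREFIX + "sitecollection/web/list": "List",
          PREFIX + "sitecollection/web": "Web",
          PREFIX + "sitecollection": "Site Collection",
          PREFIX + "tenant": "Tenant"}
# Permission levels from the article, lowest to highest (manifest spelling).
RIGHTS = ["Read", "Write", "Manage", "FullControl"]

# Constructed sample manifest (not taken from a real add-in).
SAMPLE = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="DemoAddIn" ProductID="{00000000-0000-0000-0000-000000000000}" Version="1.0.0.0">
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  </AppPermissionRequests>
</App>"""

def audit_manifest(xml_text, max_scope="Web", max_right="Write"):
    """Return (scope, right, finding) tuples for requests above the ceiling.

    max_scope and max_right are a hypothetical review policy, not a SharePoint setting.
    """
    root = ET.fromstring(xml_text)
    order = list(SCOPES.values())
    findings = []
    block = root.find("m:AppPermissionRequests", NS)
    if block is None:
        return findings  # the manifest requests no permissions
    if block.get("AllowAppOnlyPolicy", "false").lower() == "true":
        findings.append(("*", "*", "add-in only policy enabled"))
    for req in block.findall("m:AppPermissionRequest", NS):
        scope = SCOPES.get(req.get("Scope", ""))
        right = req.get("Right", "")
        if scope is None or right not in RIGHTS:
            findings.append((req.get("Scope"), right, "scope or right not in Table 1"))
            continue
        if order.index(scope) > order.index(max_scope):
            findings.append((scope, right, "scope broader than " + max_scope))
        if RIGHTS.index(right) > RIGHTS.index(max_right):
            findings.append((scope, right, "right higher than " + max_right))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print(finding)
```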