Permissions considerations when calling O365 APIs

Recently I built a small proof-of-concept application that calls the Office 365 APIs to read data from a SharePoint site collection and to perform operations that need higher rights, such as creating lists. The aim was to verify how the user's permissions in SharePoint and the permissions granted to the application in Windows Azure together determine what data the application can access.

Though the app was written as a Windows application in .NET, the results should apply to every other platform that uses the corresponding O365 API, because they all call the same underlying infrastructure in Office 365.

The app performed the following operations in a SharePoint site:

  • View List Items
  • Create List Items
  • Create Lists

The app was tested with the following sets of application permissions (granted to the app in Azure):

  • Full Control
  • View / Add / Edit list items
  • View list items

In addition, the app was tested with the following types of users:

  • Global Administrator (Azure)
  • Site collection Admin \ Full Control
  • Members \ Contribute permissions
  • Visitors \ Read permission


Based on these tests I put together the permission matrix below. Please note that there is currently no official documentation on this behaviour; the results come from testing on my side.

The results should be the same on every platform from which the APIs are called, since the underlying infrastructure is the same.

Also note that the client application's own role is limited to obtaining the appropriate tokens. What the app can actually do is bounded by both the permissions granted to the app in Azure and the rights the signed-in user has in SharePoint, and it never exceeds the lesser of the two: granting the app Full Control does not let a Read-only visitor create anything, and a site collection administrator cannot create lists through an app that was only granted read/write on list items.

One more point worth mentioning: I noticed some lag between creating a new user and being able to perform operations as that user.

The API was tested against SharePoint only, so the matrix below applies to SharePoint only.
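The matrix was produced by attempting each operation as each user and recording whether SharePoint allowed it. The script below is an added example of that probing method, written for this page rather than taken from the original .NET application. It issues the three calls (create list, create list item, read list items) against the SharePoint REST endpoints under /_api/web with a bearer token and maps the HTTP outcome to the Yes/No cells of the matrix. The site URL, the token, the list title "Tasks" and the transport function are assumptions for illustration; the token is expected to come from ADAL/MSAL for the signed-in user, which is out of scope here. Because the result for a new user can change during the lag mentioned above, the transport is injectable so the probe can be re-run or driven by a fake.

```python
"""Probe which SharePoint list operations the current token may perform.

Added example (not the original post's .NET app). Assumptions:
  * SITE_URL is a SharePoint Online site collection URL (placeholder below).
  * TOKEN is an OAuth 2.0 bearer token for the SharePoint resource obtained
    for the signed-in user; how it is acquired is not covered here.
  * The target list is a custom list with a simple title, so its item entity
    type is SP.Data.<Title>ListItem (otherwise read ListItemEntityTypeFullName
    from /_api/web/lists/getbytitle('<Title>') first).
"""
import json
import urllib.error
import urllib.request

REST_HEADERS = {
    "Accept": "application/json;odata=verbose",
    "Content-Type": "application/json;odata=verbose",
}

# Probe operations in the same order as the matrix columns on this page.
OPERATIONS = ("create_list", "create_item", "read_items")


def http_transport(method, url, token, body=None):
    """Send one REST call with a bearer token and return the HTTP status.

    SharePoint answers an access-denied call with 403, so HTTP errors are
    returned as status codes rather than raised.
    """
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={**REST_HEADERS, "Authorization": "Bearer " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def build_requests(site_url, list_title):
    """Return (method, url, body) for each probe operation."""
    api = site_url.rstrip("/") + "/_api/web"
    items = f"{api}/lists/getbytitle('{list_title}')/items"
    return {
        "read_items": ("GET", items, None),
        "create_item": ("POST", items, {
            "__metadata": {"type": f"SP.Data.{list_title}ListItem"},
            "Title": "permission probe",
        }),
        "create_list": ("POST", f"{api}/lists", {
            "__metadata": {"type": "SP.List"},
            "BaseTemplate": 100,          # 100 = generic custom list
            "Title": "PermissionProbe",   # delete this list after a run
        }),
    }


def classify(status):
    """Map an HTTP status to a matrix cell: True/False, or None if inconclusive."""
    if status in (200, 201):
        return True
    if status == 403:
        return False
    # 401 means the token itself was rejected; 404/5xx say nothing about
    # SharePoint rights either, so leave the cell undecided.
    return None


def probe_rights(site_url, token, list_title, transport=http_transport):
    """Run the three probes; return {operation: True/False/None}."""
    reqs = build_requests(site_url, list_title)
    result = {}
    for op in OPERATIONS:
        method, url, body = reqs[op]
        result[op] = classify(transport(method, url, token, body))
    return result


def matrix_row(rights):
    """Render one matrix row: Can Create List | Can Create Items | Can Read."""
    cell = {True: "Yes", False: "No", None: "?"}
    return " | ".join(cell[rights[op]] for op in OPERATIONS)


if __name__ == "__main__":
    SITE_URL = "https://contoso.sharepoint.com/sites/poc"  # placeholder
    TOKEN = "<bearer token for the SharePoint resource>"   # placeholder
    print(matrix_row(probe_rights(SITE_URL, TOKEN, "Tasks")))
```

Run it once per combination of app permission and user, signing in as each test user in turn, and the printed rows reproduce the matrix. A 401 is reported as "?" rather than "No" so that a token problem is not mistaken for a SharePoint permission result.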

Following is the matrix.

1. App has Full Control

[Screenshot: app permissions set in Azure for the app (Full Control)]

Below are the permissions the application actually has, based on the rights of the currently logged-in user.

User rights                          | Can create list | Can create list items | Can read list items
-------------------------------------|-----------------|-----------------------|--------------------
Global Administrator (Azure)         | Yes             | Yes                   | Yes
Site collection Admin \ Full Control | Yes             | Yes                   | Yes
Members \ Contribute permissions     | Yes             | Yes                   | Yes
Visitors \ Read permission           | No              | No                    | Yes


2. App has read and write permissions on list items but cannot create lists

[Screenshot: app permissions set in Azure for the app (View / Add / Edit list items)]

Below are the permissions the application actually has, based on the rights of the currently logged-in user.

User rights                          | Can create list | Can create list items | Can read list items
-------------------------------------|-----------------|-----------------------|--------------------
Global Administrator (Azure)         | No              | Yes                   | Yes
Site collection Admin \ Full Control | No              | Yes                   | Yes
Members \ Contribute permissions     | No              | No                    | Yes
Visitors \ Read permission           | No              | No                    | Yes


3. App has only read permissions on lists

[Screenshot: app permissions set in Azure for the app (View list items)]

Below are the permissions the application actually has, based on the rights of the currently logged-in user.

User rights                          | Can create list | Can create list items | Can read list items
-------------------------------------|-----------------|-----------------------|--------------------
Global Administrator (Azure)         | No              | No                    | Yes
Site collection Admin \ Full Control | No              | No                    | Yes
Members \ Contribute permissions     | No              | No                    | Yes
Visitors \ Read permission           | No              | No                    | Yes