This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 70%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
My javascript client application needs to read/modify custom security attributes via the Graph API using delegated permissions. This works if I assign the "Attribute Assignment Administrator" and "Attribute Assignment Reader" role to the respective user.
However, with this role the users can read the custom security attributes of all users.
I want to have the permissions such that the users can only read/modify their own custom security attributes.
Futher information: I also granted the delegated "API Permissions" "CustomSecAttributeAssignment.ReadWrite.All". This permissions is not enough though. The Graph API returns either zero customSecurityAttributes (read) or denies the PATCH request with authorization denied.
Managing custom security attributes is an admin-level operation, you cannot delegate it to the end users themselves. Well you can, but you cannot restrict it as you've already noticed.
Thank you very much for the clarification.
Are you aware of any alternative I could use for this task instead of security attributes? Something which can be read and modified by only the users himself and stored in user profile?
Generally speaking, changing attributes is an admin operation. Even for attributes that the user can change themselves, an admin will always be able to override the change.
That said, there are a handful of properties the users can change themselves, probably the easiest way to do so is via Delve: https://support.microsoft.com/en-us/office/view-and-update-your-profile-in-delve-4e84343b-eedf-45a1-aeb9-8627ccca14ba
You will then be able to access said properties via Graph, i.e. $select=aboutMe,skills,etc
Thanks but I'm trying to store a secret value in the user profile only the user itself (and maybe admins) are allowed to read/modify. Skills/AboutMe in the profile are public and hence not a viable solution for my scenario.
In the last few days I read a lot in the documentation but no extensions seems to fulfill my needs:
With this constraints, extension attributes and open extensions are not possible, because with the application-permission User.Read it is also possible to read the two extensions. Schema and directory extensions require Applicaiton.ReadWrite permissions, violating the requirement that the user shall only be able to modify his own secret value.
Is there any suitable extension for this scenario? Or some way to have a custom permission model fulfilling this needs?
Or is there some other possiblity to synchronize users via app registration without the possiblity to read user extensions?
Thanks a lot in advance!