Permissions considerations when calling O365 APIs
Recently I did a small Proof of Concept application that called the Office 365 APIs to access data from a SharePoint site collection and performed some other operations that require higher rights, like creating lists. This was done to verify how the user's permissions in SharePoint and the permissions granted to the application in Windows Azure together determine what data the application can access.
Though this app was built as a Windows application in .NET, this should be applicable to all the other platforms that use the corresponding O365 API, as they call the same underlying infrastructure in Office 365.
The App did the following operations in a SharePoint site.
- View List Items
- Create List Items
- Create Lists
The app was tested with the following set of app permissions:
- Full Control
- View / Add / Edit list items
- View list items
In addition, the app was tested with the following types of users:
- Global Administrator (Azure)
- Site collection Admin \ Full Control
- Members \ Contribute permissions
- Visitors \ Read permission
Based on my tests I could come up with the permission matrix below. Please note there is currently no official documentation around this, and the results are based on testing on my side.
These results should remain the same across the various platforms from which the APIs are called, as the underlying infrastructure is the same.
Also, the scope of the client application is limited to retrieving the appropriate tokens; the permissions an app ends up with depend on the permissions granted to the app in Azure combined with the rights that the logged-in user has.
One more point I need to mention is that I found some time lag before I could perform some operations with a new user once the user was created.
The API was tested for SharePoint only, and the matrix below is applicable to SharePoint only.
Following is the matrix.
1. App has full control
Following are the app permissions set in Azure for the app.
Below are the permissions that the application will actually have, based on the currently logged-in user's rights.

| User rights | Can create list | Can create list items | Can read list items |
|---|---|---|---|
| Global Administrator (Azure) | Yes | Yes | Yes |
| Site collection Admin \ Full Control | Yes | Yes | Yes |
| Members \ Contribute permissions | Yes | Yes | Yes |
| Visitors \ Read permission | No | No | Yes |
2. App has read and write permissions on lists but cannot create lists
Following are the app permissions set in Azure for the app.
Below are the permissions that the application will actually have, based on the currently logged-in user's rights.

| User rights | Can create list | Can create list items | Can read list items |
|---|---|---|---|
| Global Administrator (Azure) | No | Yes | Yes |
| Site collection Admin \ Full Control | No | Yes | Yes |
| Members \ Contribute permissions | No | No | Yes |
| Visitors \ Read permission | No | No | Yes |
3. App has only read permissions on lists
Following are the permissions set in Azure for the app.
Below are the permissions that the application will actually have, based on the currently logged-in user's rights.

| User rights | Can create list | Can create list items | Can read list items |
|---|---|---|---|
| Global Administrator (Azure) | No | No | Yes |
| Site collection Admin \ Full Control | No | No | Yes |
| Members \ Contribute permissions | No | No | Yes |
| Visitors \ Read permission | No | No | Yes |
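The matrices above follow the rule stated earlier: an app can only do what both its Azure permission and the signed-in user's SharePoint right allow. The following is an added example (not the author's PoC code) that applies that rule as a pre-flight check: it parses the High/Low mask returned by SharePoint's `/_api/web/effectiveBasePermissions` endpoint, ANDs it with the app's granted scope, and reports the three operations the post tests. The scope labels and the sample responses are constructed for illustration, and the check reproduces every row of the matrices except the Members \ Contribute row in the second matrix, which the author observed as No for creating list items.

```python
# Added example: effective right = app scope AND user's SharePoint right.
# Scope labels and sample responses are constructed, not captured from a tenant.
import json

# SPBasePermissions bits for the three operations tested in the post.
VIEW_LIST_ITEMS = 0x1      # read list items
ADD_LIST_ITEMS = 0x2       # create list items
MANAGE_LISTS = 0x800       # create or delete lists

# Hypothetical app-permission profiles mirroring the three Azure settings
# in the post (full control / read and write items / read items).
APP_SCOPES = {
    "full control": VIEW_LIST_ITEMS | ADD_LIST_ITEMS | MANAGE_LISTS,
    "read and write": VIEW_LIST_ITEMS | ADD_LIST_ITEMS,
    "read": VIEW_LIST_ITEMS,
}


def parse_base_permissions(body: str) -> int:
    """Combine the High/Low strings of an effectiveBasePermissions reply into one 64-bit mask."""
    perms = json.loads(body)
    high, low = int(perms["High"]), int(perms["Low"])
    return (high << 32) | low


def effective_rights(app_scope: str, user_mask: int) -> dict:
    """Neither the app scope nor the user right alone is enough; both bits must be set."""
    allowed = APP_SCOPES[app_scope] & user_mask
    return {
        "can_read_list_items": bool(allowed & VIEW_LIST_ITEMS),
        "can_create_list_items": bool(allowed & ADD_LIST_ITEMS),
        "can_create_lists": bool(allowed & MANAGE_LISTS),
    }


# Constructed sample responses: a Visitor who can only view items, and a
# site collection admin holding the full mask (High 0x7FFFFFFF, Low 0xFFFFFFFF).
VISITOR_RESPONSE = json.dumps({"High": "0", "Low": str(VIEW_LIST_ITEMS)})
ADMIN_RESPONSE = json.dumps({"High": "2147483647", "Low": "4294967295"})

if __name__ == "__main__":
    for user, resp in (("visitor", VISITOR_RESPONSE), ("admin", ADMIN_RESPONSE)):
        mask = parse_base_permissions(resp)
        for scope in APP_SCOPES:
            print(f"{user:8} app={scope:15} -> {effective_rights(scope, mask)}")
```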