Bewerken

Delen via


Sharing and permissions in SharePoint Embedded

Additive permissions

In SharePoint Embedded, content always inherits permissions from its parent hierarchy. While you can't alter this inherited permission structure, you can extend access within a container by applying "additive permissions" to specific files and folders. For instance, if UserA belongs to the Reader role, you can grant the user edit permission to a particular document in that container using Microsoft Graph:

Scenario Microsoft Graph API(s) Notes
Grant an additive permission POST /drives/{drive-id}/items/{item-id}/invite The sendInvitation property must always be false. You can't grant additive permissions to the root folder in a container as this is essentially the same as adding a User to a role. You can't use AppOnly permissions.
Retrieve permissions GET /drives/{drive-id}/items/{item-id}/permissions & GET /drives/{drive-id}/items/{item-id}/permissions/{perm-id},
Delete an additive permission DELETE /drives/{drive-id}/items/{item-id}/permissions/{perm-id} You can only delete the additive permission on the drive item where it was originally added.

Role-based sharing setting

SharePoint Embedded offers a role-based sharing model that allows developers to configure file-sharing permissions based on container permission roles, offering a choice between restrictive and open sharing model. By default, the sharing setting is configured to the open model, permitting unrestricted content sharing by all users. This sharing setting is part of container type configuration. This configuration can only be set by application owner's developers. To learn more about container permission roles, refer to Authentication and Authorization with SharePoint Embedded.

Restrictive sharing model

Only container members who are either the Owner or Manager roles are permitted to add new permissions to files.

Open sharing model

Any container members and guests with edit permissions can add new permissions to this file.

This can be configured using the PowerShell cmdlet Set-SPOcontainerTypeConfiguration as per this example:

Set-SPOcontainerTypeConfiguration
    -containerTypeID <containerTypeID>
    -sharingRestricted $false

Sharing configuration setting

By default, SharePoint Embedded application sharing configuration is the same as the consuming tenant-sharing configuration. For example, if the consuming tenant is configured to disable sharing for guests, then the SharePoint Embedded application is unable to add guests to container roles or grant them additive permissions.

Application external sharing override

For SharePoint Embedded applications, sharing configurations can be adjusted at the application level. Consuming tenant admin can configure permissions that are different than tenant level sharing settings. For example, if a tenant's sharing setting prohibits sharing with guests, SharePoint Embedded applications can be configured to allow guest sharing. So, all containers within that SharePoint Embedded application would have the ability to include guests or extend another permissions, while other SharePoint Embedded applications and SharePoint maintain restricted sharing permissions.

This setting can only be set by consuming tenant SharePoint Embedded admin, and can be configured using the latest PowerShell cmdlet Set-SPOApplication as shown in this example:

Set-SPOApplication
    -OwningApplicationID <OwningApplicationId>
    -OverrideTenantSharingCapability $true
    -SharingCapability <SharingCapability>