DEV Community

Jaime López
Jaime López

Posted on • Originally published at intranetfromthetrenches.substack.com

3 1 1 2 2

Mastering Application Permissions in SharePoint Embedded

In the previous article, Containers and Files Security in SharePoint Embedded, we explored the power of content permissions for controlling access to container data. But security in SharePoint Embedded goes beyond just files and containers. Applications themselves play a crucial role in managing access and functionalities.

Man reading content of a filing cabinet by National Cancer Institute from Unsplash

This article dives deeper into the world of SharePoint Embedded application permissions. We'll uncover the different types of applications, how they interact with permissions, and the various roles you can define for granular control. By understanding these concepts, you'll be well-equipped to build secure and scalable solutions that empower your users within SharePoint.

Understanding Applications

Applications in SharePoint Embedded act as your tools for managing content and containers. Each application requires a Microsoft Entra ID identity, ensuring a secure environment. Additionally, they need specific Microsoft Graph permissions to call the corresponding endpoints.

There are two main types of applications, each playing a distinct role:

  • Owning Application: This application acts as the leader, directly linked to a container type. It's responsible for creating both the container type and its individual containers. Imagine it as the architect, designing the blueprints and laying the foundation. It also has complete control over these containers and their content.
  • Guest Application: As the name suggests, this application focuses on managing the content that lives inside containers. Think of it as the interior designer, arranging and presenting the content within the established structure.

Knowing Tenants

The concept of tenants is crucial when working with SharePoint Embedded applications. Tenants are essentially spaces where you build your solutions on top of the containers. Here's a breakdown of the two key tenants:

  • Development Tenant: This is your starting point! Here, you'll create and configure your Container Type and assign the owning application.
  • Consuming Tenant: This is the final point! This is where the Container Type is used so, containers are created. All data will be under the consuming tenant scope.

Defining Permissions

Permissions in SharePoint Embedded allow you to delegate control over different aspects of your solutions to applications. They can be combined to create various user roles and organize user actions effectively.

Here's a breakdown of the permission sets available, categorized by their scope:

  • Content:
    • ReadContent: Allows applications to read existing content within containers.
    • WriteContent: Allows applications to write content (files) to containers.
  • Container:
    • Create: Allows applications to create new containers.
    • Delete: Allows applications to delete containers.
    • Read: Allows applications to read container metadata.
    • Write: Allows applications to update container metadata.
  • Permission Management:
    • EnumeratePermissions: Allows applications to list container members and their roles.
    • AddPermissions: Allows applications to add new members to containers.
    • UpdatePermissions: Allows applications to change the role of existing members in the container.
    • DeletePermissions: Allows applications to remove members from containers (excluding itself).
    • DeleteOwnPermissions: Allows applications to remove themselves from container permissions.
    • ManagePermissions: Allows applications to perform all permission-related actions (add, update, remove, including itself).

There are two additional special permissions to be aware of:

  • None: The application has no access to containers.
  • Full: The application has all available permissions (use with caution).

Roles

This table provides a basic framework for defining roles with specific access levels to container content and management. You can adapt these roles further based on your specific needs and security requirements.

  • Viewer: Can only view the content and basic metadata of containers.
  • Contributor: Can view, create, edit, and delete the content of containers and read the container metadata.
  • Editor: Can view, create, edit content, manage basic container metadata, and see who has access to the container.
  • Administrator: Has full control over containers, including managing content, metadata, and permissions of other users.
  • Auditor: Can view container metadata and list members with their roles, but cannot access content.
  • Content Manager: Can view and modify the content of containers, but cannot create, delete, or manage container metadata or permissions.
  • Container Manager: Can create and delete containers, as well as view and edit their metadata. Cannot manage content or permissions.
  • Permission Manager: Can manage permissions for containers, including adding, removing, and modifying user roles. Cannot access content or container metadata.

SharePoint Embedded Applications Permissions Table

A Real-World Example

Let's imagine our business is an art gallery and we want to leverage SharePoint Embedded to create a solution. We want a system for artists to manage their artworks, a jury to evaluate submissions, and a public platform to showcase the art.

While it's possible to build everything into one app, we can leverage SharePoint Embedded's features to create a more secure and manageable solution with separate applications:

  1. Artist Portfolio: This artist-facing application allows them to view submitted artworks, track performance metrics, and update their profiles.
  2. Curatorial Review App: A secure application for jury members to review submissions, leave feedback, and manage roles (for administrators).
  3. Public Artwork Gallery Website: This website showcases the artwork available in the gallery. Users can browse submissions, view artist biographies, and potentially initiate purchases (without write access for this application). There wouldn't be a need for the public website to modify any content within SharePoint.

Assigning Permissions for Secure Access Control

Each application in this scenario will have a designated role within the SharePoint Embedded architecture:

  • Artist Portfolio App: This application requires ReadContent and WriteContent permissions. Artists can upload their works, view existing submissions, and update their profiles. Additionally, if the solution allows new artist registration, permissions like Create, Read, and Update might be needed for managing their own containers.
  • Curatorial Review App: ReadContent permission is sufficient for jury members to access and review submissions. They can also leave private feedback notes for artists. Depending on permission settings, they might have access to view other jurors' notes. For administrators managing roles, additional permissions like EnumeratePermissions, AddPermissions, and UpdatePermissions might be necessary.
  • Public Artwork Gallery Website: Since this is a public website, it only requires ReadContent permission to display the artwork information. There's no need for write access to modify content within SharePoint.

Conclusion

By understanding applications, tenants, permissions, and roles, you're equipped to build secure and scalable solutions with SharePoint Embedded. This approach allows for granular control over user access and data, ensuring a robust foundation for your custom SharePoint Embedded experiences.

Remember, this is just a starting point. As you delve deeper into SharePoint Embedded, you'll discover a vast array of possibilities for crafting unique and valuable applications!

References

Do your career a big favor. Join DEV. (The website you're on right now)

It takes one minute, it's free, and is worth it for your career.

Get started

Community matters

Top comments (2)

Collapse
 
ivis1 profile image
Ivan Isaac

Great breakdown of SharePoint Embedded permissions! Can you clarify how the roles differ when it comes to data security and compliance?

Collapse
 
jaloplo profile image
Jaime López

Thanks @ivis1 for your comment.

I don't know exactly what you are asking for. The roles I define in this article are just examples of what anybody can do based on the permission available in SharePoint Embedded. Purview features apply to the content independently of the application permissions assigned.

For content permissions, I've written an article talking about it. Here you have the link to it, dev.to/jaloplo/containers-and-file...

Hope this answer what you are asking for. If not, let me know and I will happy to answer.

A Workflow Copilot. Tailored to You.

Pieces.app image

Our desktop app, with its intelligent copilot, streamlines coding by generating snippets, extracting code from screenshots, and accelerating problem-solving.

Read the docs

👋 Kindness is contagious

Dive into an ocean of knowledge with this thought-provoking post, revered deeply within the supportive DEV Community. Developers of all levels are welcome to join and enhance our collective intelligence.

Saying a simple "thank you" can brighten someone's day. Share your gratitude in the comments below!

On DEV, sharing ideas eases our path and fortifies our community connections. Found this helpful? Sending a quick thanks to the author can be profoundly valued.

Okay