18 April 2016

SharePoint 2013 App Permission Management


What is App permission management?

  • Managing the ability of apps to:
    • Access and use internal SharePoint 2013 resources.
    • Perform tasks on behalf of users.
  • Determining the minimum permission levels required for an app.
  • Determining the app authorization policy.

App permission requests

  • A collection of permissions that enables apps to perform specific tasks.
  • The following app permission request levels are supported:

| Permission Request | Description | Permissions included |
|---|---|---|
| 1. Read-only | Enables apps to view pages, list items, and download documents. | View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages |
| 2. Write | Enables apps to view, add, update, and delete items in existing lists and document libraries. | Read-Only permissions, plus: Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts |
| 3. Manage | Enables apps to view, add, update, delete, approve, and customize items or pages within a web site. | Write permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets |
| 4. Full control | Enables apps to have full control within the specified scope. | All permissions |


App permission request scopes
  • Indicate the SharePoint 2013 hierarchy levels at which the permissions given to an app are valid.
  • The following permission request scopes are supported:

| Permission Request Scope | Description |
|---|---|
| SPSite | App permissions are valid at the SharePoint site collection level and below. |
| SPWeb | App permissions are valid at the SharePoint web site level and below. |
| SPList | App permissions are valid at the SharePoint list level and below. |
| Tenancy | App permissions are valid at the level of a set of site collections that are configured and administered as a single unit. |


App authorization policies
  • An authorization policy is required to ensure that the app functions correctly and complies with the specified authorization requirements.
  • The following authorization policies are available:

| App Authorization Policy | Description |
|---|---|
| User and App policy | Both the logged-in user and the app must have sufficient permissions for the app to run. |
| App-only policy | Only the app is required to have sufficient permissions for the app to run. |
| User-only policy | Only the logged-in user is required to have sufficient permissions for the app to run. |

Managing app permissions

Permissions for an app can be managed in the following ways:
  • During app installation.
  • By using explicit permission management, where the website administrator manages app rights.
  • By the end user managing app permissions.
  • During app removal.

How app permissions work
  • The user signs in to SharePoint and is authenticated.
  • The user chooses an app to install from the Office Store or the App Catalog.
  • The app requests permissions during installation.
  • The user grants the app permissions to access SharePoint resources on the user’s behalf.
  • When the app is launched, SharePoint 2013 provides a context token to the app based on the permissions granted to the app.
  • With the help of the context token, the app accesses SharePoint resources on behalf of the user.
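
The permissions an app asks for at installation are declared in its AppManifest.xml, so they can be reviewed before anyone grants them. The script below is an added example, not part of the original post: it maps each request to the levels, scopes and policies described above and lists the ones that deserve a manual look. The element names, attribute names and scope URIs follow the SharePoint 2013 app manifest schema and do not appear on this page; the sample manifest is constructed, and the review threshold (max_right) is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
PREFIX = "http://sharepoint/content/"
# Scope URI suffix -> scope name used in the scope table above.
SCOPES = {"tenant": "Tenancy", "sitecollection": "SPSite",
          "sitecollection/web": "SPWeb", "sitecollection/web/list": "SPList"}
# Manifest Right values in increasing order of privilege.
RIGHTS = ["Read", "Write", "Manage", "FullControl"]

# Constructed sample manifest, not taken from a real app.
SAMPLE = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  </AppPermissionRequests>
</App>"""

def review_manifest(xml_text, max_right="Write"):
    """Return (scope, right, reasons) for each request that needs manual review."""
    root = ET.fromstring(xml_text)
    block = root.find("m:AppPermissionRequests", NS)
    if block is None:
        return []
    app_only = block.get("AllowAppOnlyPolicy", "false").lower() == "true"
    findings = []
    for req in block.findall("m:AppPermissionRequest", NS):
        uri, right = req.get("Scope", ""), req.get("Right", "")
        scope = SCOPES.get(uri[len(PREFIX):]) if uri.startswith(PREFIX) else None
        reasons = []
        if scope is None:
            reasons.append("scope outside the four content scopes")
        elif scope == "Tenancy":
            reasons.append("valid across every site collection in the tenancy")
        if right not in RIGHTS:
            reasons.append("unrecognised right")
        elif RIGHTS.index(right) > RIGHTS.index(max_right):
            reasons.append("right above " + max_right)
        if app_only and reasons:
            reasons.append("app-only policy: no user permission check applies")
        if reasons:
            findings.append((scope or uri, right, reasons))
    return findings

if __name__ == "__main__":
    for scope, right, reasons in review_manifest(SAMPLE):
        print(scope, right, "; ".join(reasons))
```
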
