Thursday, March 28, 2013

SharePoint 2013 - App Permissions, Authentication, Authorization

An app in SharePoint receives the permissions it needs at installation time, from the user who installs it. The permissions an app requires are declared in its AppManifest.xml during development. The installing user either grants the app all the permissions they themselves hold or grants it none; the grant is all or nothing.

Generally, an app carries the following information:

  • Display name
  • Client ID of the app
  • App domain

Windows Azure Access Control Service (ACS) stores the basic information about an app, such as its display name and app URL. When a SharePoint user installs the app, SharePoint 2013 retrieves this information from ACS and stores it in the App Management Service. The content database service and the User Profile Service later obtain the information from the App Management shared service.

In SharePoint 2013, apps have their own identity, called the app principal. Unlike users and groups in SharePoint, the app principal has its own permissions and rights. The app principal asks SharePoint to host the app web, because it holds full permissions there.

Permission Scopes:
SharePoint offers several permission scopes: site, web site, list, library and tenancy. Here "site" denotes the site level, "web site" the web site level, and "list/library" the list or library level. A permission granted at a scope applies to every child scope: if the scope is site, the permission is inherited throughout the site and applies to all of its children.

Permission Rights:
SharePoint 2013 apps support four permission levels: Read, Write, Manage and Full Control. These correspond to the regular SharePoint Reader, Contributor, Designer and Full Control levels. To avoid confusion with the regular levels, the right names were made unique, except for Full Control, because the Full Control permission level cannot be customized. Read, Write, Manage and Full Control are the only permission rights for SharePoint content. Search has a single right, the Query right. Project Server has the Submit right and the Elevate right. Taxonomy has only Read and Write.

Permissions that SharePoint 2013 does not recognize are rejected: if an app's AppManifest.xml names a permission SharePoint 2013 does not know, the installation returns an error message. Likewise, if the user installing the app lacks sufficient permissions, an error message is shown.

Permission requests are declared in the AppManifest.xml file. The manifest below requests Read access at the web scope and Write access at the list scope:

<?xml version="1.0" encoding="utf-8" ?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     ProductID="{5b0dfe5f-715b-34b6-c497-e7c533b2272a}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0"
     Name="Sample App Development">
  <Properties>
    <Title>Sample App Development</Title>
    <StartPage>~remoteAppUrl/Home.aspx?{StandardTokens}</StartPage>
  </Properties>

  <AppPrincipal>
    <RemoteWebApplication ClientId="7acdfebb-4265-5214-b8d6-657645312987" />
  </AppPrincipal>

  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"/>
  </AppPermissionRequests>
</App>
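As an added example (not from the original post), here is a small Python check that mirrors the rules above: it reads the AppPermissionRequest entries from an AppManifest.xml, flags scopes or rights that SharePoint would not recognize (the kind of mistake that makes installation fail), and expands each requested scope to the child scopes that inherit it. The scope and right tables are assumptions assembled from this post and the documented content scope URIs; the sample manifest is constructed and deliberately contains a misspelt right and an unknown scope.

```python
"""Validate AppPermissionRequest entries in a SharePoint 2013 AppManifest.xml.

Added example, not from the original post.  The scope and right tables are
assumptions built from the post plus the documented content scope URIs.
"""
import xml.etree.ElementTree as ET

MANIFEST_NS = "{http://schemas.microsoft.com/sharepoint/2012/app/manifest}"

# Content scopes ordered parent before child.  A right granted at one scope is
# inherited by every scope listed after it.
CONTENT_SCOPES = [
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection/web/list",
]

# Rights SharePoint recognises per scope (assumption: assembled from the post).
KNOWN_RIGHTS = {scope: {"Read", "Write", "Manage", "FullControl"} for scope in CONTENT_SCOPES}
KNOWN_RIGHTS["http://sharepoint/taxonomy"] = {"Read", "Write"}


def inherited_scopes(scope):
    """Return the scope itself plus every content scope beneath it."""
    if scope not in CONTENT_SCOPES:
        return [scope]
    return CONTENT_SCOPES[CONTENT_SCOPES.index(scope):]


def validate_manifest(xml_text):
    """Return a list of problems; an empty list means every request is well formed."""
    problems = []
    root = ET.fromstring(xml_text)
    requests = root.findall(
        f"./{MANIFEST_NS}AppPermissionRequests/{MANIFEST_NS}AppPermissionRequest"
    )
    if not requests:
        problems.append("manifest declares no AppPermissionRequest")
    for req in requests:
        scope = req.get("Scope", "")
        right = req.get("Right", "")
        if scope not in KNOWN_RIGHTS:
            problems.append(f"unknown scope {scope!r}")
            continue
        if right not in KNOWN_RIGHTS[scope]:
            problems.append(f"unknown right {right!r} for scope {scope!r}")
    return problems


def requested_rights(xml_text):
    """Map each scope (including inherited child scopes) to the rights requested there.

    No validation is applied here; run validate_manifest first.
    """
    root = ET.fromstring(xml_text)
    effective = {}
    for req in root.iter(f"{MANIFEST_NS}AppPermissionRequest"):
        for scope in inherited_scopes(req.get("Scope", "")):
            effective.setdefault(scope, set()).add(req.get("Right", ""))
    return effective


# Constructed sample manifest: one valid request, one misspelt right, one unknown scope.
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     ProductID="{00000000-0000-0000-0000-000000000001}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0" Name="SampleApp">
  <Properties>
    <Title>SampleApp</Title>
    <StartPage>~remoteAppUrl/Home.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="00000000-0000-0000-0000-000000000002"/>
  </AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Wrire"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/folder" Right="Read"/>
  </AppPermissionRequests>
</App>"""

if __name__ == "__main__":
    for problem in validate_manifest(SAMPLE_MANIFEST):
        print("manifest problem:", problem)
    for scope, rights in requested_rights(SAMPLE_MANIFEST).items():
        print(scope, sorted(rights))
```

Running the sample reports the misspelt `Wrire` right and the unrecognized `.../web/folder` scope, and shows that the Read right requested at the web scope also lands on the list scope beneath it.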


As discussed above, all SharePoint sites and lists use these four rights. In other cases, such as BCS, Project Server, Search and Taxonomy, the available permissions differ.

App Permissions - When and How:
App permissions change at three points: when a web site administrator installs the app, when permissions are granted to it explicitly, and when the app is removed.

App permissions are stored in the content database under the app ID. Each content database registers the app's details, so when an app is granted permissions or is deleted, the permissions recorded in the content database are granted or deleted accordingly.

App Authentication and Authorization:
App authentication can proceed in several ways. If the call is not an OAuth call, it is allowed on the basis of the SharePoint principal associated with the app web. If it is an OAuth call, SharePoint uses Windows Azure Access Control Service (ACS).

App authorization uses one of three policies, depending on the authenticated identity: user-only, user+app, and app-only.
User-only policy is what SharePoint 2010 used; authorization considers only the user account.
User+app policy considers both the user identity and the app identity.
App-only policy considers only the app identity. For example, suppose four people (A, B, C, D) work in a site and only A wants to use the app. Under the app-only policy the app's permissions apply on behalf of user A as elevated permissions; the remaining people do not use the app.
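The three policies, as an added Python model that is not part of the original post. The right ranking (Write covers Read, and so on) is an assumption drawn from the post's analogy to the Reader, Contributor, Designer and Full Control levels, and the user and app right sets are constructed for the example.

```python
"""Model SharePoint 2013's three app authorization policies.

Added example, not from the original post.  The right ranking and the
sample right sets are assumptions; real SharePoint checks are richer.
"""
from enum import Enum

# Higher rights imply the lower ones, mirroring the post's analogy to the
# Reader / Contributor / Designer / Full Control levels (assumption).
RIGHT_RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}


class Policy(Enum):
    USER_ONLY = "user-only"  # SharePoint 2010 style: only the user identity is checked
    USER_APP = "user+app"    # the user AND the app principal must both hold the right
    APP_ONLY = "app-only"    # only the app principal is checked (elevated access)


def holds(granted, needed):
    """True if the strongest right in `granted` covers `needed`."""
    strongest = max((RIGHT_RANK[r] for r in granted), default=0)
    return strongest >= RIGHT_RANK[needed]


def is_authorized(policy, needed, user_rights, app_rights):
    """Decide one access check under the given policy."""
    if policy is Policy.USER_ONLY:
        return holds(user_rights, needed)
    if policy is Policy.USER_APP:
        # The app cannot do more than the user, and the user cannot use the
        # app to do more than the app itself was granted.
        return holds(user_rights, needed) and holds(app_rights, needed)
    if policy is Policy.APP_ONLY:
        return holds(app_rights, needed)
    raise ValueError(f"unknown policy {policy!r}")


# Constructed scenario: the app principal was granted Write on a list, while the
# users calling through it hold different rights of their own.
APP_RIGHTS = {"Write"}
USER_RIGHTS = {"A": {"Read"}, "B": {"Write"}, "C": {"FullControl"}, "D": set()}


def decisions(needed="Write"):
    """Outcome of the same access check for every user under every policy."""
    return {
        (user, policy.value): is_authorized(policy, needed, rights, APP_RIGHTS)
        for user, rights in USER_RIGHTS.items()
        for policy in Policy
    }


if __name__ == "__main__":
    for (user, policy), allowed in sorted(decisions().items()):
        print(f"user {user} / {policy:9s}: {'allowed' if allowed else 'denied'}")
```

User A, who holds only Read, is denied a Write under user-only and user+app but allowed under app-only, which is the elevation the paragraph above describes; under user+app, a user with Full Control still cannot obtain Manage through an app that was granted only Write.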
