We have written an application that access SharePoint CSOM apis to do the following:
- Get sharepoint users and groups in a site collection.
- Get sites in a site colleciton
- Get lists in a site collection
- Get role assignments/definitions
- Get list items in a site collection.
- Get changes since a given time in a site collection.
When we access SharePoint online using app-auth (oauth or azure private key), we are forced to give Full admin access to the app in order to do these things.
But when we user a normal service account (username/password) we have access to the fine-grained permissions as you would expect. We do this by creating a custom SharePoint permission level and give it
- View Items - View items in lists and documents in document libraries.
- Open Items - View the source of documents with server-side file handlers.
- View Versions - View past versions of a list item or document.
- View Application Pages - View forms, views, and application pages. Enumerate lists. Site Permissions
- View Web Analytics Data - View reports on Web site usage.
- Browse Directories - Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.
- View Pages - View pages in a Web site.
- numerate Permissions - Enumerate permissions on the Web site, list, folder, document, or list item.
- Browse User Information - View information about users of the Web site.
- Use Remote Interfaces - Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site.
- Open - Allows users to open a Web site, list, or folder in order to access items inside that container.
Is Microsoft ever going to fix this so that app-auth can be given fine grained permission?
