Fine grained permissions applied to SharePoint Online App-Auth?

We have written an application that accesses SharePoint CSOM APIs to do the following:

  1. Get SharePoint users and groups in a site collection.
  2. Get sites in a site collection.
  3. Get lists in a site collection.
  4. Get role assignments/definitions.
  5. Get list items in a site collection.
  6. Get changes since a given time in a site collection.

When we access SharePoint online using app-auth (oauth or azure private key), we are forced to give Full admin access to the app in order to do these things.

But when we use a normal service account (username/password) we have access to the fine-grained permissions as you would expect. We do this by creating a custom SharePoint permission level and giving it:

  • View Items - View items in lists and documents in document libraries.
  • Open Items - View the source of documents with server-side file handlers.
  • View Versions - View past versions of a list item or document.
  • View Application Pages - View forms, views, and application pages. Enumerate lists. Site Permissions
  • View Web Analytics Data - View reports on Web site usage.
  • Browse Directories - Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.
  • View Pages - View pages in a Web site.
  • Enumerate Permissions - Enumerate permissions on the Web site, list, folder, document, or list item.
  • Browse User Information - View information about users of the Web site.
  • Use Remote Interfaces - Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site.
  • Open - Allows users to open a Web site, list, or folder in order to access items inside that container.

Is Microsoft ever going to fix this so that app-auth can be given fine grained permission?

0 Replies
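As an added example (not the poster's code), this CSOM snippet builds the read-only permission level the post describes, one `PermissionKind` per listed base permission, and adds a check that reports which role definitions on the web carry write or manage rights so the service account's level can be verified against them. The level name and description are assumptions; the post does not name them.

```csharp
using System;
using System.Linq;
using Microsoft.SharePoint.Client;

// Added example, not the poster's code: the read-only permission level from the post,
// plus an audit of the web's role definitions for write/manage rights.
public static class ReadOnlyPermissionLevel
{
    // Hypothetical name; the post does not name its custom level.
    public const string LevelName = "Inventory Read-Only";

    // Base permissions listed in the post, mapped to their CSOM enum values.
    public static readonly PermissionKind[] ReadOnlyKinds =
    {
        PermissionKind.ViewListItems,        // View Items
        PermissionKind.OpenItems,            // Open Items
        PermissionKind.ViewVersions,         // View Versions
        PermissionKind.ViewFormPages,        // View Application Pages
        PermissionKind.ViewUsageData,        // View Web Analytics Data
        PermissionKind.BrowseDirectories,    // Browse Directories
        PermissionKind.ViewPages,            // View Pages
        PermissionKind.EnumeratePermissions, // Enumerate Permissions
        PermissionKind.BrowseUserInfo,       // Browse User Information
        PermissionKind.UseRemoteAPIs,        // Use Remote Interfaces
        PermissionKind.Open,                 // Open
    };

    // Rights that must never appear on a read-only level.
    static readonly PermissionKind[] WriteKinds =
    {
        PermissionKind.AddListItems, PermissionKind.EditListItems, PermissionKind.DeleteListItems,
        PermissionKind.ManageLists, PermissionKind.ManagePermissions, PermissionKind.ManageWeb,
    };

    // Creates the custom permission level on the context's web.
    public static RoleDefinition Create(ClientContext ctx)
    {
        var perms = new BasePermissions();
        foreach (var k in ReadOnlyKinds) perms.Set(k);
        var rd = ctx.Web.RoleDefinitions.Add(new RoleDefinitionCreationInformation
        {
            Name = LevelName,
            Description = "Read-only access for the inventory service account", // assumed text
            BasePermissions = perms,
        });
        ctx.ExecuteQuery();
        return rd;
    }

    // Names of role definitions that grant any write or manage right; the service
    // account's level should not be in this list.
    public static string[] LevelsWithWriteRights(ClientContext ctx)
    {
        var defs = ctx.Web.RoleDefinitions;
        ctx.Load(defs, c => c.Include(d => d.Name, d => d.BasePermissions));
        ctx.ExecuteQuery();
        return defs.Where(d => WriteKinds.Any(k => d.BasePermissions.Has(k)))
                   .Select(d => d.Name).ToArray();
    }
}
```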