A SharePoint Add-in is an app that extends the capabilities of SharePoint sites through customization, using client-side object models only. Add-ins let us run custom code and business logic outside the SharePoint farm or SharePoint Online, which assures the SharePoint administrator that the code doesn't harm SharePoint or its performance.

There are two types of SharePoint Add-in: SharePoint-hosted and provider-hosted.

In this article, I will explain SharePoint Add-in permissions and how to manage them.

Insights on Permissions for SharePoint Add-in

A SharePoint Add-in requires permission to access SharePoint resources and content. Based on its needs, we specify the permissions the add-in requests, and the user installing it grants them during installation. The requests are declared in an XML file inside the add-in called the manifest file. The manifest file contains the set of permissions requested for the add-in, and the installer can either grant all of the requested permissions or none. There is no option for selective permission.

The add-in's permissions are stored in the content database of the SharePoint farm or SharePoint Online tenancy. Therefore, all of the add-in's permissions are revoked when the add-in is removed or deleted.

There are several scopes, each of which can be requested with one of the permission rights: Read, Write, Manage and Full Control.

Scopes are listed below:

  • Tenant – http://sharepoint/content/tenant
  • Site Collection
  • Web
  • List
  • User Profiles (Social)
  • Search
  • Business Connectivity Services
  • News Feed
  • Single Project
  • Multiple Projects
  • Core
  • Enterprise Resources
  • Workflow

We can request one or more scopes, each with any of the permission rights. The permission rights are:

  • Full Control
  • Manage
  • Read
  • Write

Note: these scopes and permission rights are declared in the manifest file in XML format.

Add Permission to New SharePoint Add-in

We can add permission scopes and rights while creating the add-in in a Visual Studio solution.

Open the App with Visual Studio >> Open AppManifest.xml file >> Permissions Tab

Select Scope and Permission Rights as portrayed.

Update Permission to Existing SharePoint Add-in

In some cases, we might need to update or re-grant the permissions because requirements have changed. We can then follow the steps below:

1. Navigate to the site collection and open the http://<SharePointSiteCollection>/_layouts/15/AppInv.aspx URL.

2. Enter the Add-in ID (App ID) or Client ID and hit the Lookup button. The add-in's details will then be populated.

After the lookup by Client ID or App ID, the page shows the add-in's details and a field where we can add or update its permissions in XML format.

3. Now, we can fill in the permission XML, as in this sample:

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
</AppPermissionRequests>

Based on our requirements, we can add scopes and rights.

4. Then click the Create button and Trust it.

This is how we can add permissions to a SharePoint Add-in.

Regarding permission XML, let me explain in more detail.

For Full Control permission at tenant level:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

Similarly, for Manage, Read or Write, we can change the right as shown:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
</AppPermissionRequests>

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
</AppPermissionRequests>

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Write" />
</AppPermissionRequests>

For Site collection permission:

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

For Web Permission:

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

For List Permission:

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl" />
</AppPermissionRequests>

For User Profile permission:

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
</AppPermissionRequests>

You can add multiple permissions based on needs, as shown:

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
</AppPermissionRequests>
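Because a permission granted at a content scope also applies to that scope's children, and because AllowAppOnlyPolicy lets the add-in act on its own permissions without a user's rights limiting it, it is worth reviewing the permission XML before clicking Trust. The following Python check is an added example, not part of the original article or of SharePoint; the function name, the finding labels and the review thresholds are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}
# Content scopes from broadest to narrowest; a grant covers the scope and its children.
CONTENT_CHAIN = [
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection/web/list",
]

def _local(tag):
    """Drop an XML namespace so manifest and AppInv.aspx fragments both parse."""
    return tag.rsplit("}", 1)[-1]

def audit_permission_xml(xml_text):
    """Return (scope, right, finding) tuples for one AppPermissionRequests block."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("a permission request should not carry a DTD")
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "AppPermissionRequests":
        raise ValueError("root element must be AppPermissionRequests")
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests = [(r.get("Scope", ""), r.get("Right", ""))
                for r in root if _local(r.tag) == "AppPermissionRequest"]
    findings = []
    for scope, right in requests:
        if right not in RANK:
            findings.append((scope, right, "unknown-right"))
            continue
        if right == "FullControl":
            findings.append((scope, right, "full-control"))
        if app_only and scope == CONTENT_CHAIN[0] and RANK[right] >= RANK["Write"]:
            findings.append((scope, right, "app-only-tenant-write"))
        if scope in CONTENT_CHAIN:
            # Redundant when a broader scope already requests an equal or higher right.
            for broader in CONTENT_CHAIN[:CONTENT_CHAIN.index(scope)]:
                if any(s == broader and RANK.get(r, 0) >= RANK[right] for s, r in requests):
                    findings.append((scope, right, "covered-by:" + broader))
                    break
    return findings

# Constructed input: the combined permission sample shown in this article.
COMBINED = """<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
</AppPermissionRequests>"""
```

Calling audit_permission_xml(COMBINED) reports the web and list requests as already covered by the site collection request, so they can be dropped or the site collection request narrowed.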

Conclusion

In this article, I have explained SharePoint Add-ins and their capabilities. We can extend the capabilities of SharePoint through add-ins without harming the SharePoint farm or its performance. Furthermore, I have described the two types of add-ins in SharePoint. I have described the permissions for SharePoint Add-ins with their scopes and rights. Lastly, I have demonstrated how to add permissions to a new add-in and to an existing add-in with various permissions.