Permissions - M365

I want to share my app with users from an external organization that uses M365. Is it necessary for AppSheet to ask for all of these permissions? Can we limit these to only the basic ones, like login? The admin doesn't want to approve all of these.

Screenshot_2.png

I got an answer from support:

  1. Have full access to user files: The application is looking for a specific file type on the user's storage system
  2. Read all groups: maybe using groups as a base to narrow down a search?
  3. Maintain access to data that has been granted access: If the app is being used to sync data the access will definitely need to be permanent
  4. View user base profile: If the data needs to be created on the same user on Google it would need to know what the email is to assign the owner of the file  
  5. Edit or delete items in all site collections: The app needs to read what's inside each file to know what to add on Google Sheets.


@Wojciech_Sz wrote:

I want to share my app with users from an external organization that uses M365. Is it necessary for AppSheet to ask for all of these permissions?


What permissions are you referring to?

If you are referring to adding users in the users list, AppSheet apps do have a setting to allow any authenticated user to use the app. You can specify a specific authenticator OR allow any authenticator AppSheet supports. Note that anyone with the app link and an account with a supported authenticator can then log in to the app.

If you wish to provide additional permissioning beyond login (i.e. what data they can see or if they can see ANY data at all), you would need to build into the app your own Users table that provides these capabilities. This, of course, still means that each of these users needs to be added in some way to give them proper permissions, but you can build in Admin access that allows a person from that external organization to manage who is added.

I hope this helps!

I'm referring to the permissions that the admin in the M365 organization needs to approve. Without this, no user can log in to the app. I think this is an OAuth thing.

As said in https://help.appsheet.com/en/articles/962121-appsheet-permissions-to-your-cloud-provider

App Users
If your app is a Public app, then the users are not asked to sign in and AppSheet does not ask them for any permissions.
If your app requires sign-in (e.g. via a Google Account), then as part of signing in, the users are asked to provide AppSheet some permissions.

Here is what they are agreeing to and why:

  • They let AppSheet verify their identity. This is so that we can associate a unique identity with each user.

  • They let AppSheet know their email. This is so that we can match their account to your app user list to provide security and access control for your app.

We call this a "basic" authorization scope, and it is currently implemented for Google Drive, Office365, and Dropbox providers. Other providers will ask the app user for the same permissions as the app creator (full scope).

If your app utilizes some specific features (like Private Tables or run As-App-User), then AppSheet needs to ask the user for the same permissions as an app creator (full scope). These features are not used very often.

-------------

So, full scope is these permissions attached to my first post? I can only ask for basic scope (OAuth) when the app uses only specific features? Which are these specific features? I want to use only basic scope in my app.

@Steve Could you help me with this? Or connect to somebody from AppSheet?

I know nothing of Office 365. Support is your best option, I think.

https://www.appsheet.com/Support/Contact

I have a better understanding of what/why you are asking now.

Regardless of who the authenticating provider is, what permissions each user needs will be based on how the App tables are defined from a Security perspective. Each user would need to be at least an authorized user - "basic" authorization scope.

Every table within the AppSheet app has 2 settings in the Security section to control WHOSE access is used.

  • Access mode
  • Shared?

The Access mode is normally set to the App Creator's account - "as app creator" - to provide the file read/write access permissions - what you refer to as "full scope". This account would be the only one needing these permissions, as specified by the provider, to folders that the AppSheet app would need to access. You can change the Access mode to "as app user"; then permissions would be based on those for the logged in user.

The Shared? setting deals with WHERE to retrieve the table data and files. App tables are normally set as Shared, meaning that tables and files are accessed through the App Creator's account. You can have some tables Shared and others NOT Shared. If NOT Shared, this creates Private tables and files, data that is only seen by the logged in user, and the user would require the proper permissioning for folder access under their login account.

IMAGE - not able to add at the moment.  Look at the Security section of a table to see the settings I'm referring to above.
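
The "basic" versus "full" scope distinction discussed in this thread, as an added example that is not part of any post and is not AppSheet's code: a Python check an M365 admin could run on the `scope` parameter of an OAuth authorize URL to see whether a sign-in asks for identity only or also for data access. The URLs and client_id are constructed samples, and the Graph scope names are assumptions, since the thread shows only the consent-screen wording.

```python
from urllib.parse import urlsplit, parse_qs

# OpenID Connect scopes that only identify the user (identity and email,
# the "basic" authorization scope in the help article quoted above).
SIGN_IN_SCOPES = {"openid", "email", "profile"}
# Grants a refresh token: longer-lived access, not access to more data.
PERSISTENCE_SCOPES = {"offline_access"}

# Constructed sample requests (placeholder client_id, assumed scope names).
BASE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code")
FULL_URL = BASE + ("&scope=openid+email+profile+offline_access"
                   "+Files.ReadWrite+Group.Read.All+Sites.ReadWrite.All")
BASIC_URL = BASE + "&scope=openid%20email%20profile"


def classify_scopes(authorize_url):
    """Split the scope parameter of an authorize URL into three buckets."""
    query = parse_qs(urlsplit(authorize_url).query)
    # scope is a space-delimited list; parse_qs decodes '+' and %20.
    scopes = " ".join(query.get("scope", [])).split()
    result = {"sign_in": [], "persistence": [], "data_access": []}
    for scope in scopes:
        # Resource scopes may be written as full URIs; keep the last segment.
        name = scope.rsplit("/", 1)[-1]
        key = name.lower()
        if key in SIGN_IN_SCOPES:
            result["sign_in"].append(name)
        elif key in PERSISTENCE_SCOPES:
            result["persistence"].append(name)
        else:
            # Anything unrecognised is treated as data access, so an
            # unfamiliar scope is reviewed rather than waved through.
            result["data_access"].append(name)
    return result


def is_basic_only(authorize_url):
    """True when the request asks for identity scopes and no data scopes."""
    buckets = classify_scopes(authorize_url)
    return bool(buckets["sign_in"]) and not buckets["data_access"]


if __name__ == "__main__":
    for label, url in (("full", FULL_URL), ("basic", BASIC_URL)):
        print(label, classify_scopes(url), "basic only:", is_basic_only(url))
```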
