Plan app permissions management in SharePoint 2013

SharePoint 2013

We are in the process of combining the SharePoint Server 2013 and SharePoint Server 2016 content into a single content set. We appreciate your patience while we reorganize things. See the Applies To tag at the top of each article to find out which version of SharePoint an article applies to.


Applies to: SharePoint Foundation 2013, SharePoint Server 2013 Enterprise, SharePoint Server 2013 Standard

Topic Last Modified: 2015-03-09

Summary: App permissions management enforces security and enables the additional functionality that apps provide on SharePoint 2013 sites.

The purpose of app permissions management is to manage the ability of apps to access and use internal SharePoint 2013 resources and perform tasks on behalf of users. For app authentication, SharePoint 2013 relies on a trusted token service named the Azure Access Control Service (ACS) to issue time- and scope-limited access tokens for apps. In SharePoint 2013, the ACS acts as the app identity provider. The app authentication process verifies a claim that an app makes and asserts that the app can act on behalf of an authenticated SharePoint 2013 user. The authorization process verifies that an authenticated app has permission to access a specified resource and perform a defined function. You can configure SharePoint 2013 to process app permissions and enable anyone who enters an anonymous web site, for example, to view and fill out a form that requests additional information about a product or service. You can also allow a SharePoint 2013 site owner, or a user with elevated permissions, to purchase and install an app that a defined set of internal SharePoint 2013 users can access. For example, a site owner can purchase and install an expense report app for a workgroup, and the members of the workgroup can use the app to access data in SharePoint 2013 document libraries and generate expense reports. For more information about apps, see Overview of apps for SharePoint 2013.

In this article:

  • App permission request scopes

  • App permission requests

  • App authorization policies

To plan the management of SharePoint 2013 app permissions, you have to determine the specific SharePoint 2013 resources that the app will need to access, and where those resources reside. You also have to determine the minimum permission level that will be required to enable the app to function correctly. In addition, you have to determine the appropriate app authorization policy to ensure that the app functions correctly and complies with specified authorization requirements.

SharePoint 2013 apps provide a wide variety of powerful tools and enhanced functionality that can increase the usefulness of your SharePoint 2013 deployment. When you decide to support the implementation of SharePoint 2013 apps within your deployment, you need to determine who will be installing the apps and who will be using them. You also need to determine the appropriate scope and permission levels for each app, based on how the app is intended to be used.

This article explains how to decide which scope, permission level, and authorization policy to use for the various types of SharePoint 2013 apps you plan to deploy, depending on how the app is going to be used and who is going to use the app. This article does not explain how to create or configure SharePoint 2013 apps.

SharePoint 2013 apps use app permission request scopes and permission requests to specify the level at which the app is intended to run, and the permission level that is assigned to the app. The app permission request scope indicates the location within the SharePoint 2013 hierarchy where a permission request will apply. SharePoint 2013 supports the following permission request scopes:

  • SPSite Defines the app permission request scope as a SharePoint 2013 site collection.

  • SPWeb Defines the app permission request scope as a SharePoint 2013 web site.

  • SPList Defines the app permission request scope as a SharePoint 2013 list.

  • Tenancy Defines the app permission request scope as a SharePoint 2013 tenancy.

If an app is granted permission to one scope, the permission also applies to the children of that scope. For example, if an app is granted permission to a web site by using the SPWeb scope, the app is also granted permission to each list (SPList scope) that is contained within the SPWeb scope and all list items within each list. Because permission requests are made without information about the topology of the site collection where the app is installed, the scope is expressed as a type rather than as the URL of a specific instance. These scope types are expressed as URIs. Content database related permissions are organized under this URI: http://sharepoint/content. The following table provides an URI example for each app permission request scope.


Scope URI









App permission requests are collections of permissions that enable apps to perform specific tasks. SharePoint 2013 includes four app permission request levels.

The following table lists the four app permission requests that you can assign to a SharePoint 2013 app.


Permission request Description Permissions included


Enables apps to view pages, list items, and download documents.

  • View Items

  • Open Items

  • View Versions

  • Create Alerts

  • Use Self-Service Site Creation

  • View Pages


Enables apps to view, add, update, and delete items in existing lists and document libraries.

  • Read-Only permissions, plus:

  • Add Items

  • Edit Items

  • Delete Items

  • Delete Versions

  • Browse Directories

  • Edit Personal User Information

  • Manage Personal Views

  • Add/Remove Personal Web Parts

  • Update Personal Web Parts


Enables apps to view, add, update, delete, approve, and customize items or pages within a web site.

  • Write permissions, plus:

  • Manage Lists

  • Apply Themes and Borders

  • Apply Style Sheets

Full Control

Enables apps to have full control within the specified scope.

  • All permissions

There are important security implications when you assign a permission request level to a SharePoint 2013 app. The permission request level must be adequate to allow the app to function correctly and complete every aspect of the task it is designed to perform. However, it is also important to make sure that the assigned permission request level does not exceed the minimum requirements to complete the task. For example, the Read-Only app permission request level is adequate for a SharePoint 2013 app that is gathering and rendering data in response to a query. However, the Write app permission request level will be required for a SharePoint 2013 app that is intended to add new data or update existing data in a SharePoint 2013 library.

In addition to determining the app permission request scope and the app permission request level for each app you deploy, you must also determine which app authorization policy is appropriate. SharePoint 2013 provides the following app authorization policies:

  • User and app policy When you assign the user and app policy to a SharePoint 2013 app, the content database authorization checks succeed only if both the current user and the app have sufficient permissions to perform the actions that the app is designed to perform. The user and app policy is required when a SharePoint 2013 site has an embedded IFRAME that links to a SharePoint Store app, and the app calls back to SharePoint 2013 to access SharePoint 2013 resources on behalf of the user. For example, this is a requirement when a SharePoint Store app that does not run within SharePoint 2013 needs to act on behalf of a user to access the user's resources.

  • App-only policy When you assign the app-only policy to a SharePoint 2013 app, the content database authorization checks succeed if the app has sufficient permissions to perform the actions that the app is designed to perform, whether or not the current user (if there is a current user) has the same permissions. The app-only policy is required when the app is not acting on behalf of a user.

  • User-only policy When you assign the user-only policy, the content database authorization checks succeed if the user has sufficient permissions to perform the action that the app is designed to perform. The user-only policy is required when a user is accessing their own resources.