SharePoint 2013 - Scope, Requesting And Granting App Permissions


In this article, we will explore SharePoint 2013 apps security - Managing app permissions functionality to a SharePoint site.


If you have started creating a new SharePoint app in SharePoint 2013 which requires permissions to write into one or many lists of the host-web, you instantly realize that it is not possible to specify which Lists/Libraries should be given permissions to write.

That is because the Security model (controllable via the AppManifest.xml) does not work like that, but rather uses “Scope” as follows.


Open the Manifest Designer view (double-click the AppManifest.xml file). On the General tab, the Title text box should show the app name that you typed in "New app"  text box. Choose the Permissions tab to add the following permission requests for the app (see Figure ).

  • In the first row of the Permission requests list, in the Scope column, choose Statusing in the drop-down list. In the Permission column, choose SubmitStatus.

  • Requesting and granting app permissions

    The Permissions tab of the app manifest designer supplied by Microsoft Visual Studio makes it easy to add and configure permission requests without having to work with the XML elements directly. The screenshot in Figure shows what the Permissions tab looks like when you are configuring permission requests. You are not required to make direct edits to the AppManifest.xml file to add permission requests.

There are several different types of permissions that an app can request in SharePoint 2013. The below table provides a listing of more common ones that can be used in app development in SharePoint 2013.

Table - Permission types in SharePoint 2013

Object typeScope URIRights
Tenancyhttp://sharepoint/content/tenantRead, Write, Manage, FullControl
Site collectionhttp://sharepoint/content/sitecollectionRead, Write, Manage, FullControl
Host webhttp://sharepoint/content/sitecollection/webRead, Write, Manage, FullControl
Listshttp://sharepoint/content/sitecollection/web/listRead, Write, Manage, FullControl
Managed metadatahttp://sharepoint/taxonomyRead, Write
Social corehttp://sharepoint/social/coreRead, Write, Manage, FullControl
Social tenancyhttp://sharepoint/social/tenantRead, Write, Manage, FullControl
Microsofeedhttp://sharepoint/social/microfeedRead, Write, Manage, FullControl


It is worth noting that running with app-only permissions is only possible when using external authentication. Executing calls from an app with app-only permissions is not possible when using internal authentication. Therefore, running with app-only permissions is not possible from SharePoint-hosted apps. Calls from a SharePoint-hosted app always require that app permissions and user permissions succeed.