App Scoping. Who can see the apps?
We know that there is a single app catalog per web application. With the one web application matra, you can have separate department or business units site collections under one web application. Further, these departments will develop their own apps that are valid only for their site collections and will have some security needs. So how to prevent users of one department/business unit from installing/seeing apps developed for another department. Here is the solution
Permissions and app scoping can be achieved by the following configuration
- 1) Only site owners can install the apps
- 2) The site owners must have read-only permission on the root of the app catalog to be able to see the app and thereby install it.
- 3) Security isolation for the apps should be achieved by creating folders in the app catalog and assigning permissions to those folders.
- 4) Once the folder is created, break inheritance on the folder and only provide read-only access to site owners who should be able to install the apps on their sites.
For example
- Site 1 – Site Owner is Bob
- Site 2- Site Owner is Joe
In the app catalog;
- Provide Bob and Joe read-only access at the site level
- Create a folder Site 1 Apps in the app catalog
- Break inheritance and remove Joe’s access to this folder so that only Bob has access to this folder
- Similarly, create a folder Site 2 Apps in the app catalog
- Break inheritance and remove Bob’s access to this folder so that only Joe has access to this folder
With this setup;
- Only Bob can add apps to his site, Site 1, from the Site 1 apps folder from the catalog. He will not see the apps in the Site 2 Apps folder
- Similarly, Only Bob can add apps to his site, Site 2, from the Site 2 apps folder from the catalog. He will not see the apps in the Site 1 Apps folder