Redigera

Dela via


Register file storage container type application permissions

In order for a SharePoint Embedded application to interact with containers in a consuming tenant, the container type must first be registered in the consuming tenant. Container type registration happens when the owning application invokes the registration API to specify what permissions can be performed against its container type. The registration API also grants access to other Guest Apps to interact with the owning application's containers. For example, a SharePoint Embedded application can grant permissions to another application--a Guest App so that the Guest App can perform backup operations against its containers.

Since the registration API controls the permissions that a SharePoint Embedded application can perform against the container in the consuming tenant, this call should be one of the first APIs invoked. Failure to do so results in access denied errors when invoking other APIs against the container and/or the content in the containers.

There are no restrictions on how many times the registration API can be invoked. How often the registration API is invoked and when it's invoked is dependent on the SharePoint Embedded application. However, the last successful call to the registration API determines the settings used in the consuming tenant.

Note

Only the owning application of the container type can invoke the registration API in the consuming tenant.

The registration API is NOT a Graph API and can only be invoked using an AppOnly and a cert-based access token. Learn more about authentication.

Container type Permissions

The registration API determines what permissions a SharePoint Embedded application can perform against containers and content in containers for the specified container type.

Permission Description
None Has no permissions to any containers or content of this container type.
ReadContent Can read content of containers of this container type.
WriteContent Can write content to containers for this container type. This permission can't be granted without the ReadContent permission.
Create Can create containers of this container type.
Delete Can delete containers of this container type.
Read Can read the metadata of containers of this container type.
Write Can update the metadata of containers of this container type.
EnumeratePermissions Can enumerate the members of a container and their roles for containers of this container type.
AddPermissions Can add members to the container for containers of this container type.
UpdatePermissions Can update (change roles of) existing memberships in the container for containers of this container type.
DeletePermissions Can delete other members (but not self) from the container for containers of this container type.
DeleteOwnPermissions Can remove own membership from the container for containers of this container type.
ManagePermissions Can add, remove (including self) or update members in the container roles for containers of this container type.
Full Has all permissions for containers of this container type.

HTTP request

PUT {RootSiteUrl}/_api/v2.1/storageContainerTypes/{containerTypeId}/applicationPermissions

Note

This is NOT a Graph API

{RootSiteURL} is the SharePoint URL of the consuming tenant. For example, https://contoso.sharepoint.com.

Request body

In the request body, supply a JSON representation of the container type permissions for the SharePoint Embedded applications.

Response

If successful, this method returns a 200 OK response code and the container type permissions configured for the SharePoint Embedded applications in the response body.

HTTP Code Description
400 Bad request.
401 Request lacks valid authentication credentials.
403 Provided authentication credentials are valid but insufficient to perform the requested operation. Examples: the calling app isn't the owning app of the container type.
404 Container type doesn't exist.

Examples

Register the container type in a consuming tenant

Register the container type in the consuming tenant and grant full permissions to the Owning Application (AppId 71392b2f-1765-406e-86af-5907d9bdb2ab) for Delegated and AppOnly calls.

Request

PUT {RootSiteUrl}/_api/v2.1/storageContainerTypes/{containerTypeId}/applicationPermissions
Content-Type: application/json

{
  "value": [
    {
      "appId": "71392b2f-1765-406e-86af-5907d9bdb2ab",
      "delegated": ["full"],
      "appOnly": ["full"]
    }
  ]
}

Response

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "appId": "71392b2f-1765-406e-86af-5907d9bdb2ab",
      "delegated": ["full"],
      "appOnly": ["full"]
    }
  ]
}

Register the container type in a consuming tenant with permissions for a Guest App

Register the container type in the consuming tenant and grant full permissions to the Owning Application (AppId 71392b2f-1765-406e-86af-5907d9bdb2ab) for Delegated and AppOnly calls. In addition, grant a Guest App (AppId 89ea5c94-7736-4e25-95ad-3fa95f62b6) read and write permissions only for Delegated calls.

Request

PUT /storagecontainerTypes/{containerTypeId}/applicationPermissions
Content-Type: application/json

{
  "value": [
    {
      "appId": "71392b2f-1765-406e-86af-5907d9bdb2ab",
      "delegated": ["full"],
      "appOnly": ["full"]
    },
    {
      "appId": "89ea5c94-7736-4e25-95ad-3fa95f62b6",
      "delegated": [read", "write"],
      "appOnly": ["none"]
    }
  ]
}

Response

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "appId": "71392b2f-1765-406e-86af-5907d9bdb2ab",
      "delegated": ["full"],
      "appOnly": ["read"]
    },
    {
      "appId": "89ea5c94-7736-4e25-95ad-3fa95f62b6",
      "delegated": ["read", "write"],
      "appOnly": ["none"]
    }
  ]
}