0

I have a SharePoint Add-in which has the following App Permissions defined in the AppManifest.xml.

<AppPermissionRequests AllowAppOnlyPolicy="false" >
      <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Write" />
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

To avoid the user needing "site collection administrator" permissions, the "AllowAppOnlyPolicy" is set to false.

The purpose of the app is creating a subsite under which all the needed info is stored. I am able to create the subsite without an issue, but from the moment I try to access lists in the subsite, I'm getting an "Access denied. You do not have permission to perform this action or access this resource." exception. Which I found quite surprising since I expected that if you have "Full Control" on a site, you would also have access to the subsites.

Is there a way to access the lists of a subsite without having to add the site collection read permissions?

Mathieu
  • 367
  • 3
  • 11

2 Answers2

1

I believe that you misunderstood the concept of AllowAppOnlyPolicy. The AppOnlyPolicy actually enables you to override the users permissions and let SharePoint only check the permissions granted to the AddIn (see here), so actually what you wanted. You need to change to:

<AppPermissionRequests AllowAppOnlyPolicy="true" >

Why in the first step you can create the subsite, for me only has one possible explanation: That your service account or the users account has the required permissions to do that on that web. (https://sharepoint.stackexchange.com/questions/21193/creating-sub-sites).

tashunko
  • 146
  • 4
  • My outcome is that as a user with full control rights, I'm able to add the add-in on a site and that from that add-in I'm then able to create a subsite. On which I also have "Full Control" To use the "AllowAppOnlyPolicy" as you suggested is not an option for me, since from the moment I put it on, the user that adds the add-in must have site collection administrator rights. I'm also not sure that even if I use it, I will have the same rights on the subsite and the site itself. – Mathieu May 30 '17 at 09:34
0

Give a permission of Full Control to Site Collection and Tenant as well from the App Manifest. That would help.

Jyotsna Wadhwani
  • 130
  • 8
  • I want a normal user to be able to add the add-in. The whole purpose was to not give this much rights, otherwise only site collection administrators can add the add-in. – Mathieu May 30 '17 at 09:30