Here you can find a useful info about SharePoint 2013 App Only Policy and diagram
As developers start working with SharePoint 2013 apps, you quickly realize how permissions with apps work when performing work on behalf of a user. I can log in as the site collection administrator, and execute an app that writes to a list and see the action fail because permission was denied. The reason it was denied is because the app did not request write permissions to the list it was trying to write to. Similarly, I can log in as a user who only has read permission to a list and invoke an app that has full control permission and see an attempt to write to a list fail because permission was denied. The reason this time is that even though the app had permissions, the user did not.
This is explained in the following diagram. The app is making a call into SharePoint, and it does so by providing the OAuth access token. SharePoint sees that no user credentials were provided in the request and an OAuth access token is present. When acting on behalf of a user, the token will include user information, so the context will be the App+User context.
This is exactly the scenario I just described. The App+User policy is applied, and both the user and the app must have sufficient permission to write to the list.
Have a good day, :)
This comment has been removed by a blog administrator.
ReplyDelete