SharePoint Permissions

overview cloudfiles is a salesforce app for document management in salesforce cloudfiles provides functionality to connect salesforce with sharepoint, and helps move files between the two systems cloudfiles needs api access to both these systems the access is requested using oauth 2 0 protocol which is the recommended approach by both salesforce & sharepoint using oauth, cloudfiles never has to ask for user’s username/password to any system it sends the user to the provider’s website(salesforce & sharepoint), asks for an approval for api access once user approves this request, the provider system gives cloudfiles with an access token, that can be used to access resources on user’s behalf using the api what accesses does cloudfiles need in sharepoint 1\ maintain access to data you have given it access to allows the app to see and update the data you gave it access to, even when users are not currently using the app this does not give the app any additional permissions this is a permission requested to access your data in cloudfiles explanation since cloudfiles makes api requests to sharepoint on demand(as part of automated processes), even when user is not directly interacting with cloudfiles, this permission is requested to revoke cloudfiles’ access, users can disconnect sharepoint from cloudfiles dashboard, or from microsoft page 2\ edit or delete items in all site collections allows the application to edit or delete documents and list items in all site collections on behalf of the signed in user this is a permission requested to access your data in cloudfiles explanation this permission is required for cloudfiles to provide full crud capabilities(create, read, update & delete) to its users this permission is only scoped to the sites & folders that the user has access to 3\ sign in and read user profile allows users to sign in to the app, and allows the app to read the profile of signed in users it also allows the app to read basic company information of signed in users this is a permission requested to access your data in cloudfiles explanation with this permission, cloudfiles can get user’s email, as well as some company information like company name this enables cloudfiles to provide sso(single sign on) functionality users don’t have to setup a password for cloudfiles, cloudfiles can verify user’s identity by asking microsoft(using api access) and make them sign in to cloudfiles 4\ have full access to all files user can access allows the app to read, create, update and delete all files the signed in user can access this is a permission requested to access your data in cloudfiles explanation same as 2, except this one is specific to files & folders and not sharepoint sites & lists 5\ read the names and descriptions of teams read the names and descriptions of teams, on behalf of the signed in user this is a permission requested to access your data in cloudfiles explanation this permissions is requested for microsoft teams functionality this is read only access to the metadata of teams that user has access to 6\ create teams allows the app to create teams on behalf of the signed in user this is a permission requested to access your data in cloudfiles explanation this permission allows cloudfiles to create new teams on behalf of user how to restrict cloudfiles’ access to certain folders all the permissions mentioned above enable cloudfiles to access only the data which the approving user has access to to scope cloudfiles’ access to certain folders, it is recommended to create an integration user with access to only these folders and use that user to connect cloudfiles with sharepoint why is an admin consent being required based on your sharepoint security settings, sometimes security policy doesn’t allow it’s sharepoint users to grant access to 3rd party apps like cloudfiles when an admin gives consent using the https //login microsoftonline com/common/adminconsent?client id=eb406824 efe3 4989 8247 b80f25f73ae2 then only, users can approve 3rd party apps to access their sharepoint data using apis when admin is consenting to this, they’re not allowing cloudfiles to access their own sharepoint data, they are only approving the fact that users in their sharepoint can alternative approach if you don’t want to consent to permissions as admin, you can also allow users to consent to permissions themselves, by updating settings here https //portal azure com/#view/microsoft aad iam/consentpoliciesmenublade/ /usersettings here, please select the 3rd option “allow user consent for apps” more about cloudfiles data privacy policy & security cloudfiles has a very robust data privacy policy it only accesses sharepoint resources on need basis this data is encrypted in rest & in transit and the documents are never copied to cloudfiles servers cloudfiles is only a facilitator between salesforce & sharepoint this is covered in detail in our https //trust cloudfiles io/?itemuid=c4223a81 5840 4e11 ac9f 2b812794a67e\&source=click cloudfiles is also gdpr compliant, soc2 type 2 complaint and iso certified cloudfiles is security reviewed by salesforce and then only approved to be listed in https //appexchange salesforce com/appxlistingdetail?listingid=a0n4v00000gh9ufuar you can access all security & compliance related policies on the https //trust cloudfiles io/ for any questions, please reach out to security\@cloudfiles io