FAQs

SharePoint Permissions

Overview

CloudFiles is a Salesforce app for document management in Salesforce. CloudFiles provides functionality to connect Salesforce with SharePoint, and helps move files between the two systems.

CloudFiles needs API access to both these systems. The access is requested using OAuth 2.0 protocol which is the recommended approach by both Salesforce & SharePoint. Using OAuth, CloudFiles never has to ask for user’s username/password to any system. It sends the user to the provider’s website(Salesforce & SharePoint), asks for an approval for API access. Once user approves this request, the provider system gives CloudFiles with an access token, that can be used to access resources on user’s behalf using the API.

What accesses does CloudFiles need in SharePoint

Document image


1. Maintain access to data you have given it access to Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. This is a permission requested to access your data in CloudFiles. Explanation - Since CloudFiles makes API requests to SharePoint on demand(as part of automated processes), even when user is not directly interacting with CloudFiles, this permission is requested. To revoke CloudFiles’ access, users can disconnect SharePoint from CloudFiles dashboard, or from Microsoft page 2. Edit or delete items in all site collections

Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. This is a permission requested to access your data in CloudFiles.

Explanation - This permission is required for CloudFiles to provide full CRUD capabilities(Create, Read, Update & Delete) to its users. This permission is only scoped to the sites & folders that the user has access to 3. Sign in and read user profile Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. This is a permission requested to access your data in CloudFiles. Explanation - With this permission, CloudFiles can get user’s email, as well as some company information like company name. This enables CloudFiles to provide SSO(single sign-on) functionality. Users don’t have to setup a password for CloudFiles, CloudFiles can verify user’s identity by asking Microsoft(using API access) and make them sign in to CloudFiles 4. Have full access to all files user can access Allows the app to read, create, update and delete all files the signed-in user can access. This is a permission requested to access your data in CloudFiles. Explanation - Same as 2, except this one is specific to files & folders and not SharePoint sites & lists 5. Read the names and descriptions of teams Read the names and descriptions of teams, on behalf of the signed-in user. This is a permission requested to access your data in CloudFiles. Explanation - This permissions is requested for Microsoft teams functionality. This is read only access to the metadata of teams that user has access to 6. Create teams

Allows the app to create teams on behalf of the signed-in user. This is a permission requested to access your data in CloudFiles.

Explanation - This permission allows CloudFiles to create new teams on behalf of user

How to restrict CloudFiles’ access to certain folders

All the permissions mentioned above enable CloudFiles to access only the data which the approving user has access to. To scope CloudFiles’ access to certain folders, it is recommended to create an integration user with access to only these folders and use that user to connect CloudFiles with SharePoint

Why is an Admin consent being required

Based on your SharePoint security settings, sometimes security policy doesn’t allow it’s SharePoint users to grant access to 3rd party apps like CloudFiles. When an admin gives consent using the approval link, then only, users can approve 3rd party apps to access their SharePoint data using APIs. When admin is consenting to this, they’re not allowing CloudFiles to access their own SharePoint data, they are only approving the fact that users in their SharePoint can

Alternative Approach

If you don’t want to consent to permissions as admin, you can also allow users to consent to permissions themselves, by updating settings here - https://portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings Here, Please select the 3rd option - “Allow user consent for apps”

Document image


More about CloudFiles Data privacy policy & security

CloudFiles has a very robust data privacy policy. It only accesses SharePoint resources on need basis. This data is encrypted in rest & in transit and the documents are never copied to CloudFiles servers. CloudFiles is only a facilitator between Salesforce & SharePoint. This is covered in detail in our Data Processing Agreement CloudFiles is also GDPR compliant, SOC2 Type 2 complaint and ISO certified. CloudFiles is security reviewed by Salesforce and then only approved to be listed in Salesforce app store You can access all security & compliance related policies on the CloudFiles Trust Portal For any questions, please reach out to [email protected]

PREVIOUS
Failed flow is executing multiple times
NEXT
How to get CloudFiles API key
Docs powered by Archbee