When you activate MetaShare Online, you need to consent to MetaShare being granted the appropriate SharePoint permissions to perform tasks such as uploading documents, creating documents, searching for documents, reading MetaShare’s taxonomy and creating workspaces. The permissions are granted by clicking the “Accept” button in the permission request window:
Some permissions, e.g. “Have full control of all site collections”, are granted four times because MetaShare needs these permissions in two authorization modes as well as for both the SharePoint Online and Microsoft Graph APIs:
- Delegated permissions
Used for requests that are made through MetaShare’s web interface, on behalf of the logged-in user. Logged-in users can therefore not do anything that they cannot do through SharePoint’s standard user interface, except create a workspace, if they have been assigned the Workspace creator role, or rename a workspace, if they are members of the workspace’s owner’s group.
- App permissions
The MetaShare app also needs permission, without anyone being logged in, to perform certain background jobs, such as attaching content types to document libraries.
If the permissions that MetaShare requires are an issue for your organization, you can choose “Self-hosted MetaShare Online”; see further information on this page: MetaShare’s technical architecture.
The permissions that the MetaShare app requires are:
- Access directory as the signed in user (delegated)
This permission is automatically added when an app is created. It allows MetaShare to read information in Active Directory in the context of the logged-in user.
- Have full control of all site collections (delegated, app)
This permission is needed in order for MetaShare to create and manage sites. In reality, the permission should only be needed on the site collections that are created/maintained by MetaShare, but as it is not possible to create site collections without full control on all site collections, the permission needs to be granted for all site collections (if MetaShare is to be able to create sites in SharePoint).
  - It is, however, possible to change the permission from “full control on all site collections” to “full control on selected sites”. With this change, MetaShare will not be able to create sites, but it will be able to manage the sites that are added to the list of selected sites.
- Read and write all users’ full profiles (delegated)
This permission is needed for an upcoming MetaShare feature, to enable users to follow/mark workspaces as favorites. This is the SharePoint User Profile, not Active Directory.
- Read directory data (app)
This permission is needed for MetaShare to count the number of users using the MetaShare app, for billing purposes.
- Read and write managed metadata (delegated, app)
This permission is needed for MetaShare to be able to create terms.
- Maintain access to data you have given it access to (delegated)
Allows for single sign-on in the Microsoft Teams app.