Permissions that the MetaShare app requires

When you activate MetaShare Online you will need to consent to MetaShare being granted the SharePoint permissions it needs to perform tasks such as: upload documents, create documents, search for documents, read MetaShare’s taxonomy and create workspaces. The permissions are granted by clicking the “Accept” button in the permission request window:
Granting MetaShare permissions

Some permissions, e.g. “Have full control of all site collections”, appear four times because MetaShare needs them in two authentication modes and for both the SharePoint Online and Microsoft Graph APIs (two modes × two APIs):

  1. App-user authentication
    Used for requests made through MetaShare’s web interface, on behalf of the logged-in user. Logged-in users therefore cannot do anything that they could not do through SharePoint’s standard user interface, except create a workspace, if they have been assigned the Workspace creator role, or rename a workspace, if they are members of the workspace’s owner’s group.
  2. App-only authentication
    Used when no user is logged in: the MetaShare app also needs permission to perform certain background jobs, such as attaching content types to document libraries.

If the permissions that MetaShare requires are an issue for your organization, you can choose “Self-hosted MetaShare Online”; see MetaShare’s technical architecture for further information.

The permissions that the MetaShare app requires are:

  1. Access directory as the signed in user (app-user)
    This permission is added automatically when an app is created. It allows MetaShare to read information from Active Directory in the context of the logged-in user.
  2. Have full control of all site collections (app-user, app-only)
    This permission is needed for MetaShare to create and maintain sites. In practice it is only needed on the site collections that MetaShare creates and maintains, but since it cannot be granted for individual site collections, it has to be granted for all of them.
  3. Read and write all users’ full profiles (app-user)
    This permission is needed for an upcoming MetaShare feature that lets users follow workspaces or mark them as favorites. It applies to the SharePoint User Profile, not Active Directory.
  4. Read directory data (app-only)
    This permission is needed for MetaShare to count the number of users using the MetaShare app, for billing purposes.
  5. Read and write managed metadata (app-user, app-only)
    This permission is needed for MetaShare to be able to create terms.
  6. Maintain access to data you have given it access to (app-user)
    Allows single sign-on in the Microsoft Teams app.
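For an administrator who wants to verify what was actually consented, the split into app-user (delegated) and app-only (application) permissions above maps onto two different records in Azure AD: delegated grants are `oauth2PermissionGrants` (a space-separated `scope` string per resource API), application permissions are `appRoleAssignments` (an `appRoleId` that resolves to a role on the resource service principal). The script below is an added example, not MetaShare’s code or part of this documentation: it takes constructed records shaped like those two Graph resources, builds one table of permission × API × mode, and flags the tenant-wide permissions. The mapping of the consent-prompt display names to scope values (e.g. “Have full control of all site collections” to `Sites.FullControl.All`) and the list of “high privilege” scopes are assumptions made for the example; all ids are placeholders.

```python
"""Summarise an app's consented permissions by authentication mode.

Inputs are shaped like Microsoft Graph's oauth2PermissionGrants (delegated,
"app-user" mode) and appRoleAssignments (application, "app-only" mode).
Every record below is CONSTRUCTED sample data, not a capture from a tenant;
ids are placeholders, not real Microsoft GUIDs.
"""
from collections import defaultdict

# Tenant-wide permissions an admin reviewing consent would want flagged.
# Assumed list, derived from the permission names discussed on this page.
HIGH_PRIVILEGE = {
    "Sites.FullControl.All",
    "User.ReadWrite.All",
    "Directory.Read.All",
    "TermStore.ReadWrite.All",
}

# Constructed: resource service principals (the APIs being accessed) with
# their application-permission appRoles keyed by appRoleId.
RESOURCES = {
    "res-sharepoint": {
        "displayName": "Office 365 SharePoint Online",
        "appRoles": {
            "role-0001": "Sites.FullControl.All",
            "role-0002": "TermStore.ReadWrite.All",
        },
    },
    "res-graph": {
        "displayName": "Microsoft Graph",
        "appRoles": {
            "role-0101": "Sites.FullControl.All",
            "role-0102": "TermStore.ReadWrite.All",
            "role-0103": "Directory.Read.All",
        },
    },
}

# Constructed, shaped like GET /oauth2PermissionGrants (delegated, app-user).
# consentType "AllPrincipals" means an admin consented on behalf of all users.
DELEGATED_GRANTS = [
    {"clientId": "sp-metashare", "consentType": "AllPrincipals",
     "resourceId": "res-sharepoint",
     "scope": "Sites.FullControl.All User.ReadWrite.All TermStore.ReadWrite.All offline_access"},
    {"clientId": "sp-metashare", "consentType": "AllPrincipals",
     "resourceId": "res-graph",
     "scope": "Directory.AccessAsUser.All Sites.FullControl.All User.ReadWrite.All TermStore.ReadWrite.All"},
]

# Constructed, shaped like GET /servicePrincipals/{id}/appRoleAssignments
# (application permissions, app-only: valid with no signed-in user).
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-metashare", "resourceId": "res-sharepoint", "appRoleId": "role-0001"},
    {"principalId": "sp-metashare", "resourceId": "res-sharepoint", "appRoleId": "role-0002"},
    {"principalId": "sp-metashare", "resourceId": "res-graph", "appRoleId": "role-0101"},
    {"principalId": "sp-metashare", "resourceId": "res-graph", "appRoleId": "role-0102"},
    {"principalId": "sp-metashare", "resourceId": "res-graph", "appRoleId": "role-0103"},
]


def summarise(client_id, grants, assignments, resources):
    """Return {(resource display name, permission): set of modes} for one app.

    Modes are "app-user" (delegated grant) and "app-only" (app role assignment).
    """
    summary = defaultdict(set)
    for grant in grants:
        if grant["clientId"] != client_id:
            continue
        resource = resources[grant["resourceId"]]["displayName"]
        for permission in grant["scope"].split():
            summary[(resource, permission)].add("app-user")
    for assignment in assignments:
        if assignment["principalId"] != client_id:
            continue
        resource = resources[assignment["resourceId"]]
        # An appRoleId that no longer resolves is kept visible rather than dropped.
        permission = resource["appRoles"].get(assignment["appRoleId"], "<unknown appRoleId>")
        summary[(resource["displayName"], permission)].add("app-only")
    return dict(summary)


def occurrences(summary, permission):
    """Number of (resource API, mode) combinations that grant this permission.

    This is how often the permission shows up in the consent prompt:
    two APIs x two modes gives four for Sites.FullControl.All.
    """
    return sum(len(modes) for (_, perm), modes in summary.items() if perm == permission)


def high_privilege(summary):
    """Sorted list of (resource, permission, modes) that warrant admin review."""
    return sorted(
        (resource, perm, tuple(sorted(modes)))
        for (resource, perm), modes in summary.items()
        if perm in HIGH_PRIVILEGE
    )


if __name__ == "__main__":
    s = summarise("sp-metashare", DELEGATED_GRANTS, APP_ROLE_ASSIGNMENTS, RESOURCES)
    for resource, perm, modes in high_privilege(s):
        print(f"{resource:30} {perm:26} {', '.join(modes)}")
    print("Sites.FullControl.All granted", occurrences(s, "Sites.FullControl.All"), "times")
```

Against a real tenant the two input lists would come from the Graph endpoints named in the comments, filtered to the app’s service principal id; the `consentType` field is worth checking too, since “AllPrincipals” is what makes a delegated grant apply to every user rather than only the one who consented.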