API Permissions
docCentrum Lite
For users on the docCentrum Lite tier, the app's permission demand is very lightweight: it only requires the currently logged-in user's basic details, such as display name and email address.
This is a description of the API permissions requested by docCentrum Lite.
| API | Type | Permission | Purpose |
|---|---|---|---|
| Microsoft Graph | Delegated | User.Read | To identify the currently logged in user |
docCentrum Premium
docCentrum Premium exposes greater functionality and integration with Microsoft 365. As such, there are a number of permissions that must be granted by an Administrator prior to using the service.
| API | Type | Permission | Purpose |
|---|---|---|---|
| Microsoft Graph | Delegated | ExternalItem.Read.All | Used in the Admin Center to search for SharePoint content to initiate tasks |
| Microsoft Graph | Delegated | Files.Read.All | Used when browsing document centers from the Admin Center to initiate tasks |
| Microsoft Graph | Delegated | Group.Read.All | Used when initiating tasks to look up Microsoft 365 groups as recipients |
| Microsoft Graph | Application | Group.Read.All | Used by the task processor to enumerate group members to issue tasks to members |
| Microsoft Graph | Application | Mail.Send | Used by the task processor to send notifications to users about their tasks |
| Microsoft Graph | Delegated | Sites.Read.All | Used in the Admin Center to look up SharePoint sites when setting up Document Centers |
| Microsoft Graph | Delegated | Sites.ReadWrite.All | Used in the Admin Center to configure a document center |
| Microsoft Graph | Application | Tasks.ReadWrite.All | Used by the task processor to create ToDo tasks for docCentrum tasks (where configured) |
| Microsoft Graph | Delegated | User.Read | Used by docCentrum components to allow the user to sign in |
| Microsoft Graph | Application | User.Read.All | Used by the task processor to look up recipient users to issue tasks |
| Microsoft Graph | Delegated | User.ReadBasic.All | Used when initiating tasks to search for users as recipients |
| SharePoint | Delegated | AllSites.FullControl | Used by docCentrum to configure a document center |
The above permissions are listed as either Application or Delegated permissions.
- Delegated permissions: Also called scopes, allow the application to act on behalf of the signed-in user.
- Application permissions: Also called app roles, allow the app to access data on its own, without a signed-in user.
Importantly, delegated permissions act as the signed-in user. Therefore, where docCentrum uses the AllSites.FullControl permission, it is a delegated permission, which means the user can only perform "FullControl" operations on sites where they already have permission to do so.
(In this context, configuring SharePoint sites from docCentrum includes operations such as setting up and configuring site columns and content types on a site.)
More information about the types of Microsoft Graph permissions can be found here: Microsoft Graph permissions.
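One way to check a tenant's grants against the Premium table above once consent has been given, as an added example that is not docCentrum's own code. The record layout and the sample grants are constructed, and it assumes resource and role IDs have already been resolved to API and permission names.

```python
# Added example: audit granted permissions against the documented Premium table.
GRAPH, SP = "Microsoft Graph", "SharePoint"

# (API, type, permission) triples copied from the docCentrum Premium table.
DOCUMENTED = {
    (GRAPH, "Delegated", p) for p in (
        "ExternalItem.Read.All", "Files.Read.All", "Group.Read.All",
        "Sites.Read.All", "Sites.ReadWrite.All", "User.Read",
        "User.ReadBasic.All")
} | {
    (GRAPH, "Application", p) for p in (
        "Group.Read.All", "Mail.Send", "Tasks.ReadWrite.All", "User.Read.All")
} | {(SP, "Delegated", "AllSites.FullControl")}


def flatten(grants):
    """Expand grant records into (API, type, permission) triples.

    Permissions are a space-separated string, the same convention as the
    `scope` field of a Graph oauth2PermissionGrant.
    """
    triples = set()
    for g in grants:
        for perm in g["permissions"].split():
            triples.add((g["api"], g["type"], perm))
    return triples


def audit(grants, documented=DOCUMENTED):
    """Return permissions granted but undocumented, and documented but absent."""
    granted = flatten(grants)
    return {"unexpected": sorted(granted - documented),
            "missing": sorted(documented - granted)}


# Constructed sample: Sites.ReadWrite.All appears as an Application grant,
# which the table lists only as Delegated, and Mail.Send is absent.
SAMPLE = [
    {"api": GRAPH, "type": "Delegated", "permissions":
        "ExternalItem.Read.All Files.Read.All Group.Read.All Sites.Read.All "
        "Sites.ReadWrite.All User.Read User.ReadBasic.All"},
    {"api": SP, "type": "Delegated", "permissions": "AllSites.FullControl"},
    {"api": GRAPH, "type": "Application", "permissions":
        "Group.Read.All Tasks.ReadWrite.All User.Read.All Sites.ReadWrite.All"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Keying on the permission type as well as the name matters here: an Application grant of a permission the table lists only as Delegated is not limited by any signed-in user's existing access.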
Admin Consent
docCentrum Premium
To grant Admin Consent for docCentrum Premium, use this link as a Global Administrator:
https://login.microsoftonline.com/common/adminconsent?client_id=fc0ecb91-d846-46d0-a363-4f97c69db711
If you're using a GCC cloud environment, use this link:
https://login.microsoftonline.us/common/adminconsent?client_id=88e6ff70-5880-4703-a65c-c41737bd9712
docCentrum Lite
To grant Admin Consent for docCentrum Lite, use this link as a Global Administrator:
https://login.microsoftonline.com/common/adminconsent?client_id=5b0479de-89c3-4c7a-aa5f-393001579763