
Permission required for SharePoint integration

pinky_chauhan
New Contributor III

Hi,

We are going to integrate SharePoint with Saviynt using the O365 connector. As a prerequisite, as per Creating an Integration (saviyntcloud.com), we need to register an application in Azure AD.

We were following Registering an Application in Azure AD (saviyntcloud.com) and raised a ticket for the client's Azure team to register the app in Azure AD, but they need more clarity on the permissions before approving the request.

What permissions are required on SharePoint and on the directory? They are OK with granting read and write on SharePoint, but not on the directory.



rushikeshvartak
All-Star

  • Directory.Read.All and Directory.ReadWrite.All are essential for the connector to perform its core functions, particularly for user provisioning and reconciliation.
  • RoleManagement.ReadWrite.Directory is required if directory role management (assigning and revoking roles in Azure AD) is part of the integration.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

pinky_chauhan
New Contributor III

Hi @rushikeshvartak, are the following permissions for SharePoint or for the directory? Our use cases involve reconciliation and the removal and updating of SharePoint access through Saviynt.

  • Directory.Read.All and Directory.ReadWrite.All are essential for the connector to perform its core functions, particularly for user provisioning and reconciliation.


  • Directory.Read.All:

    • Purpose: Allows the application to read data in the organization's directory, including user profiles, group memberships, and directory roles.
    • Use Case: This is crucial for reconciliation processes where Saviynt needs to read user and group information from Azure AD to ensure the data in Saviynt is up-to-date.
  • Directory.ReadWrite.All:

    • Purpose: Grants the application the ability to read and write data in the organization's directory. This includes creating, updating, and deleting users and groups.
    • Use Case: This permission is necessary for user provisioning, updating user attributes, managing group memberships, and removing or updating SharePoint access when the user data is synchronized from Azure AD.



Regards,
Rushikesh Vartak

Hi @rushikeshvartak, for instance, if we remove access from SharePoint, Directory.ReadWrite.All ensures that the access is also removed from Azure AD if both are in sync.

Then you can skip the access.


Regards,
Rushikesh Vartak

Hi @rushikeshvartak, thank you for your response, but I'm still unclear on something. If the customer does not want to grant the Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory permissions, will the removal of access in SharePoint still work using the removeaccess JSON below? We are using SharePoint Online, and our use case involves removing access from SharePoint when a user is terminated or when access is removed from another connected application.

{
  "call": [
    {
      "name": "SharePoint Group",
      "connection": "SPAuth",
      "url": "${entitlementValue.entitlement_value.split(' \\\\|')[1].trim()}/_api/web/sitegroups(${entitlementValue.entitlementID.split(' \\\\|')[2].trim()})/users/removebyloginname('i%3A0%23.f%7Cmembership%7C${user.email}')",
      "httpMethod": "PATCH",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [200, 201, 204]
      },
      "unsuccessResponses": {
        "odata~dot#error_description": [
          "Invalid issuer or signature.",
          "Request_BadRequest",
          "Authentication_MissingOrMalformed",
          "Request_ResourceNotFound"
        ]
      }
    },
    {
      "name": "SharePoint Site",
      "connection": "SPAuth",
      "callOrder": 0,
      "stageNumber": 0,
      "httpHeaders": {
        "Authorization": "${sessionId}",
        "Accept": "application/json"
      },
      "url": "${entitlementValue.description}/_api/Web/ensureuser",
      "httpParams": "{\"logonName\":\"${user.email}\"}",
      "httpContentType": "application/json",
      "httpMethod": "POST"
    },
    {
      "name": "SharePoint List",
      "connection": "SPAuth",
      "callOrder": 0,
      "stageNumber": 0,
      "httpHeaders": {
        "Authorization": "${sessionId}",
        "Accept": "application/json"
      },
      "url": "${entitlementValue.customproperty20}/_api/Web/ensureuser",
      "httpParams": "{\"logonName\":\"${user.email}\"}",
      "httpContentType": "application/json",
      "httpMethod": "POST"
    }
  ]
}

If you do not grant Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory but ensure your application has the appropriate SharePoint Online permissions (Sites.Manage.All, Sites.FullControl.All, or similar), the removeaccess JSON should still work as intended for removing user access from SharePoint.


  • Permissions Required:

    • Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory permissions are generally required for managing directory roles and user management operations at a directory level. These permissions are not directly tied to managing SharePoint group memberships or site permissions but might be necessary if your operations involve changes in Azure AD, such as group memberships that influence SharePoint access.
  • SharePoint Online Permissions:

    • The removal of access in SharePoint typically depends on the SharePoint-specific permissions your application has, like Sites.FullControl.All, Sites.Manage.All, or Sites.ReadWrite.All. These permissions are focused on site and group-level actions, which appear to be the focus of your removeaccess JSON.



Regards,
Rushikesh Vartak
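To make the last reply checkable rather than a judgement call, here is an added example (not from the thread and not Saviynt's own tooling) that walks a Saviynt call JSON and reports, per call, whether the URL targets SharePoint REST (/_api/) or a Microsoft Graph directory resource, and therefore which permission family the app registration actually needs. The two SharePoint calls mirror the thread's removeaccess JSON; the Graph call is a constructed hypothetical included only to show what would trigger a directory write scope.

```python
import json
import re

# Saviynt ${...} template expressions are replaced before classification so
# their contents (quotes, parentheses, pipes) cannot skew URL matching.
TEMPLATE = re.compile(r"\$\{[^}]*\}")
# Graph resource paths governed by Directory.* / RoleManagement.* application scopes.
GRAPH_DIRECTORY_PATHS = ("/users", "/groups", "/directoryRoles", "/directoryObjects", "/roleManagement")
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE", "MERGE"}

# Constructed sample: the SharePoint calls follow the thread's JSON shape.
SHAREPOINT_CALLS = [
    {"name": "SharePoint Group", "connection": "SPAuth", "httpMethod": "PATCH",
     "url": "${entitlementValue.entitlement_value.split(' \\\\|')[1].trim()}/_api/web/sitegroups("
            "${entitlementValue.entitlementID.split(' \\\\|')[2].trim()})/users/removebyloginname("
            "'i%3A0%23.f%7Cmembership%7C${user.email}')"},
    {"name": "SharePoint Site", "connection": "SPAuth", "httpMethod": "POST",
     "url": "${entitlementValue.description}/_api/Web/ensureuser"},
]
# Hypothetical Graph call (NOT in the thread): a directory-level group membership change.
GRAPH_CALL = {"name": "Graph group member", "connection": "GraphAuth", "httpMethod": "DELETE",
              "url": "https://graph.microsoft.com/v1.0/groups/${group.id}/members/${user.id}/$ref"}
SHAREPOINT_ONLY_JSON = json.dumps({"call": SHAREPOINT_CALLS})
MIXED_JSON = json.dumps({"call": SHAREPOINT_CALLS + [GRAPH_CALL]})


def classify_call(call):
    """Return (category, permission family) for one entry of the 'call' list."""
    url = TEMPLATE.sub("TPL", call["url"])
    method = call.get("httpMethod", "GET").upper()
    if "graph.microsoft.com" in url:
        path = re.sub(r"^/(v1\.0|beta)", "", url.split("graph.microsoft.com", 1)[1])
        if path.startswith(GRAPH_DIRECTORY_PATHS):
            return "graph-directory", ("Directory.ReadWrite.All" if method in WRITE_METHODS
                                       else "Directory.Read.All")
        return "graph-other", "resource-specific Graph scope"
    if "/_api/" in url:
        return "sharepoint-rest", ("SharePoint Sites.* write scope (e.g. Sites.FullControl.All)"
                                   if method in WRITE_METHODS else "Sites.Read.All")
    return "unknown", "review manually"


def audit_calls(json_text):
    """Classify every call and report whether any of them needs a directory write scope."""
    rows = [(c["name"], c.get("httpMethod", "GET").upper(), *classify_call(c))
            for c in json.loads(json_text)["call"]]
    needs_dir_write = any(cat == "graph-directory" and scope.startswith("Directory.ReadWrite")
                          for _, _, cat, scope in rows)
    return {"calls": rows, "needs_directory_write": needs_dir_write}


if __name__ == "__main__":
    for name, method, cat, scope in audit_calls(MIXED_JSON)["calls"]:
        print(f"{name:20} {method:6} {cat:16} -> {scope}")
```

Run against the thread's JSON only, the report shows SharePoint REST calls throughout and no directory write requirement, which is the concrete evidence the Azure team asked for.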