kapilkjoshi
Nintex Newbie

O365 Update Item Permissions - Confusion


All,

Our security team would like to know more about the recent change to the O365 Update Item Permissions action. Why does it need tenant admin to provide the authorization?

Earlier the action used to work with SharePoint Admin permissions. In order to stop workflows from failing we have to make this change. Please provide any details you might know.

 

Thank you.

andrewg
Nintex Newbie

Re: O365 Update Item Permissions - Confusion


The connection made to perform the action uses delegate permissions, but in order for the OAuth connection to be made it uses features within Azure app registration. So basically the Tenant Admin is granting the Nintex App the ability to use this API but within the confines of the app itself. Azure requires tenant admins to accept permission changes to apps similar to other apps.

Bottom line is, because now the action allows you to set the destination URL, meaning you can connect to other site collections to change permissions, this needs a broader scope for 'tenant wide access'. Really, it's asking for access as wide as the account being used to make the connection can reach within SharePoint. It does not have the ability to grant this user making the connection admin rights to read/write anything within the tenant.

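A security team can check the delegated-versus-application distinction described in the reply above against the tenant's own grant records. The following is an added example, not part of the thread and not Nintex code: it summarises one service principal's grants from JSON shaped like Microsoft Graph's `oauth2PermissionGrants` and `appRoleAssignments` responses. The IDs and the scope name `AllSites.FullControl` are constructed assumptions, since the thread does not name the scope the action requests.

```python
import json

# Constructed sample shaped like Microsoft Graph list responses for one
# service principal (IDs and the scope value are placeholders, not from the thread):
#   /servicePrincipals/{id}/oauth2PermissionGrants -> delegated permissions
#   /servicePrincipals/{id}/appRoleAssignments     -> application (app-only) permissions
DELEGATED_JSON = """
{"value": [{"id": "grant-0001", "clientId": "sp-workflow-app",
            "consentType": "AllPrincipals", "principalId": null,
            "resourceId": "sp-sharepoint-online",
            "scope": " AllSites.FullControl"}]}
"""
APP_ROLES_JSON = '{"value": []}'


def audit_grants(delegated, app_roles):
    """Summarise what an admin consent actually granted to one app."""
    report = {"delegated_scopes": set(), "tenant_wide_consent": False,
              "single_user_grants": [], "app_only_roles": []}
    for grant in delegated.get("value", []):
        # Graph returns scopes as one space-separated string, often with a leading space.
        report["delegated_scopes"].update((grant.get("scope") or "").split())
        if grant.get("consentType") == "AllPrincipals":
            # Admin consent: every user may use the app with these scopes,
            # but each call is still limited to that user's own access.
            report["tenant_wide_consent"] = True
        elif grant.get("principalId"):
            report["single_user_grants"].append(grant["principalId"])
    for role in app_roles.get("value", []):
        # App roles let the app act with no signed-in user; this is the
        # case a reviewer should escalate.
        report["app_only_roles"].append(
            (role.get("resourceDisplayName"), role.get("appRoleId")))
    report["delegated_scopes"] = sorted(report["delegated_scopes"])
    report["delegated_only"] = not report["app_only_roles"]
    return report


def audit_sample():
    return audit_grants(json.loads(DELEGATED_JSON), json.loads(APP_ROLES_JSON))


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

A result with `tenant_wide_consent` true and `delegated_only` true matches the situation the reply describes: a broad delegated scope consented by a tenant admin, with no app-only permission.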
kapilkjoshi
Nintex Newbie

Re: O365 Update Item Permissions - Confusion

Thanks Andrew.
This should help in explaining the scenario.