Content
View differences
Updated by Wieland Lindenthal over 1 year ago
**As** an administrator responsible for file storage
**I want to** enable a OneDrive/SharePoint storage without using the `Files.ReadWrite.All` Files.ReadWrite.All (Application) permission in SharePoint
**so that** no unnecessary unneccessry wide permissions are set on the Microsoft Entra ID app when it could be avoided.
<br>
### Why?
To allow a third-party app to access files in OneDrive/SharePoint, admins need to set the correct permissions for an Entra app that is used by our integration to authenticate against SharePoint.
When the integration was first implemented, the Files.ReadWrite.All (Application) permission was required for it to work. This permission is quite broad, which concerns some IT security teams. While the Entra ID app with this permission cannot be exploited on its own, if other secrets are leaked, it could exacerbate the issue.
Microsoft has since introduced additional permissions that we can use to grant our integration enough access to operate while avoiding the unwanted Files.ReadWrite.All (Application) permission.
There are two new permissions we could potentially use: `Sites.Restricted` **Sites.Restricted** and `Files.SelectedOperations.Selected`. **Files.SelectedOperations.Selected**.
<br>
### Implementation option 1 (currently not preferred): `Files.SelectedOperations.Selected` Files.SelectedOperations.Selected
The permission, enables admins to enable access just for a specific folder.
The main downside is that we cannot define the root folder of a drive with this permission. However, we can define it for a folder and then mimic the behavior we have in Nextcloud, creating an OpenProject folder with project folders beneath it.
This would require some refactoring of the sync jobs, an additional input field during storage creation, and possibly other side effects in related areas. (#57013)
### Implementation option 2 (currently preferred): `Sites.Restricted` Sites.Restricted
The `Sites.Restricted` Sites.Restricted permission, on the other hand, applies to the entire SharePoint Site, not just a specific folder. This would allow us to keep the existing integration concept and use the root folder in our SharePoint/OneDrive integration.
The downside is that the API endpoints would change, we would need to ask the admin for additional information (Site ID) when setting up the integration, the permission setup would be more complex for SharePoint admins, and we would still need to support the old setup with the broader permissions.
Still, this seems the way to go.
The idea is, that we split the current SharePoint/OneDrive integration into two: one called "OneDrive," which is the current implementation, and another called "SharePoint," using the `Sites.Restricted` Sites.Restricted permissions.
### Acceptance Criteria
* TODO: Add the concept of splitting the SharePoint/OneDrive integration into separate "SharePoint" and "OneDrive" integrations.
**I want to** enable a OneDrive/SharePoint storage without using the `Files.ReadWrite.All`
**so that** no unnecessary
<br>
### Why?
To allow a third-party app to access files in OneDrive/SharePoint, admins need to set the correct permissions for an Entra app that is used by our integration to authenticate against SharePoint.
When the integration was first implemented, the Files.ReadWrite.All (Application) permission was required for it to work. This permission is quite broad, which concerns some IT security teams. While the Entra ID app with this permission cannot be exploited on its own, if other secrets are leaked, it could exacerbate the issue.
Microsoft has since introduced additional permissions that we can use to grant our integration enough access to operate while avoiding the unwanted Files.ReadWrite.All (Application) permission.
There are two new permissions we could potentially use: `Sites.Restricted`
<br>
### Implementation option 1 (currently not preferred): `Files.SelectedOperations.Selected`
The permission, enables admins to enable access just for a specific folder.
The main downside is that we cannot define the root folder of a drive with this permission. However, we can define it for a folder and then mimic the behavior we have in Nextcloud, creating an OpenProject folder with project folders beneath it.
This would require some refactoring of the sync jobs, an additional input field during storage creation, and possibly other side effects in related areas. (#57013)
### Implementation option 2 (currently preferred): `Sites.Restricted`
The `Sites.Restricted`
The downside is that the API endpoints would change, we would need to ask the admin for additional information (Site ID) when setting up the integration, the permission setup would be more complex for SharePoint admins, and we would still need to support the old setup with the broader permissions.
Still, this seems the way to go.
The idea is, that we split the current SharePoint/OneDrive integration into two: one called "OneDrive," which is the current implementation, and another called "SharePoint," using the `Sites.Restricted`
### Acceptance Criteria
* TODO: Add the concept of splitting the SharePoint/OneDrive integration into separate "SharePoint" and "OneDrive" integrations.