What permissions does the MetaShare app require?

When you activate MetaShare, you need to consent to MetaShare receiving the SharePoint permissions it needs to perform tasks such as uploading documents, creating documents, searching for documents, reading MetaShare’s taxonomy and creating workspaces. You grant the permissions by clicking the “Accept” button in the permission request window:
Accept permissions for MetaShare for your organization

The permissions that the MetaShare app requires are:

  1. Access directory as the signed in user
    This permission is added automatically when an app is created. It allows MetaShare to read information in Active Directory in the context of the logged-in user.
  2. Have full control of all site collections
    This permission is needed for MetaShare to create and maintain sites. In practice, the permission is only necessary on the site collections created or maintained by MetaShare, but because it cannot be granted for individual sites, it has to be granted for all site collections.
  3. Read and write all users’ full profiles
    This permission is needed for an upcoming MetaShare feature that lets users follow workspaces or mark them as favorites.
  4. Read directory data
    This permission is needed for MetaShare to count the number of users using the MetaShare app, for billing purposes.
  5. Read and write managed metadata
    This permission is needed for MetaShare to be able to create terms.

The permissions are granted twice because MetaShare needs them in two authentication modes:

  1. App-user authentication
    Used for requests made through MetaShare’s web interface, on behalf of the logged-in user. Logged-in users can therefore not do anything that they cannot do through SharePoint’s standard user interface, with two exceptions: they can create a workspace if they have been assigned the Workspace creator role, and they can rename a workspace if they are members of the workspace’s owners’ group.
  2. App-only authentication
    The MetaShare app also needs permission, without anyone being logged in, to perform certain background jobs, such as attaching content types to document libraries.