SharePoint Online: Elevated Permissions....with love

Remember the good old days, when calling RunWithElevatedPrivileges(SPSecurity.CodeToRunElevated) in the SharePoint server-side object model let us run our (full-trust) code with full control, i.e. with the higher permissions of the System Account, and perform tasks that were not permitted in the current user's context?

Now that we have SharePoint Add-ins and SharePoint Online web parts, one wonders whether there is still a way of achieving that, since there are use cases where a user needs higher permissions, for instance:
  • Changing the status of a field in a list where the currently logged-in user has read-only permission.
  • Reading the members of a SharePoint group.
In workflows, SharePoint Designer workflows used to have the App Step, Nintex workflows have elevated permissions, and in MS Flow impersonation is possible using connectors: a Flow triggered by an HTTP request can run under the System account, as shown in the video below:

Another way of achieving this is impersonation, which literally means becoming someone else to perform some tasks. In C# CSOM code, this is done with NetworkCredential in the following way:

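using System.Net;
using Microsoft.SharePoint.Client;

ClientContext context = new ClientContext(siteUrl);
Web web = context.Web;
// username, password and domain belong to the account being impersonated
context.Credentials = new NetworkCredential(username, password, "domain");
context.Load(web);
// The request runs with that account's permissions, not the current user's
context.ExecuteQuery();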

Documentation can be found here.


In the SharePoint Add-in model, the only way is AllowAppOnlyPolicy, which means the permissions are based on what has been granted to the SharePoint Add-in. The problem is that:
  • AllowAppOnlyPolicy only works with provider-hosted SharePoint Add-ins.
Another way is to define a service account in your SharePoint tenancy and elevate permissions in the following manner:

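using System.Security;
using Microsoft.SharePoint.Client;

// SharePointOnlineCredentials takes the password as a SecureString
SecureString password = new SecureString();
foreach (char c in "Password") password.AppendChar(c);
using (ClientContext context = new ClientContext("https://tenancy.sharepoint.com"))
{
    // Use default authentication mode
    context.AuthenticationMode = ClientAuthenticationMode.Default;
    // Specify the credentials for the account that will execute the request
    context.Credentials = new SharePointOnlineCredentials("User Name", password);
}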


To achieve elevated permissions in an SPFx web part there is a novel way using MS Flow: the SPFx web part makes a POST call that runs an MS Flow, which contains a POST request that creates the list item under the System admin context. The following illustration explains it all:



The following video has more details:



As a last resort, you can think about deploying your own web service which makes calls to SharePoint!
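
A web service (or Flow) that writes with elevated rights acts on behalf of users who only hold read permission, so it should restrict what a caller can ask for. The sketch below is an added example, not code from the original post: it checks a status-change request against an allow-list and builds the SharePoint REST MERGE request the service would then send with its own token. The site URL path, list title, field name and status values are assumptions.

```typescript
// Added example: guard for an elevated "change status" endpoint.
// Site URL, list, field and status values are constructed assumptions.
interface StatusChange { list: string; itemId: number; status: string; }
interface RestRequest { url: string; method: string; headers: Record<string, string>; body: string; }

const SITE_URL = "https://tenancy.sharepoint.com/sites/demo";
// The only writes the elevated identity performs for callers: list -> field and allowed values.
const ALLOWED: Record<string, { field: string; values: string[] }> = {
  "Requests": { field: "Status", values: ["Open", "In Progress", "Closed"] },
};

function buildElevatedUpdate(input: unknown): RestRequest {
  if (typeof input !== "object" || input === null) throw new Error("payload must be an object");
  const req = input as Partial<StatusChange>;
  // hasOwnProperty lookup so inherited keys such as "constructor" never match.
  if (typeof req.list !== "string" || !Object.prototype.hasOwnProperty.call(ALLOWED, req.list)) {
    throw new Error("list not allowed");
  }
  const rule = ALLOWED[req.list];
  if (typeof req.itemId !== "number" || !Number.isInteger(req.itemId) || req.itemId < 1) {
    throw new Error("itemId must be a positive integer");
  }
  if (typeof req.status !== "string" || rule.values.indexOf(req.status) === -1) {
    throw new Error("status not allowed");
  }
  // The field name comes from the rule, never from the caller; extra properties are dropped.
  const title = encodeURIComponent(req.list.replace(/'/g, "''"));
  return {
    url: `${SITE_URL}/_api/web/lists/getbytitle('${title}')/items(${req.itemId})`,
    method: "POST",
    headers: {
      "Accept": "application/json;odata=nometadata",
      "Content-Type": "application/json;odata=nometadata",
      "IF-MATCH": "*",           // overwrite regardless of item version
      "X-HTTP-Method": "MERGE",  // partial update of the item
    },
    // The service adds its own Authorization header when it sends this request.
    body: JSON.stringify({ [rule.field]: req.status }),
  };
}
```

The caller's identity still has to be authenticated before this function is reached; the allow-list only limits what the elevated account will do once a request is accepted.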
