Add-in permissions in SharePoint

Before you read this article, you should first be familiar with the topic Authorization and authentication of SharePoint Add-ins.

A SharePoint Add-in requests the permissions that it needs during installation from the user who is installing it. The developer of an add-in must request, through the add-in manifest file, the permissions that the particular add-in needs to be able to run. (Device and web apps that access SharePoint, but are not installed to SharePoint websites, must be granted permissions at runtime by the user who is executing the add-in. For more information, see Authorization Code OAuth flow for SharePoint Add-ins.)

Users can grant only the permissions that they have. The user must grant all the permissions that an add-in requests or not grant any permission. Selective grants are not possible. (For add-ins that request permissions on the fly, only a user with Manage permissions to the SharePoint resources that the add-in seeks to access can run the add-in, even if the add-in is asking only for lesser permissions, such as Read.)

The permissions that the add-in has been granted are also stored in the content database of the SharePoint farm or SharePoint Online tenancy. They are not stored with a secure token service, such as Microsoft Azure Access Control Service (ACS). When a user first grants an add-in permissions, SharePoint obtains information about the add-in from ACS. SharePoint then stores the basic information about the add-in in the add-in management service and the content database along with the add-in's permissions. For more information about ACS, see Creating SharePoint Add-ins that use low-trust authorization.

Important

Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), will be retired on November 7, 2018. This retirement does not impact the SharePoint Add-in model, which uses the https://accounts.accesscontrol.windows.net hostname (which is not impacted by this retirement). For more information, see Impact of Azure Access Control retirement for SharePoint Add-ins.

If an object to which an add-in was granted permission is deleted, the corresponding grants are also deleted. When an object to which an add-in was granted permission is recycled, SharePoint does not modify the corresponding grant. This is so that if the object is restored from the Recycle Bin, the grant is still intact.

When an add-in is removed, all the permissions granted to that add-in at the scope from which it was removed are revoked. This is to ensure that the add-in can't use its credentials to continue accessing protected SharePoint resources remotely after a user removes the add-in from SharePoint.

Types of add-in permissions and permission scopes

A SharePoint Add-in uses permission requests to specify the permissions that it needs to function correctly. The permission requests specify both the rights that an add-in needs and the scope at which it needs the rights. These permissions are requested as part of the add-in manifest.

Permission request scopes indicate the location in the SharePoint hierarchy where a permission request applies.

Note

A SharePoint Add-in has its own identity and is a security principal, called an add-in principal. Like users and groups, an add-in principal has certain permissions or rights. The add-in principal has full control rights to the add-in web, so it only needs to request permissions to SharePoint resources in the host web or other locations outside the add-in web. For more information about the add-in web, see Important aspects of the SharePoint Add-in architecture and development landscape and Host webs, add-in webs, and SharePoint components in SharePoint.

SharePoint supports four different permission scopes within the content database and tenancy, as shown in Table 1. Permission scopes are named with URIs, including an "http:" prefix, but they are not URLs and they contain no placeholders. The permission scopes in this table and this article are literal strings.

Table 1. SharePoint add-in permission request scope URIs and descriptions

| Scope | Scope URI | Description |
|---|---|---|
| Tenancy | http://sharepoint/content/tenant | The tenancy where the add-in is installed. Includes all children of this scope. |
| Site Collection | http://sharepoint/content/sitecollection | The site collection where the add-in is installed. Includes all children of this scope. |
| Website | http://sharepoint/content/sitecollection/web | The website where the add-in is installed. Includes all children of this scope. |
| List | http://sharepoint/content/sitecollection/web/list | A single list in the website where the add-in is installed. |

When the user who installs the add-in is prompted to grant permissions, the dialog enables the user to select one list to which the add-in is granted permissions.

If the add-in needs permission to more than one list, it must request permission to web scope.

Also, since you, the developer, have no way to control which list the user chooses or to tell the user which one to choose, you must use web scope if there is a list to which your add-in must have permission (but there is a way to narrow the user's choice to certain subsets of lists; see Permission request scope with associated properties).

If an add-in is granted permission to one of the scopes, the permission applies to all children of the scope. For example, if an add-in is granted permission to a website, the add-in is also granted permission to each list that is contained in the website, and all list items that are in each list.

Because permission requests are made without information about the topology of the site collection where the add-in is installed, the scope is expressed as a type instead of as the URL of a specific instance. These scope types are expressed as URIs. Permissions to resources that are stored in the SharePoint content database are organized under the following URI: http://sharepoint/content.

Differences between add-in permission rights and user rights

Permissions indicate the activities that an add-in is permitted to do within the requested scope. SharePoint supports four rights levels in the content database. For each scope, an add-in can have the following rights:

  • Read
  • Write
  • Manage
  • FullControl

Note

For more information about what Read, Write, Manage, and FullControl rights include, see Plan add-in permissions management.

Note

These rights correspond to the default user permission levels of SharePoint: Reader, Contributor, Designer, and Full Control. For more information about user permission levels, see User permissions and permission levels. The add-in rights names do not match SharePoint user roles rights names, to avoid confusion between user roles rights and add-in rights. Because customizing the permissions that are associated with SharePoint user roles does not affect add-in permission request levels, the add-in rights names do not match the corresponding SharePoint user roles, except Full Control, which can't be customized through the permissions management user interface.

In addition:

  • For Search only, an add-in can have the Query right.

  • For some Microsoft Project Server 2013 scopes, there is also the SubmitStatus right or the Elevate right. For most scopes for Project Server 2013, only Read and Write are available. For more information, see the Understand the types of add-in permissions and permission scopes section in this article.

  • For taxonomy, only rights for Read and Write are available.

Note

Office Store apps have some restrictions as to what type of rights an add-in can request. For more information, see the Types of add-in permissions and permission scopes section earlier in this article.

Unlike SharePoint user roles, these rights levels are not customizable. This is to ensure that when an add-in is granted a permission request, the add-in is guaranteed a predictable set of capabilities, and it does not have to account for the possibility of being granted less permission than it expects.

A user cannot grant an add-in permissions that the user himself or herself does not have. If a user attempts to install an add-in that requests more permissions than the user has, an error message displays to the user informing them that they don't have sufficient permissions to grant the add-in its request.

Permissions that are not known to SharePoint are ignored. This means that, if an add-in requests a permission that SharePoint does not recognize, the add-in can still be installed, but the user is not prompted to grant the permission, and the permission is not granted to the add-in.

Available scopes and permissions, and restrictions on Office Store apps permissions

Different scopes have different sets of rights that are available for an add-in to request. This section describes the sets of rights that are available for each scope. Also, it highlights the restrictions for SharePoint Add-ins that are sold through the Office Store.

Office Store apps' rights

Only Read, Write, and Manage rights are allowed for Office Store apps. If you try to submit an app to the Office Store that requires FullControl rights, your app is blocked from submission. Because the block is in the Office Store submission pipeline, apps that request more than Manage permissions can still be deployed through the add-in catalog.

Permission request scopes for list content and library content

Table 2 shows the permission request scope for list and library content, and lists the rights that can be specified for each scope URI.

Note

The URIs used in Table 2 are literal values.

Table 2. SharePoint add-in permission scope URIs and available rights

| Scope URI | Available rights |
|---|---|
| http://sharepoint/content/sitecollection | Read, Write, Manage, FullControl |
| http://sharepoint/content/sitecollection/web | Read, Write, Manage, FullControl |
| http://sharepoint/content/sitecollection/web/list | Read, Write, Manage, FullControl |
| http://sharepoint/content/tenant | Read, Write, Manage, FullControl |

The following code shows how you use permission scopes and rights in the AppManifest.xml file. In the first example, an add-in is asking for Write access to the list scope.

  <?xml version="1.0" encoding="utf-8" ?>
  <App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
      ProductID="{4a07f3bd-803d-45f2-a710-b9e944c3396e}"
      Version="1.0.0.0"
      SharePointMinVersion="15.0.0.0"
      Name="MySampleAddIn"
  >
    <Properties>
      <Title>My Sample Add-in</Title>
      <StartPage>~remoteAppUrl/Home.aspx?{StandardTokens}</StartPage>
    </Properties>

    <AppPrincipal>
      <RemoteWebApplication ClientId="1ee82b34-7c1b-471b-b27e-ff272accd564" />
    </AppPrincipal>

    <AppPermissionRequests>
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"/>
    </AppPermissionRequests>
  </App>

The following code shows an add-in that is asking for Read access to the web scope and Write access to the list scope.

  <?xml version="1.0" encoding="utf-8" ?>
  <App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
      ProductID="{4a07f3bd-803d-45f2-a710-b9e944c3396e}"
      Version="1.0.0.0"
      SharePointMinVersion="15.0.0.0"
      Name="MySampleAddIn"
  >
    <Properties>
      <Title>My Sample Add-in</Title>
      <StartPage>~remoteAppUrl/Home.aspx?{StandardTokens}</StartPage>
    </Properties>

    <AppPrincipal>
      <RemoteWebApplication ClientId="6daebfdd-6516-4506-a7a9-168862921986" />
    </AppPrincipal>

    <AppPermissionRequests>
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write"/>
    </AppPermissionRequests>
  </App>

Permission request scopes for other SharePoint features

The permission request scopes for other SharePoint features are listed in the following tables.

Note

The URIs used in the tables are literal values.

Table 3 shows the permission request scope for Business Connectivity Services (BCS). It also lists the rights that can be specified for that scope URI.

Table 3. BCS add-in permission request scope URIs and available rights

| Scope URI | Available rights |
|---|---|
| http://sharepoint/bcs/connection | Read |

Note

For more information about the BCS add-in permission request scope, see Business Connectivity Services in SharePoint.

Table 4 shows the permission request scope for Search. It also lists the rights that can be specified for that scope URI.

Table 4. Search add-in permission request scope URIs and available rights

| Scope URI | Available rights |
|---|---|
| http://sharepoint/search | QueryAsUserIgnoreAppPrincipal |

Note

For more information about the Search add-in permission request scope, see Search in SharePoint.

Table 5 shows the permission request scope for Project Server 2013. It also lists the rights that can be specified for each scope URI.

Note

An add-in that uses Project Server 2013 features and services should be tested in an environment that has the required Project Server features and services. The Project Server 2013 permission provider assembly that knows about Project Server 2013 permission scopes is not installed by default with SharePoint Server. For more information, see the Project Server 2013 developer documentation.

Table 5. Project Server add-in permission request scope URIs and available rights

| Scope | Available rights |
|---|---|
| http://sharepoint/projectserver | Manage |
| http://sharepoint/projectserver/projects | Read, Write |
| http://sharepoint/projectserver/projects/project | Read, Write |
| http://sharepoint/projectserver/enterpriseresources | Read, Write |
| http://sharepoint/projectserver/statusing | SubmitStatus |
| http://sharepoint/projectserver/reporting | Read |
| http://sharepoint/projectserver/workflow | Elevate |

Table 6 shows the permission request scope for social features. It also lists the rights that can be specified for each scope URI.

Table 6. Social features add-in permission request scope URIs and available rights

| Scope name | Scope URI | Description | Available rights |
|---|---|---|---|
| User Profiles | http://sharepoint/social/tenant | The permission request scope used to access all user profiles. Only the profile picture can be changed; all other user profile properties are read-only for SharePoint Add-ins. Must be installed by a tenant administrator. | Read, Write, Manage, FullControl |
| Core | http://sharepoint/social/core | The permission request scope used to access the user's followed content and shared metadata that is used by microblogging features. This scope applies only to personal sites that support following content. If the app installs on any other type of site, use the Tenant scope. | Read, Write, Manage, FullControl |
| News Feed | http://sharepoint/social/microfeed | The permission request scope used to access the user's feed or the team feed. This scope applies to personal sites that support microblogging or to team sites where the Site Feed feature is activated. If the app installs on any other type of site, use the Tenant scope. | Read, Write, Manage, FullControl |
| | http://sharepoint/social/trimming | This permission request scope is used to determine whether to display security-trimmed content in the social feed to apps. If this high-trust permission is not granted, some content (such as activities about documents and sites that the app doesn't have permissions to) is trimmed from the feed data that's returned to the app, even if the user has sufficient permissions. This permission must be manually added to the app's manifest file. | Read, Write, Manage, FullControl |

Note

For more information about social features add-in permission request scope, see Add-in permission requests for accessing social features.

Table 7 shows the permission request scope for taxonomy. It also lists the rights that can be specified for that scope URI.

Table 7. Taxonomy add-in permission request scope URIs and available rights

| Scope URI | Available rights |
|---|---|
| http://sharepoint/taxonomy | Read, Write |

Note

For more information about the taxonomy add-in permission request scope, see Add SharePoint capabilities.

Permission request scope with associated properties

The list permission request scope has an additional optional property. The list scope can take a property with the name BaseTemplateId, and an integer value corresponding with a list base template, as shown in the following markup sample. Without a base template ID, the user who installs the add-in has the choice of granting it permission to one list from among all lists in the web. Specifying a base template ID limits the user's choice to the set of lists that match what is specified by the BaseTemplateId property.

The BaseTemplateId property is a child element, not an attribute of the AppPermissionRequest element. The following code shows how to use the BaseTemplateId property.

  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>

Table 8. Permission request scope with associated properties

| Scope URI | Property | Type |
|---|---|---|
| http://sharepoint/content/sitecollection/web/list | BaseTemplateId | Integer |

Note

For more information about BaseTemplateId and the corresponding integer value for the list base template, see the Type attribute of the List Element (List).
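
The scope and right tables above can serve as a review checklist before an add-in is installed or approved. The following Python sketch is an added example, not code from the original article or from Microsoft; the function name audit_manifest, the finding codes, and the sample manifest (constructed, with placeholder GUIDs) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/sharepoint/2012/app/manifest}"
CONTENT = {"Read", "Write", "Manage", "FullControl"}
TENANT = "http://sharepoint/content/tenant"
LIST = "http://sharepoint/content/sitecollection/web/list"
PS = "http://sharepoint/projectserver"

# Scope URI -> rights listed for it in Tables 2-7 of this article (literal strings).
ALLOWED = {
    TENANT: CONTENT,
    "http://sharepoint/content/sitecollection": CONTENT,
    "http://sharepoint/content/sitecollection/web": CONTENT,
    LIST: CONTENT,
    "http://sharepoint/bcs/connection": {"Read"},
    "http://sharepoint/search": {"QueryAsUserIgnoreAppPrincipal"},
    PS: {"Manage"},
    PS + "/projects": {"Read", "Write"},
    PS + "/projects/project": {"Read", "Write"},
    PS + "/enterpriseresources": {"Read", "Write"},
    PS + "/statusing": {"SubmitStatus"},
    PS + "/reporting": {"Read"},
    PS + "/workflow": {"Elevate"},
    "http://sharepoint/social/tenant": CONTENT,
    "http://sharepoint/social/core": CONTENT,
    "http://sharepoint/social/microfeed": CONTENT,
    "http://sharepoint/social/trimming": CONTENT,
    "http://sharepoint/taxonomy": {"Read", "Write"},
}


def audit_manifest(xml_text):
    """Return (code, scope, detail) findings for the permission requests in a manifest."""
    # A manifest needs no DTD; refusing one avoids entity-expansion tricks in
    # files received from a third party.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not expected in an add-in manifest")
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    findings = []
    for req in root.iter(NS + "AppPermissionRequest"):
        scope, right = req.get("Scope"), req.get("Right")
        if scope not in ALLOWED:
            # Unrecognized permissions are ignored: no prompt, no grant.
            findings.append(("unknown-scope", scope, "ignored by SharePoint, never granted"))
            continue
        if right not in ALLOWED[scope]:
            findings.append(("right-not-listed", scope, f"{right} is not in the table for this scope"))
        if right == "FullControl":
            findings.append(("store-blocked", scope, "Office Store submission rejects FullControl"))
        if scope == TENANT:
            findings.append(("tenant-wide", scope, "applies to every child of the tenancy"))
        if scope == LIST:
            if req.get("BaseTemplateId") is not None:
                findings.append(("property-as-attribute", scope, "BaseTemplateId must be a child Property element"))
            names = {p.get("Name") for p in req.findall(NS + "Property")}
            if "BaseTemplateId" not in names:
                findings.append(("list-unrestricted", scope, "installer can pick any list in the web"))
    return findings


# Constructed sample manifest; the GUIDs are placeholders.
SAMPLE = """<?xml version="1.0" encoding="utf-8" ?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     ProductID="{00000000-0000-0000-0000-000000000000}" Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0" Name="ConstructedSample">
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
      <Property Name="BaseTemplateId" Value="101"/>
    </AppPermissionRequest>
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
    <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Manage"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/lists" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list"
                          Right="Read" BaseTemplateId="101"/>
  </AppPermissionRequests>
</App>"""

if __name__ == "__main__":
    for code, scope, detail in audit_manifest(SAMPLE):
        print(f"{code:22} {scope}  ({detail})")
```

The unknown-scope finding matters most in review: a mistyped scope URI installs without any prompt, so the add-in silently runs without the grant its author intended.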

Managing and troubleshooting add-in permissions

SharePoint Add-ins that are installed to SharePoint are granted permissions when they are installed. Add-ins that are installed on other platforms but access SharePoint are granted permissions at runtime by the user who is running the add-in. Occasionally, the first kind of add-in may lose its permissions. You can regrant permissions to an add-in by using the following steps:

  1. On the Site Contents page of the website where the add-in seems to have lost permissions, select the "..." button on the add-in's tile. This opens a callout with either a PERMISSIONS link or another "..." button.

  2. Select the PERMISSIONS link if it is there and skip the next step, or select the "..." button.

  3. Select the Permissions link.

  4. On the page that opens, select here in the last sentence. This regrants the add-in its permissions and redirects the browser back to the Site Contents page.

When you are developing an add-in or troubleshooting an add-in, there may be occasions when you want to change, or regrant, the permissions of an add-in that has already been installed. You can do so with these steps:

  1. Go to http://<SharePointWebSite>/_layouts/15/AppInv.aspx, where <SharePointWebSite> is the URL of the website where the add-in is installed. Be careful not to add any query parameters on the URL. The form you need only appears on this page if the URL is exactly as shown.

  2. Enter the add-in's ID, also called the client ID, in the Add-in Id box, and then select Lookup. The other boxes on the form are then populated with information about the add-in.

  3. Fill in the Permission Request XML box with permission requests exactly as you would enter them in an add-in manifest. For examples, see Permission request scopes for list content and library content. For complete syntax information, see AppPermissionRequest Element.

  4. Select Create.

An add-in's permissions for a specific scope are revoked when it is removed from that scope.

Why add-ins cannot be hidden from users

Any user with browse rights to a SharePoint website can launch any SharePoint Add-in installed on the site. Whether the user can do anything with the add-in depends on the user's other permissions and what authorization policy type is being used by the add-in. If the user tries to do something with the add-in that the user does not have permission to do, and the call to SharePoint is using the user+add-in policy, the call fails.
