How permissions work in SProbot

There are three types of roles in SProbot:

• SProbot admins who create and manage designs, templates, and related functionality.
• Privileged accounts which are used to create connections to tenants.
• Tenant users who interact with the Teams app to search, review and action to-do items, and request workspaces.

SProbot admins

You need a Microsoft account to sign into SProbot. It does not need to be an account on a tenant (commonly referred to as a Work or School account) and can be a personal Microsoft account, but if you're reading this and you work with SharePoint, it's very likely that your account will be an Azure AD account on a tenant.

When you sign in for the first time, we create an SProbot admin user profile for you. At this point you do not yet have the ability to perform any actions on any tenant.

SProbot admins can have the SharePoint admin role assigned to them within their tenant, but it is not a prerequisite to using the full functionality within the system. They can create designs and templates and perform all of the related configuration and management without being a SharePoint admin on the tenant.

The first time you sign into SProbot to use it as an admin, you need to provide this consent:

• Sign you in and read your profile - Allows you to sign into SProbot and lets the app read your basic profile information listed below.
• Maintain access to data you have given it access to - Allows SProbot to see and update the information it gets from your profile even while you are not using the app.

Your basic profile information is your name, email address and user ID. This is the only personal information SProbot has access to.

Privileged accounts

When you create a connection to a tenant, the tenant is associated to your SProbot admin user profile. At the point of creation, you need to authenticate using a privileged account with either of the following roles assigned to it:

• Global Administrator
• Privileged Role Administrator

This account does not need to be your SProbot admin user profile account, but it is allowed to be.

When you authenticate, a once-off permission grant is performed. During this process, an app registration is created for SProbot on the tenant and the privileged account grants the following permissions to the app registration:

• Sign in and read user profile
• Add and remove members from all channels
• Read all channel messages
• Read and write directory data
• Read and write all groups
• Read all published labels and label policies for an organization
• Read all usage reports
• Read and write all admin report settings
• Have full control of all site collections
• Create, edit, and delete items and lists in all site collections
• Read and write items in all site collections
• Get a list of all teams
• Add and remove members from all teams
• Read all available Teams Templates

The prompt looks like this:

When you grant this consent, you give the SProbot app the ability to manage content within the tenant. SProbot needs this access to be able to provision sites and teams and then manage settings for them. Please read our Privacy Notice and Terms of use for more information about your rights and obligations around this.

Important to note:

• SProbot never has access to or stores account credentials.
• Granting consent is a one-off action and only needs to be repeated if there is a change to the permissions required by SProbot due to new or updated functionality. If an update action is required, you'll see a Permission Updated Needed dialog when you open a tenant, with a "Start new permission acceptance" button.

Once you have created a tenant connection, the Microsoft account used for your SProbot admin user profile also never authenticates to the tenant unless this account is also a user (admin or normal) on the tenant.

Tenant users

Normal users on your tenant only interact with the SProbot Workspaces app, which is deployed to the tenant when creating the tenant connection. The first time a user opens the Workspaces app, they need to accept the most basic level of app permissions:

• View your profile
• Maintain access to data you have given it access to

This permission is needed only to authenticate the user with OAuth and enable them to access the directory, request workspaces and view any actions assigned to them. SProbot only stores the user's first name, last name, and email address. We do not store or ever have access to any credentials themselves.

SProbot will automatically communicate with tenant users to notify them about builds, cleanup actions and other actions they need to take, but will never communicate with them about anything else.