How permissions work in SProbot

There are three types of roles in SProbot:

• SProbot admins who create and manage designs, templates, pipelines and related functionality.
• Privileged accounts which are used to create connections to tenants.
• Tenant users who access pipeline request forms when needing to build sites.

SProbot admins

You need a Microsoft account to sign into SProbot. It does not need to be an account on a tenant (commonly referred to as a Work or School account) and can be a personal Microsoft account, but if you're reading this and you work with SharePoint, it's very likely that your account will be an Azure AD account on a tenant.

When you sign in the first time, we create an SProbot admin user profile for you. At this point you do not yet have the ability to perform any actions on any tenant.

SProbot admins can have the SharePoint admin role assigned to them within their tenant, but it is not a prerequisite to using the full functionality within the system. They can create designs, templates, pipelines and perform all of the related configuration and management without being a SharePoint admin on the tenant.

The first time you sign into SProbot to use it as an admin, you need to provide this consent:

• Sign you in and read your profile - Allows you to sign into SProbot and lets the app read your basic profile information listed below.
• Maintain access to data you have given it access to - Allows SProbot to see and update the information it gets from your profile even while you are not using the app.

Your basic profile information is your name, email address and user ID. This is the only personal information SProbot has access to.

Privileged accounts

When you create a connection to a tenant, the tenant is associated to your SProbot admin user profile. At the point of creation, you need to authenticate using a privileged account with either of the following roles assigned to it:

• Global Administrator
• Privileged Role Administrator

This account does not need to be your SProbot admin user profile account, but it is allowed to be.

When you authenticate, a once-off permission grant is performed. During this process, an app registration is created for SProbot on the tenant and the privileged account grants the following permissions to the app registration:

• Sign in and read user profile
• Add and remove members from all channels
• Read directory data
• Read and write all groups
• Create, edit, and delete items and lists in all site collections
• Read and write items in all site collections
• Add and remove members from all teams
• Have full control of all site collections

The prompt looks like this:

When you grant this consent, you give the SProbot app the ability to manage content within the tenant. SProbot needs this access to be able to provision sites and teams and then manage settings for them. Please read our Privacy Notice and Terms of use for more information about your rights and obligations around this.

Important to note:

• SProbot never has access to or stores the privileged account credentials.
• Granting consent is a one-off action and only needs to be repeated if there is a change to the permissions required by SProbot due to new or updated functionality. If an update action is required, you'll see a Permission Updated Needed dialog when you open a tenant, with a "Start new permission acceptance" button.

Once you have created a tenant connection, the Microsoft account used for your SProbot admin user profile also never authenticates to the tenant unless this account is also a user (admin or normal) on the tenant.

Tenant users

To be able to view and use a pipeline build request form, you need to be an AD user on the tenant on which that pipeline exists. Users from other tenants cannot access it.

The first time you access a pipeline build request form, you need to provide this consent:

• Sign you in and read your profile - Allows you to sign into SProbot and lets the app read your basic profile information listed below.
• Maintain access to data you have given it access to - Allows SProbot to see and update the information it gets from your profile even while you are not using the app.

Your basic profile information is your name, email address and user ID. This is the only personal information SProbot has access to.

Important to note:

We store tenant user profiles only for the purposes of serving build request forms and never communicate with tenant users for any reason other than notifying them about pipelines and builds related to them.