Hi All,

I would like to know what are the specific permissions required for adding an app from organization.

I have uploaded my sharepoint hosted app in App Catalog, with the "Enabled" property selected. As we know, this property will allow end users to add this app. 

This app contains the following permissions:

Scope : Tenant , Permission : Full Control
Scope : Web , Permission : Full Control

This app also allows to make app-only calls to sharepoint.

At the admin centre,in configure store settings the following property is set to "Yes":

Should end users be able to get apps from the marketplace? - Yes

These all settings should allow users to get the app from the organization.
But when a site owner(with Full Control Permission) tries to add the app from organization, i am getting the following error:

"Sorry, only site collection administrators can add or give access to this app."

Ideally, site owner who has full control should be able to add this app. Not sure why I am getting this error. 

Please suggest on this.

Thank You

Site owner doesn't have permissions on other sites within a site collection; app is installed at site collection level, so you have to use site collection administrator to add the app.

Thank You for your response.

The App is uploaded into App Catalog.

As a Global Admin and as a SCA, I am able to goto Site Contents-> Add an App -> Your Apps --> From Organization --> Here, I can see the app which I have uploaded in App Catalog.

Now, as a site owner,when I try to add the app it says "You can't add this app here."

Clicking on "Find Out Why" says Sorry, only site collection administrators can add or give access to this app.

I have few questions here -

1. Site Owners Group has full control. So if I add a user in this Site Owners Group, he will have full control. Why cant that user add an app -> app from organization ?

2. Do I need to modify the permissions for my App in App Manifest File?

Is there any option to achieve this?

Last but not least, could you please share some informative articles on this so that I can understand this better? 

Thanks Again !

You're welcome :)

1. Because, as I said, site owner permissions are "confined" on site he owns; apps instead needs elevated privileges to run, so you should install it with Site Collection admin permissions.

2. you should check that logged user is member of Site Collection Administrators

Take a look on this guide, expecially on Part 6

https://samlman.wordpress.com/2015/03/02/security-in-sharepoint-apps-part-1/

Thank You !

I am using JSOM so I don't think I can use the "run with elevated" in Javascript code.

So, I think my requirement of allowing the site owners to Install/get the app is incorrect.

I will go through the guide suggested by you

Thanks again ! :) 

[Update]

Hi,

Site owners will be able to add the app, if the app doesnt allow app only calls.

As you said, an SCA will be able to install the app - 

I have added the user who was in site owner group as SCA.

Now it says "Your tenant administrator has to approve this app." Its giving an option to request approval.

I observed that by removing tenant - scope permissions at the app manifest, am able to add the app when i login as SCA.

But I need Tenant - Scope permissions for my app, as its making some calls to the app catalog and its like cross site collection. 

Could you please throw some light on this? 

Thank You !!

• Edited by SPOL_365 13 hours 3 minutes ago

Take a look here

https://support.office.com/en-au/article/Request-app-installation-permissions-5a25c5b0-bdfb-49f8-8ca3-046edc9cf598