Use of "All" permissions, and application level
Closed this issue · 4 comments
Can I ask why you're stating that the ".All" permissions are required, and why application permissions?
Surely this goes against the principle of least access.
By using that method, the HA user has the ability to see the presence of all users in the tenant - not just their own.
You should only have Presence.Read and User.Read as delegated permissions.
Hi @loryanstrant,
Thanks for pointing this out. I took over this information from the initial developer. I will test the integration out with fewer permissions and will update the docs when successful.
@loryanstrant Tested and working! Updated the docs.
Heya, just noticed that you're still suggesting people add .All for both User and Presence data (even as delegated) - is this required? It seems unnecessary when it's only supposed to be reading the presence data of the signed-in user.
Thanks
You're right, a PR got merged that undid my previous update. Thanks for pointing it out.
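
An added example (not from the thread or the integration's code): a Python check that decodes a Microsoft Graph access token's payload and flags anything broader than the two delegated scopes named above. It relies on Graph tokens carrying delegated scopes in `scp` and application permissions in `roles`; the helper names and sample tokens are constructed, and the signature is not verified, so it is for auditing a token you already hold.

```python
import base64
import json

# The two delegated scopes the thread names as sufficient.
NEEDED = {"Presence.Read", "User.Read"}

def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified: audit use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(body))

def audit_permissions(claims):
    """List every permission in the token that exceeds NEEDED."""
    findings = []
    # 'roles' holds application permissions (app-only access, no signed-in user).
    for role in claims.get("roles", []):
        findings.append("application permission: " + role)
    # 'scp' holds delegated scopes as one space-separated string.
    for scope in claims.get("scp", "").split():
        if scope.endswith(".All"):
            findings.append("broad delegated scope: " + scope)
        elif scope not in NEEDED:
            findings.append("unneeded delegated scope: " + scope)
    return findings

def make_token(claims):
    """Build a constructed sample token with a dummy header and signature."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed samples: the three configurations discussed in the thread.
SAMPLES = {
    "application .All": {"roles": ["Presence.Read.All", "User.Read.All"]},
    "delegated .All": {"scp": "Presence.Read.All User.Read.All"},
    "least privilege": {"scp": "Presence.Read User.Read"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        findings = audit_permissions(decode_claims(make_token(claims)))
        print(name, "->", findings or "OK")
```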