After an application call to a SharePoint API has been authenticated, the next step in the chain of security processing is to check whether the app and user have the appropriate rights to the resources they are attempting to access. These permissions can be assigned two ways:
Statically assigned permissions are defined as one or more permission requests in the AppManifest.xml file. They are defined by the application developer and are the permissions that the app requests when it is installed. When a user adds the app to the site, she is presented with a consent dialog, as shown in Figure 10-2, asking her to grant the permissions being requested.
Note that granting permissions is an “all or nothing” operation. A user cannot, for example, grant only one of the two permissions being asked for. This is another example of why asking only for the minimum permissions that an app needs to run is important.
After a user grants the application the appropriate permissions, they are recorded in SharePoint in the application management shared service. They are then referred to when an app makes an API call for access to resources.
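As an added illustration (not from the original text), here are two AppPermissionRequests fragments as they would appear in AppManifest.xml, using the standard SharePoint 2013 permission Scope URIs and Right values. The first asks for far more than a read-only app needs; the second requests only what such an app requires (the app's purpose is an assumption for the example).

```xml
<!-- Fragment 1, over-broad: FullControl over the entire site collection, plus
     AllowAppOnlyPolicy, which lets the app make calls that are checked against
     the app's rights alone rather than the app's and the user's together. -->
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection"
                        Right="FullControl" />
</AppPermissionRequests>

<!-- Fragment 2, least privilege: the hypothetical app only reads items from
     the web it is installed in, so it asks for Read on that web and nothing
     more. Omitting AllowAppOnlyPolicy keeps every call subject to the
     user's own permissions as well as the app's. -->
<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web"
                        Right="Read" />
</AppPermissionRequests>
```

Because consent is all or nothing, every AppPermissionRequest in the manifest appears together in the Figure 10-2 dialog; an over-broad entry forces the user to either grant it or decline the whole app.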
Additionally, an application may dynamically request permissions on the fly during execution. This allows for scenarios where the application might not know what resources it needs ...