Minimal required permissions

Access to APIs

To gain interactive access to SharePoint data, such as in the main user interface, as well as Print, Run Actions, Add Alerts and Action History, the app needs to receive a valid access token from SharePoint. This is done by granting access to APIs upon the initial installation of the app under SharePoint Administration page. When clicking on any of Ultimate Forms toolbar buttons, an attempt will be made to retrieve an access token on behalf of the user. If the access has not been granted yet, a warning will appear with a link for an administator to grant the permission. No features of Ultimate Forms can be used prior to granting the permission. Read more here about various API permissions for the app.

Enterpise Application

Following Microsoft's deprecation of the add-in model, versions and up of Ultimate Forms will only be installed as an SPFx solution. Backend functionality (such as alerts, import, actions, etc.) will gain access to SharePoint data through an Entra ID (formerly Azure AD) enterprise application Infowise Ultimate Forms Data Access.

Permission check is performed upon access to Ultimate Forms by administators. If the app has not been granted access, a warning is displayed. A Global Administrator can then grant the necessary permissions directly via a button in the warning. The Enterprise app requests the following required permissions:

  • Office 365 SharePoint Online - TermStore.ReadWrite.All - used to read and create terms in the term store.
  • Office 365 SharePoint Online - Sites.FullControl.All - used read and modify data and settings within SharePoint sites.
  • Microsoft Graph - Group.Read.All - used to read Entra ID groups.
  • Microsoft Graph - User.Read.All - used to read Entra ID user properties.

Without granting the permission, Ultimate Forms will only operate in a very limited capacity and all backend functionality will fail to execute.


Permissions Usage

The app will use a combination of user-specific permissions (granted via API access) and Enterprise app permissions, depending on the context.

User permissions are used in:

  1. Forms and views
  2. Ultimate Forms main UI
  3. Add alert
  4. Print
  5. Manual actions
  6. Template Manager

Enterprise app permissions are used in:

  1. Alerts
  2. Import
  3. Actions (except manual actions)
  4. Associated Items Summary calculations
  5. Signature validation
  6. Item ID



App Principal

Many features of Ultimate Forms are triggered based on events, such as Item is modified. Alerts, Item IDs, Actions, Signatures and Associated Items Summary are all executed behind the scenes in response to user activity.

In the majority of the cases, Ultimate Forms utilizes webhooks, which are the newest and more robust way of subscribing and responding to changes. However, in some specific cases, we use remote event receivers, due to their ability to be executed synchronously (just prior to item being saved), unlike webhooks, which are only asynchronous (triggered about a minute after the change taking place). The following event receivers are used:

  • Item ID - required to be able to inject ID into the item being created/updated. Classic forms or previous versions only.
  • Actions - currently only used in synchronous actions, when "after change" conditions are present or when Item is deleted event is used. In the current version is only used in synchronous actions and for Item is deleted.
  • Alerts - for Item is deleted alerts only.
  • Signatures - used for creating and validating signatures. Previous versions only.
  • Associated Items Summary - used for summary recalculation. Previous versions only.

For remote event receivers to be triggered, they must be created by a valid app principal. An app principal is a kind of user that is created in the SharePoint for apps. If your system implements any of the above described functionality, create an app principal to make sure remote event receivers do not stop functioning.

  1. Make sure you were prompted and granted access to Infowise Ultimate Forms Data Access enterprise app as described above.
  2. Access SharePoint Admin center via waffel menu in the top left corner -> Admin -> SharePoint.
  3. In the address bar of the browser, replace the part after /_layouts/15/ with appinv.aspx. For example:
  4. Under App Id enter 4e7b6f89-2261-4b6d-a7b7-afaa507d56a2 (government cloud customers: 208b239f-4126-4517-81c0-81c82fd66349), then click on Lookup. It should find the app and display Infowise Ultimate Forms Data Access under Title.
  5. Under App Domain enter
  6. Under App's Permission Request XML enter the following:

    <AppPermissionRequests AllowAppOnlyPolicy="false">
          <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />

  7. Click on Create

It will now create an app principal. Note that the app principal is only used to ensure event receivers are fired. It is not used to gain access to the data itself. For accessing data, an access token is retrieved from Entra ID via the Infowise Ultimate Forms Data Access enterprise app.

Also read these:

Last modified: 2/14/2024 8:08 PM

Add your comment

Comments are not designed to replace support calls. If you have a specific issue with one of our products, please send an email to to open a support ticket.