Deploying custom products in SharePoint can be tricky due to the platform's various user permissions and roles, especially across different site types like Classic SharePoint. This article cuts through the confusion, detailing the exact roles and permissions a user needs for a smooth and successful BindTuning Intranet deployment.
Before you begin
Are you a Global Administrator for your Microsoft 365 environment? If so, you have full control over SharePoint, Azure, and Teams, meaning you already possess all the necessary permissions to deploy any custom product. In that case, you can stop reading here!
Most organizations delegate responsibilities. If you're not a Global Administrator and need to understand the specific roles and permissions required to deploy BindTuning products, keep reading.
Understanding BindTuning Installation Methods
BindTuning offers flexible installation methods designed to fit your organization's policies and security needs. We categorize them as follows:
Automated Installation: These methods use our built-in provisioning agents for automatic product deployment.
BindTuning Online App: Deploys products to SharePoint Online and Microsoft Teams within Office 365.
BindTuning Desktop App: Deploys products to both SharePoint On-Premises and SharePoint Online.
Manual Installation: This method allows you to download and manually add any BindTuning product to your infrastructure.
Understanding your chosen installation method is crucial, as it directly impacts the specific permissions required for your deployment.
Permissions by Installation Method
The permissions needed depend on the BindTuning installation method you choose.
Automated Installation
BindTuning Online App
The BindTuning Online App requires initial access to be granted within your Azure Enterprise Applications. To initiate the installation, the user performing it must be an Azure Administrator or have the Application Admin role. Once BindTuning is registered as an Enterprise Application, these specific Azure roles are no longer required for subsequent installations, provided the SharePoint-side permissions are in place.
BindTuning Desktop App
This method has no pre-installation Azure conditions. The only requirement for using the Desktop Application is that the necessary SharePoint permissions are already in place.
Manual Installation
Manual deployment has no pre-deployment conditions beyond ensuring the required SharePoint permissions are in place.
Permissions by SharePoint Experience
The required SharePoint permissions vary slightly based on the SharePoint experience (Classic vs. Modern) and deployment scope.
Classic SharePoint
BindTuning Intranet products (i.e., themes, web parts, etc.) are deployed at the SharePoint Site Collection level, typically appearing in your Solutions Gallery page.
To successfully install BindTuning products on a Classic SharePoint Site Collection, the user must be a Site Collection Administrator for that specific site collection.
Modern SharePoint
Modern SharePoint deployments offer both centralized and decentralized options for BindTuning products, allowing deployment to either a Tenant App Catalog or individual Site Collection App Catalogs.
Note: Learn more about how to create a tenant App Catalog or how to create a Site Collection App Catalog, both for SharePoint Online.
Tenant App Catalog Deployment (Centralized)
The Tenant App Catalog centralizes BindTuning product deployment, making products accessible across all Modern Site Collections and eliminating the need for individual site installations. Only a Tenant (SharePoint) Administrator can manually create this App Catalog. Once established, users with Contribute access to the App Catalog site can deploy or update solutions. Finally, users with Edit permissions on their own site collections can add BindTuning products.
Site Collection App Catalog Deployment (Decentralized)
For Office 365, you can restrict installation scope per site collection, using each site's Site Collection App Catalog. Unlike the single Tenant App Catalog, you can have as many Site Collection App Catalogs as needed. These are created automatically with BindTuning's Automated Installation or manually via PowerShell for manual deployments. Only a SharePoint Administrator can create them, but once set up, users with Contribute access to the site can deploy custom applications.
Note: For a smoother deployment experience (across both Tenant and Site Collection App Catalog scenarios), we recommend that the installer be a SharePoint Administrator. This simplifies permissions and ensures consistent results.
Permissions for installing the Teams Add-On apps
BindTuning's Microsoft Teams Add-On applications are built upon our SharePoint web part solutions. Therefore, their deployment to Microsoft Teams requires the underlying applications to first be added to either the Tenant App Catalog or a Site Collection App Catalog in SharePoint (as detailed above).
Additionally, by default, custom applications are disabled in your Teams Admin center. To ensure the successful deployment of BindTuning applications in Teams, a Teams Administrator must modify this policy to allow custom apps.
Once both the SharePoint (App Catalog) and Teams (Admin center policy) constraints are fulfilled, the Teams application installation will proceed as expected.
Use-Cases: Permissions in action
Let's examine real-world scenarios to clearly illustrate the necessary permission layers:
Scenario 1: Global Administrator Deploying Tenant-Wide (Office 365)
User A is a Global Administrator for an Office 365 infrastructure and wants to deploy BindTuning products automatically, tenant-wide.
Installation flow:
BindTuning Online App (suitable for Office 365).
User A, as a Global Administrator, is an Azure Administrator by proxy, fulfilling all Azure requirements.
Being a Global Administrator also makes User A a SharePoint Tenant Administrator by default, enabling tenant-wide deployment.
Scenario 2: SharePoint Administrator Deploying to Specific Site Collection (Office 365)
User B is a SharePoint Administrator for their company's Office 365 infrastructure, wanting to deploy products to a specific site collection, but lacks additional permissions (e.g., Azure Admin).
Installation flow:
Since User B lacks Azure Administrator permissions, the BindTuning Online App cannot be used. User B must use the BindTuning Desktop App or Manual Installation.
User B, as a SharePoint Administrator, can create (if it doesn't exist) a Tenant App Catalog.
To install products on one site collection, a Site Collection App Catalog is required:
If using the Desktop Application, the Site Collection App Catalog is created automatically.
If using Manual Installation, the Site Collection App Catalog needs to be created manually (via PowerShell).
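The manual PowerShell step mentioned above and in the Site Collection App Catalog section, as an added example that is not BindTuning's own script. It assumes the SharePoint Online Management Shell module is installed and is run by a SharePoint Administrator; the contoso URLs are placeholders.

```powershell
# Added example; the tenant and site URLs are placeholders, not values from this article.
# Assumes the SharePoint Online Management Shell module and a SharePoint Administrator account.
Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl = 'https://contoso-admin.sharepoint.com'           # placeholder: tenant admin center
$siteUrl  = 'https://contoso.sharepoint.com/sites/intranet'  # placeholder: target site collection

# Sign in against the tenant admin endpoint (interactive prompt).
Connect-SPOService -Url $adminUrl

# Fail early if the target site collection does not exist or is mistyped,
# so the catalog is never enabled on the wrong site.
$site = Get-SPOSite -Identity $siteUrl -ErrorAction Stop

# Create the Site Collection App Catalog on that one site collection.
# Only a SharePoint Administrator can do this; afterwards, users with
# Contribute access to the site can deploy packages to the catalog.
Add-SPOSiteCollectionAppCatalog -Site $site.Url

# Review who currently holds Site Collection Administrator on the site.
# These accounts have full control, so they can also deploy to the catalog;
# keep this list as short as the deployment requires.
Get-SPOUser -Site $site.Url -Limit All |
    Where-Object { $_.IsSiteAdmin } |
    Select-Object DisplayName, LoginName
```

If the catalog is no longer needed on that site, `Remove-SPOSiteCollectionAppCatalog -Site $siteUrl` disables it again.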
BindTuning provides various deployment methods to accommodate diverse permission levels. This article outlined the different paths and corresponding permissions you need to consider when deploying custom applications to your SharePoint and/or Microsoft 365 environment.