Each app has a manifest.xml file where the developer can define a list of resources that the app
needs access to using the AppPermissionRequests element. The following code snippet shows an
example of this element used in a provider-hosted app:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection"
                        Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list"
                        Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/userprofilestore/feed"
                        Right="Post"/>
  <AppPermissionRequest Scope="http://exchange/calendars" Right="Schedule"/>
</AppPermissionRequests>
Note the AllowAppOnlyPolicy="true" attribute on the first line of the code snippet. It enables the
app-only policy, which means that only the app, and not the current user, requires the needed
permissions. If an app-only policy is not used, both the app and the current user require the
necessary permissions to complete a task such as accessing the entire site collection or writing to
a list. The result would be a context that contains both the app and the user identities.
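
Before an app is trusted, its permission requests can be read mechanically. The following Python sketch is an added example, not code from the original text: it parses the AppPermissionRequests element shown above and lists the requests that the app-only policy would let the app carry out without the current user holding the same permission. The function names and the rule that any right other than Read is flagged are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permission requests from the snippet above.
SAMPLE = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/userprofilestore/feed" Right="Post"/>
  <AppPermissionRequest Scope="http://exchange/calendars" Right="Schedule"/>
</AppPermissionRequests>"""


def local(tag):
    """Drop an XML namespace so namespaced and bare manifests both parse."""
    return tag.rsplit("}", 1)[-1]


def review_permissions(xml_text):
    """Return the app-only flag, every request, and the requests worth a review."""
    root = ET.fromstring(xml_text)
    # Accept either the element itself or a whole manifest that contains it.
    block = next((e for e in root.iter() if local(e.tag) == "AppPermissionRequests"), None)
    if block is None:
        return {"app_only": False, "requests": [], "findings": []}
    app_only = block.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests, findings = [], []
    for req in block:
        if local(req.tag) != "AppPermissionRequest":
            continue
        props = {p.get("Name"): p.get("Value") for p in req if local(p.tag) == "Property"}
        scope, right = req.get("Scope"), req.get("Right")
        requests.append((scope, right, props))
        # Assumed review rule: with app-only enabled, flag every right except Read,
        # because the current user's permissions no longer bound what the app does.
        if app_only and right != "Read":
            findings.append(f"app-only {right} on {scope}: not limited by the current user's permissions")
    return {"app_only": app_only, "requests": requests, "findings": findings}


if __name__ == "__main__":
    result = review_permissions(SAMPLE)
    print("AllowAppOnlyPolicy:", result["app_only"])
    for line in result["findings"]:
        print("REVIEW:", line)
```

With the sample above, the Write, Post and Schedule requests are reported; with AllowAppOnlyPolicy set to false nothing is reported, because each request then also depends on the current user's permissions.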