# Epona365 SharePoint Permissions Reference
Audience: SharePoint/M365 admins deploying Epona365, IT staff configuring access.
This document lists every permission Epona365 requires — at the Azure AD / Graph level, the SharePoint site level, and the Epona-specific group level — and explains why each is needed.
# 1. Declared API Permissions (Azure AD / Microsoft Graph)
These permissions must be approved by an M365 admin in the SharePoint Admin Center → Advanced → API access page during deployment.
All permissions are delegated. Epona365 calls Microsoft Graph on behalf of the signed-in user, so its effective access is the intersection of the consented scopes and that user's own SharePoint and mailbox permissions: it can never read or modify data that the user could not access themselves.
| Scope | Resource | Why it is needed |
|---|---|---|
| User.ReadBasic.All | Microsoft Graph | Read basic user profiles for the people picker, matter subscriber lookups, and team member resolution |
| Group.Read.All | Microsoft Graph | Read Office 365 group memberships; required by the KMS feature to check Epona permission groups, and by the Planners feature to read plans for an O365 group |
| Sites.ReadWrite.All | Microsoft Graph | All document library and list operations: reading and writing documents, creating folders, generating sharing links, syncing to OneDrive, and reading file-level permissions |
| Mail.ReadWrite | Microsoft Graph | Email import: read messages and attachments from a mailbox and create mail drafts |
Note: Sites.ReadWrite.All is a broad scope. Epona365 only accesses the site collections defined in the matters list; it does not read or write to other sites in your tenant. That restriction is enforced by the application, not by the platform: the consented scope itself covers every site the signed-in user can reach. Be aware as well that API permissions approved on the API access page are granted to the tenant-wide SharePoint Online Client Extensibility principal, which every SharePoint Framework solution in the tenant shares, so the grant is not bound to Epona365 alone. A more restricted setup using Sites.Selected (which limits access to specific site collections) is not supported in the current version; it can be implemented on request.
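The approval step above is a one-time consent, so it is worth reconciling what is pending and what has already been granted against the four scopes listed in the table. The following PowerShell is an added example written for this reference, not Epona's own code; it assumes PnP PowerShell, a SharePoint administrator account, and placeholder values for the tenant name and the app registration ClientId used by Connect-PnPOnline:

```powershell
# Added example (not Epona365 code): approve only the delegated Graph scopes this reference
# documents, leave anything else pending for human review, and audit existing grants.
# Assumes PnP.PowerShell; tenant name and ClientId below are placeholders.
$tenant   = "contoso"                               # placeholder tenant name
$clientId = "00000000-0000-0000-0000-000000000000"  # placeholder: your own app registration
Connect-PnPOnline -Url "https://$tenant-admin.sharepoint.com" -Interactive -ClientId $clientId

# Allow-list keyed by resource: exactly the scopes from the table above.
$expected = @{
    "Microsoft Graph" = @("User.ReadBasic.All", "Group.Read.All", "Sites.ReadWrite.All", "Mail.ReadWrite")
}

# 1. Pending requests: approve only allow-listed scopes. The principal is shared by all
#    SPFx packages in the tenant, so the package name is logged for traceability.
foreach ($req in Get-PnPTenantServicePrincipalPermissionRequests) {
    $ok = $expected.ContainsKey($req.Resource) -and ($expected[$req.Resource] -contains $req.Scope)
    if ($ok) {
        Write-Host "Approving $($req.Resource) / $($req.Scope) requested by package $($req.PackageName)"
        Approve-PnPTenantServicePrincipalPermissionRequest -RequestId $req.Id
    } else {
        Write-Warning "Left pending (not in reference): $($req.Resource) / $($req.Scope) from $($req.PackageName)"
    }
}

# 2. Existing grants: every granted scope must be on the allow-list. A grant's Scope
#    value can hold several space-separated scopes, so split before comparing.
foreach ($grant in Get-PnPTenantServicePrincipalPermissionGrants) {
    foreach ($scope in ($grant.Scope -split '\s+' | Where-Object { $_ })) {
        $allowed = $expected.ContainsKey($grant.Resource) -and ($expected[$grant.Resource] -contains $scope)
        if (-not $allowed) {
            Write-Warning "Grant outside this reference: $($grant.Resource) / $scope (ConsentType=$($grant.ConsentType))"
        }
    }
}
```

Run it once after uploading the Epona365 package and again as part of periodic review; a warning in step 2 means some other solution in the tenant has obtained a scope this reference does not account for, and `Revoke-PnPTenantServicePrincipalPermission` can remove it after confirmation.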
# 2. SharePoint Site Permissions (User-Level)
Most users only need Read or Contribute on each DMS site collection. Manage Permissions is an individual right rather than a built-in permission level: it is contained in Full Control (and possibly in custom permission levels) and is only required for users who need the Make Private feature.
| SharePoint Role | Features enabled | Notes |
|---|---|---|
| Read | Browse documents, view document metadata and permissions, read KMS published documents (also requires KMS Viewers group membership), document signing, planners, people lookups | Minimum role for any Epona365 functionality |
| Contribute | Upload and edit documents, rate documents, create documents from Contracts templates, nominate to KMS, import email, open the SharePoint sharing dialog, hand off documents for signing | Required for any write operation on a document library |
| Manage Permissions (or Full Control) | Make Private — removes inherited permissions on a document or folder and grants access only to the current user | Optional. Only needed for users who should be able to make documents private. Most users do not need this role. |
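Because Manage Permissions also allows a user to grant or strip access for others, the set of people holding it on a DMS site should stay small. The following PowerShell is an added example, not Epona's code; it assumes PnP PowerShell, that the signed-in account can read the site's permission levels and groups, and placeholder values for the site URL and ClientId:

```powershell
# Added example (not Epona365 code): list who holds the ManagePermissions right on a DMS site,
# i.e. who can use Make Private. Assumes PnP.PowerShell; URL and ClientId are placeholders.
$dmsSite  = "https://contoso.sharepoint.com/sites/DMS-Matters"   # placeholder site URL
$clientId = "00000000-0000-0000-0000-000000000000"                # placeholder app registration
Connect-PnPOnline -Url $dmsSite -Interactive -ClientId $clientId

# Find every permission level whose base permissions include ManagePermissions.
# Full Control always does; custom levels may as well, so do not rely on the name.
$managePerm = [Microsoft.SharePoint.Client.PermissionKind]::ManagePermissions
$levels = foreach ($rd in Get-PnPRoleDefinition) {
    $perms = Get-PnPProperty -ClientObject $rd -Property BasePermissions
    if ($perms.Has($managePerm)) { $rd }
}
Write-Host "Permission levels that grant Manage Permissions: $($levels.Name -join ', ')"

# Site collection administrators hold full rights without appearing in any group.
Write-Host "Site collection administrators:"
Get-PnPSiteCollectionAdmin | ForEach-Object { Write-Host "  $($_.Title) [$($_.LoginName)]" }

# For each site group, report it if any bound permission level is on the list above.
foreach ($group in Get-PnPGroup) {
    $bound = Get-PnPGroupPermissions -Identity $group.Title
    $hit = $bound | Where-Object { $levels.Name -contains $_.Name }
    if ($hit) {
        $members = Get-PnPGroupMember -Group $group.Title
        Write-Host "$($group.Title) [$($hit.Name -join ', ')]: $($members.Count) member(s) can Make Private"
        $members | ForEach-Object { Write-Host "  $($_.Title) [$($_.LoginName)]" }
    }
}
```

The script inspects role assignments on the site itself; a document library with broken inheritance has its own assignments, and anyone granted a listed permission level directly on that library must be reviewed there as well.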
# 3. Epona-Specific SharePoint Groups (KMS)
The KMS feature uses three SharePoint groups to control access to KMS actions. These groups must exist on the site configured as the KMS permissions site. Group membership is checked each time the user opens the application, so adding or removing a member takes effect the next time that user opens Epona365.
| Group name | What it unlocks |
|---|---|
| KMS Viewers | Can see and open published KMS documents in the KMS library |
| KMS Nominators | "Nominate to KMS" action in the context menu; can trigger AI-assisted taxonomy prediction |
| KMS Administrators | "Publish to KMS" action in the context menu; can approve nominations and publish documents |
Users who are not a member of any of these groups will not see KMS-related actions in the interface.
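Since the three group names are what the application looks for, a missing or misspelled group silently hides the corresponding KMS actions, and a group that contains a tenant-wide claim silently opens them to everyone. The following PowerShell is an added example, not Epona's code; it assumes PnP PowerShell and placeholder values for the KMS permissions site URL and ClientId:

```powershell
# Added example (not Epona365 code): verify the three KMS groups exist on the KMS permissions
# site and review their members. Assumes PnP.PowerShell; URL and ClientId are placeholders.
$kmsSite  = "https://contoso.sharepoint.com/sites/KMS"   # placeholder: the KMS permissions site
$clientId = "00000000-0000-0000-0000-000000000000"        # placeholder app registration
Connect-PnPOnline -Url $kmsSite -Interactive -ClientId $clientId

$kmsGroups = @("KMS Viewers", "KMS Nominators", "KMS Administrators")

# SharePoint claims that stand for the whole tenant rather than a curated membership.
$everyoneClaim        = "c:0(.s|true"                           # "Everyone"
$everyoneExceptExtPfx = "c:0-.f|rolemanager|spo-grid-all-users/" # "Everyone except external users"

foreach ($name in $kmsGroups) {
    $group = Get-PnPGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Missing group '$name': its KMS action will be hidden for every user"
        continue
    }
    $members = @(Get-PnPGroupMember -Group $name)
    Write-Host "$name ($($members.Count) member(s))"
    foreach ($m in $members) {
        $flag = ""
        if ($m.LoginName -eq $everyoneClaim -or $m.LoginName.StartsWith($everyoneExceptExtPfx)) {
            $flag = "  <-- tenant-wide claim: grants this KMS role to everyone"
        } elseif ($m.PrincipalType -eq "SecurityGroup") {
            $flag = "  (Entra ID group: membership is indirect, review it separately)"
        }
        Write-Host "  $($m.Title) [$($m.LoginName)]$flag"
    }
}
```

A tenant-wide claim in KMS Viewers may be intended; the same claim in KMS Nominators or KMS Administrators lets any user nominate or publish to the KMS library and should be treated as a misconfiguration.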
# 4. Feature × Permission Matrix
| Feature | Min. SharePoint Role | Epona Group | Graph Scope(s) | Notes |
|---|---|---|---|---|
| Browse / read documents | Read | — | Sites.ReadWrite.All | Includes full-text search |
| Upload / edit documents | Contribute | — | Sites.ReadWrite.All | |
| Rate documents | Contribute | — | Sites.ReadWrite.All | Star rating on documents |
| View document permissions | Read | — | Sites.ReadWrite.All | Shows who has access to a file |
| Manage Access | Contribute | — | Sites.ReadWrite.All | Opens the standard SharePoint sharing dialog |
| Make Private | Manage Permissions | — | Sites.ReadWrite.All | Removes inherited permissions; only the current user retains access |
| Recycle bin: view own items | Read (own items only) | — | Sites.ReadWrite.All | Manage Lists required to view all users' deleted items |
| Recycle bin: restore items | Contribute (own items only) | — | Sites.ReadWrite.All | Manage Lists required to restore other users' deleted items |
| KMS: view published documents | Read | KMS Viewers | Sites.ReadWrite.All | |
| KMS: nominate document | Contribute | KMS Nominators | Sites.ReadWrite.All | Includes AI-assisted taxonomy prediction |
| KMS: publish document | Contribute | KMS Administrators | Sites.ReadWrite.All | |
| Contracts: create from template | Contribute | — | Sites.ReadWrite.All | Creates a new document from a content type template |
| Email import | Contribute | — | Mail.ReadWrite | Reads mailbox and saves attachments to a document library |
| Sync to OneDrive | Read | — | Sites.ReadWrite.All | Feature must be enabled in DMS Configuration Center |
| Planners | Read | — | Sites.ReadWrite.All, Group.Read.All | Reads Microsoft Planner plans for the associated O365 group |
| Document signing (DocuSign / Penneo) | Read | — | Sites.ReadWrite.All | Document is read and sent to the external signing service |
| User / people lookups | Read | — | User.ReadBasic.All | Used in people picker and matter subscriber fields |
| Managed metadata (read / tag) | Contribute | — | Sites.ReadWrite.All | Reading taxonomy values requires no special term store permissions; tagging requires Contribute |
# 5. Term Store / Managed Metadata
No special term store administrator rights are required for reading managed metadata values. Tagging documents with taxonomy values requires Contribute on the document library.
# 6. Recycle Bin
| Action | Required Permission |
|---|---|
| View own deleted items | Read |
| View all users' deleted items | Manage Lists |
| Restore own items | Contribute |
| Restore other users' items | Manage Lists |