pm box is a cloud-based application service that performs many complex SharePoint® operations that are usually done by users with elevated permissions. As such, pm box must have its own 'identity' and, just like a regular user, it needs certain permissions to operate properly. Before we explain what each of these permissions means and what its scope is, it is important to mention that they do not exceed the permissions of the actual PMO Administrators group of pm box and have the same scope as (or possibly a lesser scope than) an actual human user belonging to this group.

So, let's have a look at these permissions, their scope and what they mean:

Permission scopes

  • Tenancy - The tenancy where the add-in is installed. Includes all children of this scope, such as site collections, sites, lists and libraries
  • Site Collection - Only the site collection where the add-in is installed. Includes all children of this scope, such as sites, lists and libraries (this is the scope given to pm box)
  • Website - The SharePoint website where the add-in is installed. Includes all children of this scope, such as lists and libraries
  • List - A single list in the website where the add-in is installed

Add-in vs. user permissions

Permissions indicate the activities that an add-in is permitted to perform within the site collection scope (see the bullet points above). There are four levels for each scope, as follows:

| Add-in permission | Equivalent user permission level | Remark |
|---|---|---|
| Read | SharePoint Reader | |
| Write | SharePoint Contributor | |
| Manage | SharePoint Designer | |
| Full control | SharePoint Full Control | This is the permission given to pm box as an add-in as well as the PMO Administrators user group within pm box. They have equivalent rights within the site collection where your projects will be stored. |
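
One way to check an add-in's requested permissions against the scopes and levels described above, as an added example (not code from pm box or Microsoft): it parses the permission requests in a SharePoint add-in manifest and flags any request above a chosen ceiling. The sample manifest is constructed, and `audit` with its parameters is a hypothetical name used only here.

```python
# Added example: audit the permission requests in a SharePoint add-in manifest.
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}

# Scope URIs used in add-in manifests, ranked narrowest (0) to broadest (3).
SCOPES = {
    "http://sharepoint/content/sitecollection/web/list": (0, "List"),
    "http://sharepoint/content/sitecollection/web": (1, "Website"),
    "http://sharepoint/content/sitecollection": (2, "Site Collection"),
    "http://sharepoint/content/tenant": (3, "Tenancy"),
}
# Add-in rights and the equivalent user permission level from the table above.
RIGHTS = {
    "Read": (0, "SharePoint Reader"),
    "Write": (1, "SharePoint Contributor"),
    "Manage": (2, "SharePoint Designer"),
    "FullControl": (3, "SharePoint Full Control"),
}

def audit(manifest_xml, max_scope="Site Collection", max_right="FullControl"):
    """Return one finding per request; 'ok' is False when it exceeds the ceiling."""
    scope_cap = next(rank for rank, name in SCOPES.values() if name == max_scope)
    right_cap = RIGHTS[max_right][0]
    findings = []
    root = ET.fromstring(manifest_xml)
    for req in root.iterfind(".//m:AppPermissionRequest", NS):
        scope_uri, right = req.get("Scope", ""), req.get("Right", "")
        s_rank, s_name = SCOPES.get(scope_uri, (None, scope_uri))
        r_rank, r_name = RIGHTS.get(right, (None, right))
        # Unknown scopes or rights fail the check so that a person reviews them.
        ok = (s_rank is not None and r_rank is not None
              and s_rank <= scope_cap and r_rank <= right_cap)
        findings.append({"scope": s_name, "equivalent": r_name, "ok": ok})
    return findings

# Constructed sample manifest (an assumption, not pm box's actual manifest).
SAMPLE = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl"/>
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read"/>
  </AppPermissionRequests>
</App>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
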

For more in-depth technical information, you can refer to the following Microsoft article.