Excessive permissions requested

Hello SketchUp for Schools technical team,

I am the project manager for a project at the Department of Education of the Valencian Community Government that evaluates and authorizes educational applications for public schools in the Valencian Community. Our educational environment includes a Microsoft tenant that provides digital identities to all teachers and students in the Valencian Community. Currently, this tenant supports approximately 80,000 teachers and 800,000 students across the region.

Many schools have expressed interest in using SketchUp for Schools, and our project is keen to evaluate and authorize it.

However, during our evaluation, we have observed that the application requests the “Directory.Read.All” permission. This permission is excessively broad as it exposes all tenant information to the application, posing a significant security and privacy risk for users of the Microsoft educational accounts.

We kindly request that you reassess the necessity of this permission for the application and strive to make it non-essential. No other educational application has ever required such a high level of privileges in our tenant.

Looking forward to your insights and hoping to resolve this matter promptly.

1 Like

We are in the same situation here. Our organization members are not able to use Google SSO unless SketchUp is granted access to read/write/delete all items in Google Drive. The implied scope is not just personal files, but also includes shared files and shared drive files as well, which is a major security concern if the app were compromised in any way. Many other apps make this optional or unrelated for simply signing in, and we’re wondering if you plan to do the same in the future.

Some apps also concern themselves with only their set of files in Google Drive, but that doesn’t necessarily apply to scenarios where users are importing from Drive and need to at least read their own files.

1 Like

Hi @salva and @bstraub. I am not a developer so I can’t exactly offer any specifics on what is going on on a technical level, but as our app does not handle any student data in any way, we need drive access to save and load files into the app itself. We cannot access anything on our end at any point, nor do we know any information about who is using the app, as all of that data is handled by the sign in you are using (Google or Microsoft).

While it may be possible to rework it someday to make the scope more limited, I honestly can’t say one way or another what the end results would be or if they would even meet your requirements as the EDU market is constantly changing what is required for different schools to use our app.

Thank you for your explanation @CaseyG. I understand the need to save and load files for the app’s functionality. However, there are more granular permissions available in Microsoft Graph that could potentially meet your needs without requiring such broad access:

  1. Files.ReadWrite.AppFolder: This permission allows read and write access to a special app folder, which could be used to store app-specific files without accessing the entire drive.
  2. Files.ReadWrite: This delegated permission allows read and write access to files the signed-in user has access to, without requiring directory-wide access.

These options provide more limited scopes that align better with your app’s actual needs while addressing potential security concerns. They ensure that each user can only access their own files, which is in line with the principle of least privilege.

I appreciate that reworking permissions may require development effort. However, adopting this approach not only enhances security but can also make your app more attractive to privacy-conscious educational institutions.

We hope this information is helpful in understanding our perspective on the permission requirements. If you decide to explore these more granular permissions, it could potentially address the concerns we’ve raised while still meeting your app’s functional needs.
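The scope comparison salva lays out above, together with the Google Drive case bstraub raised earlier in the thread, can be turned into a triage check that an app-evaluation team runs on the consent request itself rather than on the vendor's description of it. The following is an added example, not code from SketchUp or from anyone in this thread; the tier table, the suggested narrower scopes, the placeholder client_id and the sample authorize URLs are assumptions constructed for illustration from the scope names the thread mentions plus Google's drive scope family.

```python
"""Triage the OAuth scopes an app asks for at sign-in (Microsoft Graph or Google).

Added example for this thread, not SketchUp for Schools code. The tiers, the
suggested narrower scopes and the sample authorize URLs are assumptions
constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Tiering policy (assumption: one evaluator's classification, not a vendor list).
# Microsoft Graph delegated scopes are short names; Google scopes are full URIs.
TIERS = {
    "tenant-wide": {"Directory.Read.All", "Directory.ReadWrite.All",
                    "User.Read.All", "Group.Read.All"},
    "all-user-files": {"Files.ReadWrite.All", "Files.Read.All",
                       "https://www.googleapis.com/auth/drive",
                       "https://www.googleapis.com/auth/drive.readonly"},
    "own-files": {"Files.ReadWrite", "Files.Read"},
    "app-scoped": {"Files.ReadWrite.AppFolder",
                   "https://www.googleapis.com/auth/drive.file",
                   "https://www.googleapis.com/auth/drive.appdata"},
    "sign-in": {"openid", "profile", "email", "offline_access", "User.Read"},
}

# Narrower substitutes for the broad scopes named in the thread (assumption).
NARROWER = {
    "Directory.Read.All": "User.Read",
    "Files.ReadWrite.All": "Files.ReadWrite.AppFolder",
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.file",
}

# Worst tier present decides the verdict; unlisted scopes also get a human look.
SEVERITY = ["tenant-wide", "all-user-files", "unknown", "own-files", "app-scoped", "sign-in"]
VERDICT = {"tenant-wide": "reject", "all-user-files": "review", "unknown": "review"}


def scopes_from_authorize_url(url):
    """Return the space-separated scope list from an OAuth 2.0 authorize URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def classify(scope):
    """Map one scope string to a tier; anything unlisted is 'unknown'."""
    for tier, members in TIERS.items():
        if scope in members:
            return tier
    return "unknown"


def review(url):
    """Tier every requested scope and derive an overall verdict.

    Returns {"scopes": [...], "findings": [(scope, tier, narrower_or_None)],
             "verdict": "reject" | "review" | "ok"}.
    """
    scopes = scopes_from_authorize_url(url)
    findings = [(s, classify(s), NARROWER.get(s)) for s in scopes]
    worst = min((tier for _, tier, _ in findings), key=SEVERITY.index, default="sign-in")
    return {"scopes": scopes, "findings": findings, "verdict": VERDICT.get(worst, "ok")}


def authorize_url(base, scope):
    """Build a sample authorize URL (client_id is a placeholder, not a real app)."""
    return base + "?" + urlencode({"client_id": "PLACEHOLDER-CLIENT-ID",
                                   "response_type": "code", "scope": scope})


MS_BASE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GOOGLE_BASE = "https://accounts.google.com/o/oauth2/v2/auth"

# Constructed samples: the broad Microsoft request the thread complains about,
# the Google Drive equivalent, and the narrowed request salva proposes.
BROAD_MS = authorize_url(MS_BASE, "openid profile User.Read Directory.Read.All Files.ReadWrite")
BROAD_GOOGLE = authorize_url(GOOGLE_BASE, "openid email https://www.googleapis.com/auth/drive")
NARROW_MS = authorize_url(MS_BASE, "openid profile User.Read Files.ReadWrite.AppFolder")

if __name__ == "__main__":
    for label, url in [("broad-ms", BROAD_MS), ("broad-google", BROAD_GOOGLE), ("narrow-ms", NARROW_MS)]:
        result = review(url)
        print(f"{label}: verdict={result['verdict']}")
        for scope, tier, narrower in result["findings"]:
            hint = f" -> consider {narrower}" if narrower else ""
            print(f"  {tier:15} {scope}{hint}")
```

The check reads the `scope` parameter straight from the authorize redirect, which is what a browser actually sends and therefore what the tenant is being asked to consent to; an unknown scope is deliberately routed to manual review rather than silently accepted, so a newly introduced permission cannot slip through because the policy table has not been updated.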

Thanks for letting me know all of this @salva. I appreciate your perspective and will pass along your feedback to the team. I can’t make any promises but if we can find a way to get SketchUp into more schools that is always a good thing as far as I am concerned. I’ll bring it up next time I see a developer or Tori (our SketchUp for Schools expert) and see if we can do anything.

We serve 16 schools in Austria and our tenant has over 10,000 users. We have also observed that the application requests the “Directory.Read.All” permission. This permission is excessively broad as it exposes all tenant information to the application, posing a significant security and privacy risk for users of the Microsoft educational accounts.

Unfortunately we cannot make this app available to our students as long as this is not addressed.

We kindly request that you reassess the necessity of this permission for the application and strive to make it non-essential. Thank you!

1 Like