►
Description
Webcast around different aspects which SharePoint administrators should know about SharePoint Framework. More details on covered content is available from http://dev.office.com/blogs
A
Welcome
everybody.
This
is
SharePoint
banners
and
practices
of
webcast
and
system
and
we're
not
gonna
actually
again
deep
down
on
a
code.
We're
gonna
talk
about
want
to
boot
and
what
shoe
to
every
SharePoint
admin
know
about
SharePoint
framework,
so
kind
of
a
considerations
for
organizations
or
administration
administrators
of
the
tenants
related
on
SharePoint
framework
solution.
There
has
been
a
lot
of
obviously
discussion
in
the
internet
around
the
different
aspects
of
the
SharePoint
framework
and
we
wanted
to
clarify
some
of
these
topics,
for
everybody
is
watching
the
webcast
as
well.
A
B
A
So
how
do
you
validate
what
is
being
given
to
you
as
a
customization
which
is
getting
deployed?
You
should
clarify
the
responsibilities
who's
responsible
of
what
if
something
goes
wrong
because
it's
well,
it's
IT.
Evidently
something
goes
wrong
at
some
point.
Who
do
we
gonna
call
a
dancer?
It's
not
ghostbusters
in
this
case.
B
A
If
it's
an
in-house
development
or
if
it's
outsourced,
development
or
if
it
was
a
random
guy
who
did
something
and
left
and
nobody
knows
how
to
conduct
a
person
anymore,
we
should
clarify
the
hosting
locations
and,
let's
talk
about
all
of
these
things
more
default
in
a
while
as
well
there's
some
security
considerations
related
on
customizations,
and
there
are
some
specifics
related
on
SharePoint
framework
and
we
can
pinpoint
those
in
upcoming
slide
as
well.
So
in
the
comparison
of
the
older
way
of
doing
these
customizations
and
obviously,
there's
considerations
related
on
deployment
process.
A
And
again
this
is
relatively
typical
thing:
I,
don't
I,
don't
personally
think
the
considerations
have
that
significantly
changed,
so
the
key
topics
are
exactly
the
same
from
the
ages
of
farm
solutions
where
you
needed
to
actually
think
through.
When
do
we
deploy
who's
responsible?
What,
if
something
that's
broken?
What
is
the
impact
for
the
internal
processes?
A
One
of
the
things?
What
we
especially
wanted
to
kind
of
a
concentrate
first
is
the
security
considerations.
So
if
you
think
about
the
sharepoint
sharepoint
framework
solutions,
one
of
the
kind
of
a
key
specific
differences
in
the
sharepoint
framework
solutions
is
the
fact
that
they
are
Chava
script.
They
are
Java
Script,
which
are
running
in
the
context
of
the
of
the
process.
So
essentially
they
are
running
in
the
security
context
of
the
user,
and
this
is
slightly
different
than
it
was
with
adding
model.
A
Adding
model
was
explicitly
introduced
to
have
additional
security
layer
with
an
auth,
so
you
would
be
always
kind
of
am
well
again
depending
on
a
set
up
slightly,
but
you
basically
would
be
always
in
the
context
of
of
the
user
permissions
plus
the
adding
permissions
and
data
model
absolutely
supported
in
the
future
as
well.
So
if
the
sharepoint
framework
solution,
if
you
have
concerns
around
running
script
in
the
context
of
the
user,
you
can
always
fall
back
on
the
adding
model
where
we
have
that
security
isolation
in
the
future,
as
well.
A
One
of
the
considerations
which
people
might
actually
not
think
about
is
the
script
integrity
in
the
context
of
hosting
locations
as
part
of
the
customizations.
People
are
delivering
delivering
javascript
and
those
javascript
files
are
not
actually
in
the
packets
in
the
solution
buckets
the
solution.
Packets
itself
only
contains
the
reference
that
a
JavaScript
files
are
hosted
in
this
particular
location,
and
then
the
question
is
okay.
What
is
the
location?
Is
it
secure?
What
if
somebody
changes
the
javascript
file
without
me,
knowing
which
will
then
impact
the
process?
A
So
the
no
script
is
a
option
is,
was
introduced
already
a
few
years
ago,
actually
on
the
office
traces
to
file,
and
that's
really
there
to
make
sure
that,
as
if
tenant
admin
enables
the
no
script
on
the
sides,
the
end
users
of
the
site-
let's
say
the
site,
collection,
administrators
or
the
site
owners.
They
can
not
embed
random
script
on
the
site
which
people
tend
to
do
in
the
old
way.
They
they
kind
of
a
used
to
do
that
using
script.
A
A
Permissions
are
taking
trended
so
to
say
by
adding
a
script
on
the
page,
which
is
doing
something
funky
the
no
script
option.
If
you
enable
that,
and
then
the
site
and
site
collection
administrators
can
not
just
embed
a
script
or
a
masturbate
or
a
custom
masturbate
or
a
base
layer
or
whatever
on
their
site
without
the
permissions
of
the
tenant
administrator
using
the
share
pond
framework,
what
about
me
talking
well,
like
anything,
you
wanna,
add
on
this
one.
This.
A
Absolutely
absolutely,
and
even
though
the
title
is
kind
of
an
again
referring
to
the
development
of
these
things,
but
we
wanted
to
make
this
slider
kind
of
a
pinpoint
and
the
difference
is
related
on
clients
and
customization
options
in
the
context
again
of
a
tenant
administrator
or
as
a
tenant
owner.
So
is
it
working
with
no
script
sites?
Essentially,
if
you
enable
the
no
script
option
to
pluck
random
scripture
to
be
added
on
the
site,
what
does
it
actually
mean?
Is
there
a
permission
model,
which
is
a
big
thing?
Obviously
is
it?
A
Is
it
using
the
OAuth
permission
model
whenever
the
customization
I
decided
on
the
sign
and
then
also
do
you
have
a
centralized
approval?
So
can
you
ascertain
an
administrator
approve
or
deny,
or
even
afterwards
go
on
and
essentially
remove
that
customization
from
a
one,
centralized
location
and,
let's
start
with
actually
ship
on
framework?
So
we
kind
of
quickly
went
through
this
one
in
the
intro
in
the
previous
lines
as
well,
but
the
SharePoint
framework
solutions
are
deployed
centrally
as
a
tenant
administer
admin
admin.
So
essentially
you
get
as
a
tenant
administrator.
A
You
go
to
the
App
Catalog.
You
are
that
you
are
uploading.
The
solution
begins
to
do
app
catalog,
you
give
that
solution,
buckets
the
permissions
to
be
used
across
the
tenant
and
then
the
implications
of
doing
so
is
that
the
Java
Script
is
then
available
across
all
of
the
sites
within
a
tenant,
but
you're,
essentially
making
that
centralized
approval
for
that
customization,
which
again
would
like
to
remind
people
and
that's
why
you
should
review
what
are
you
actually
getting
deployed?
A
This
is
almost
like
the
plastic
farm
solutions
in
a
in
a
classic
2010
or
2007
timeframe.
You
really
needed
to
understand
what
the
farm
solutions
actually
contained
and
where
it
came
from
so
you're
able
to
trust
what
the
solution
is
doing.
The
farm
solution
is
is
equals
full
solutions
and
it
was
actually
running
in
the
context
of
well
administrative
permissions,
but
looking
into
characteristics
or
looking
into
that
mapping.
So
it
works
on
on
a
no
script
site,
so
SharePoint
framework
solutions
they
do
work
on,
even
even
though
no
script
is
enabled
on
a
site.
A
So
you
can
actually
use
this
in
the
future
in
the
modern
SharePoint
sites,
as
well
like
the
modern
collaboration
sites
or
the
modern
publishing
sites
which
are
coming
at
some
point
again,
depending
on
what
you're,
when
you're
watching
the
video
there
is
no
permission
model.
So
as
long
as
you
test
at
an
administrator,
you
approve
that
customization
to
be
used
within
a
tenant.
Then
the
site
collection
administrators
can
install
the
add-in
not
not
an
adding
as
a
solution
is
perfect
solution.
A
There
we
go
I'm,
mixing
terminology,
the
the
site
administrators
can
take
that
solution
into
a
use
by
well
the
the
processes
that
they
go
and
add
an
adding
but
they're
actually
adding
a
chiffon
framework
solution
from
a
UI,
and
it
has
a
centralized
approval
us
a
tenant
administrator.
You
are
approving
that
solution
to
be
taking
into
use
in
the
app
catalog
when
you
upload
that
to
be
available
within
App
Catalog.
B
A
A
The
SharePoint
solutions
are
considered
safe
as
long
as
the
tenant
administrator
is
providing
them
to
be
available
within
a
tenon
by
uploading
them
to
be
available
in
our
catalog
they're
considered
safe,
and
therefore
they
will
be
fine
to
get
hurt
that
are
within
the
sites.
Even
though
there's
no
script
is
enabled
right.
B
A
The
direction
at
least
where
we're
heading
right
now,
is
that
all
of
the
modern
sites
are
by
default,
no
script
sites
and
this
kind
of
a
relates
on
the
thinking
point
from
a
customization
perspective
as
well
immediately.
If
we
would
allow
user
custom
actions
or
chase
links
or
whatever
scripting
implementations,
people
would
continue
implementing
customizations,
which
are
dependent
on
a
HTML
Dom
structure,
modifications
and
those
are
not
good,
they're,
not
future
proof.
The
future
proven
approach.
A
The
SharePoint
framework
is
the
future
proven
approach.
As
long
as,
even
though
you
would
be
doing,
let's
say
the
compared
solution
which
will
replace
the
chairs
link
whenever
we
get
that
one
out
again,
depending
on
the
video
when
the
video
is
being
watched,
did
it
did
I
answer
your
question
or
not.
B
A
The
next
one
is
adding
model,
so
the
adings
have
been
around
since
2013
release.
They
are
essentially,
they
are
isolated
functionalities
which
are
hosted
either
on
an
iframe
or
outside
of
the
SharePoint,
as
a
provider
hosted
adding
as
an
example,
the
iframe
was
exposed
this
initially
using
the
client-side
web
part,
which
is
then
hosting
or
exposing
information
from
a
different
domain.
So
there's
a
security
level,
isolation.
B
A
Add-Ins
they
do
work
with
no
script
sites,
as
I
were
able
to
essentially
take
Adams
into
use
in
no
script
side
as
well,
because
the
customizations
is
isolated,
they're
not
actually
running
in
the
context
of
the
site
they're
running
outside
of
the
site,
even
though
from
angels
perspective
it
feels
like
they
are
exposed.
In
the
context
of
the
side,
there
is
a
permission
metal
model
which
means
that
essentially,
when
they
always
take
an
adding
into
use,
you
need
to
approve
it
the
permissions.
What
adding
is
requesting?
It
might
be
a
tenant
level
permission.
A
It
might
be
a
reed
level
permission
to
a
less
than
slightly,
depending
on
a
permission
that
you're
adding
could
be
in
store
or
not,
and
that's
probably
one
of
the
let's
say,
massive
differences
between
this
SharePoint
solution.
Like
we
received
from
the
map
as
well.
In
some
sense,
you
might
actually
say
that
SharePoint
solution,
solute
serpent
solution,
framework
solutions.
They
actually
have
an
approval
process
as
well.
A
It's
the
one
approval,
but
the
tenant
administrator
does
when
they
deploy
that
solution
in
AB
catalog,
but
they
do
not
rely
on
on
the
or
off
model
and
that's
why
the
permission
more
or
less
mark
not
to
be
there,
which
happened,
framework
solutions
and
for
adding
models.
We
do
have
a
centralized
approval
as
well,
even
though
technically
there
are
ways
and
and
well
ways,
for
example,
with
dev
site
collections
to
go
around
or
around
that
one
as
well.
But
you
do
have
a
centralized
approval
of
the
adding
add-ins
anything.
B
With
one
out
there-
yes,
don't
they
I
wanted
to
ask
is
if
I
recall
it
correctly
in
the
past
we
used
to
do
things
like
we
would
deploy
an
add-in
and
we
would
use
the
add
in
to
register
user
custom
action
with
the
host
web
yeah
right,
so
the
script
would
be
lets
say,
deployed
with
the
Adhan,
but
then
would
be
registered
with
the
host
web.
So
would
that
also
work
on
a
no
script
side
or
not
well,.
A
A
You
were
using
the
add-in
as
a
tool
to
get
your
JavaScript
embedded
on
the
site,
which
is
essentially
the
same
as
kind
of
what
SharePoint
framework
is
doing,
but
it
more
relates
on
a
script,
editor
webpart
and
you
were
not
really
taking
advantage
of
the
permission
model
on
runtime.
You
were
using
the
permission
only
on
the
deployment
time
to
get
access
to
get
a
permissions
to
add
that
javascript
in.
But
if
you
have
a
no
script
settings
enable
that's
not
supported
scenario,
so
you're
unable
to
do
that
right.
B
Right
and
I
think
that
I
wonder
about
and
correct
me
if
I'm
thinking
different
wrong
way,
but
in
a
past,
when
we
build
that
Eddins
we
could
say
the
add-ins
should
have
permission
to
read
items
or
write
items
to
manage
web
or
are
all
that
yeah
with
SPF
n
SPF
X
in
that
regard
is
also
deployed
to
the
catalog
right.
So
both
add-ins
and
SPF
acts
go
together
to
catalog,
but
only
add-ins.
Have
these
permission
flags?
B
If
you
will
correct
and
given
the
fact
that
SPF
X
runs
under
the
context
of
the
current
user,
would
you
say
it
that
it's
fair
to
agree
that
admins,
when
deploying
SPF
X
packages
should
treat
them
the
same
way
as
if
they
would
deploy
an
ad
and
with
tenant
wha?
What
wide
access
or
the
the
maximum
flags?
If
you
will.
A
In
some
sense,
yes,
absolutely
so,
obviously
there
are
some
differences
and
kind
of
I
would
say
technical
details
around
that
statement
as
well
and
in
the
atom
model
you
can
create
an
adding,
which
is
only
using
only
permissions
and
then
and
requesting
a
tenant
level
access
and
then
that
adding
actually
would
have
a
tenant
level
massive
access.
So
it
would
have
a
massive
permissions
to
do
whatever
in
a
tenant
and
in
the
SharePoint
solution.
You
cannot
do
that.
You
would
be
essentially
in
some
sense
what
the
SharePoint
solution
approval
in
the
App
Catalog.
A
B
A
True,
absolutely
and
and
in
some
sense
it
would
be
exactly
the
same
as
with
let's
say:
hi
tenant
level
permission
probably
hosted
adding.
If
you
give
the
property
hosted,
adding
high
permissions
and
then
you,
the
user,
goes
to
that
property
hosted
adding
it
actually
has
all
of
the
permissions
as
the
user
as
well.
So
there
really
isn't
a
massive
difference
here,
but
there
is
a
let's
say:
it's
a
good
to
clarify
and
understand
what
is
the
permission
difference,
but
you
can.
A
Yes,
let's
have
a
look
on
the
next
one,
so
the
next
one,
a
kind
of
a
classic
way
of
doing
customizations
in
SharePoint
in
SharePoint
Online
is
descriptive
as
a
web
part
or
content
that
a
web
part.
If
you
prefer,
they
use
that
as
well.
So
the
script
are
added
on
the
pages
by
end
users.
As
long
as
you
have
a
page,
editing,
let's
say
permissions
on
a
site.
You
can
essentially
embed
a
script
on
a
on
a
site
and
that
can
be
considered
somebody.
A
So
if
a
tenant
administrator
would
like
to
disable
a
random
int
user
to
embed
a
script
on
a
site
somewhere
in
the
tenant,
because
there
might
be
hundreds
of
thousands
of
sites
who
knows-
and
they
can
actually
do
that
from
a
centralized
location-
and
that's
how
do
you,
if
you
enable
the
no
script
and
then
the
script
there
at
the
web
part
is
not
available,
it
doesn't
matter
if
it's
a
modern
side
or
a
classic
site.
There's
no
support
for
then
embedding
scripts
on
on
a
page
and
there's
no
permission
model,
there's
no
centralized
approval.
A
B
So
I
guess
that
a
concern
here
is
not
always
that
not
per
se
that
the
scripts
that
are
edit
to
the
page
are
malicious.
But
one
of
the
challenges
that
I
can
can
imagine
is
that
when
you
load
script
from
external
URL
that
you
do
not
control
yourself,
you
cannot
really
guarantee
the
integrity
of
it
right
because
you
don't
own
own
the
location
and
with
that
the
whole
IT
might
not
even
know
that
there
is
somewhere
a
page
within
the
whole
internet
that
does
that
yeah.
So
there
might
be
yeah
yeah
and.
A
Again,
if
we
think
about
that,
that
can
be
let's
say
well
that
can
cause
issues
in
the
future.
No
doubt
with
adding
model,
you
are
well
adding
more
ownership
and
framework
solutions
as
a
tenant,
administrator
or
person
who's,
taking
this
into
account
or
installing
them
on
the
side.
With
that
a
model,
yes,
you
have
the
permission
model
and
if
the
adding
is
asking
high
level,
permissions
is
kind
of
forcing
the
same
category
as
a
sharepoint
framework
solution,
and
but
you
will
know
from
where
those
customizations
start
being
loaded
and
the
scripts
are
being
loaded.
A
It's
not
a
random
location
sambar.
Unless
you
allow
that
and
again
that's
a
consideration
on
the
review
and
like
we
covered
on
the
previous
slide,
you
can
absolutely
host
your
let's
say:
SharePoint
solution
framework,
a
separate
framework
solutions
and
the
Java
scripts,
also
within
your
tenant.
So
you
are
the
only
persons
who
are
able
to
control
how
those
scripts
are
getting
modified
and.
B
I
can
imagine
that
that
there
are
folks
who
would
argue
that
well
yeah,
but
a
review
is
difficult
thing
and
you
might
not
always
be
able
to
do
it,
but
I
guess.
The
point
is
that
with
SPF
X
and
add-ins,
you
have
the
chance
to
review
them
because
everything
goes
to
a
central
approval,
whereas
with
the
scripture
embedded
directly
on
the
page,
that
is
being
done
beyond
the
india,
india
in
the
IDI
t.
A
If
there
is
no
doubt
the
most
control
over
there
and
then
the
the
kind
of
a
final
option
here,
just
to
pinpoint
that
it's
it's
nothing
more
than
kind
of
a
variation
of
the
scripted
at
a
web
part,
or
we
kind
of
touched
this
one
already,
while
the
on
the
world
X
point
as
well,
what
if
I
would
use
and
adding
to
associate
a
script
to
a
user
custom
action
or
a
chase
link
in
a
field?
The
story
with
that
one
is
exactly
the
same
as
we
would
script
editor
web
part.
A
Essentially,
there's
it
won't
work
with
the
no
script
sites
you're
unable
to
do
that,
there's
no
permission
model.
The
script
is
being
executed
by
well
in
the
context
of
the
end
user
and
that's
it
and
then
there's
no
centralized
approval.
As
long
as
the
person
has
access
to
associate
the
script,
the
chair's
link
or
to
the
user
custom
actions
on
the
site,
you
have
no
clue
where
stuff
the
sides
have
their
scripts
associated.
A
So
the
challenge
is
exactly
the
same
as
with
scripted
at
a
web,
more
cool
but
again
considering
those
options,
I
would
say
if,
if
there
are
concerns
around
these
scripts
being
added
on
a
page,
the
no
script
is
no
doubt
an
option
enabled
and
all
script
essentially
disable
the
support
for
scripting
within
the
sides
on
this
random
scripts
being
at
and
then
use
SharePoint
framework
or
adding
model
to
introduce
the
native
customizations
in
a
controlled
way.
In
some
companies
that
might
be
fine
and
some
companies.
People
might
say
that
no,
no,
it's
restricting
too
much.
A
But
that's
why
I
have
that
control?
You
can
you
as
a
tenant
administrator,
you
can
actually
control
the
no
script
from
tenant
admin
UI.
Is
it
enable
and
not,
and
how
is
it
controlled
absolutely
and
you
can
go
down
to
the
level
of
site
collections
in
certain
site
collection
it
can
be
allowed
in
certain
site
collections
or
by
default
it
might
be
not
allowed,
and
that's
probably
the
well
the
best
way
of
thinking
the
truth
and
there's
always
some
exceptions
on
the
role.
B
A
B
A
The
script
itself
can
access
a
rest,
endpoint
and
the
rest
API
endpoints
on
the
other
side,
as
long
as
the
user
has
the
permissions
to
hit
those
influenced,
but
again
it
depends
on
what
kind
of
access
that
script
would
be
looking
into.
That's
really
again
depends
on
a
technical
details,
right,
cool
but
I
think
that's
it
for
this
one
we
didn't
want
to
go
in
there.
A
We
didn't
want
to
intentionally
record
a
demo
around
this
one,
rather
go
through
the
options
and
concentrate
more
on
the
practical
scenarios,
and
and
what
does
it
actually
mean,
but
I
think
we
went
through
all
of
the
scenarios.
I
think
we
explained
that
let's
say
the
difference
is
off
from
a
security
perspective
and
between
the
options.
Anything
you
wanna
add
on
this
one
world
a
well.