Configuring free-busy only access
Customer security controls may require that only access to free-busy information in calendars is permissible. This article describes how to configure both the Integrator Application as well as the Service Account on the customer side to ensure only free-busy information is available to both Cronofy and the Integrator Application.
The following diagram describes the three systems involved in the calendar data exchange.
Boundary A #
The permissions requested at this boundary are controlled by the Integrator through the
delegated_scope they request to users’ calendar. In this situation the
free_busy scope should be used.
Boundary B #
The permissions requested at this boundary are controlled by the Customer’s IT Admin. When using a Service Account to broker access to calendar data the IT Admin can control three aspects of the data access.
- The mailboxes accessible,
- Whether full or free-busy only access is permitted,
- The mailbox folders that can be accessed.
As these restrictions are placed on the Service Account then all restrictions will apply to the data accessible by the Cronofy system. This in turn limits the information and operations available to the Integrator’s application.
Configuring Free-busy Only access #
The Service Account should be granted the
-AccessRights permission on the mailboxes.
Example: Granting the
AvailabilityOnly folder permission to a service account via Powershell
Add-MailboxFolderPermission -Identity firstname.lastname@example.org -AccessRights AvailabilityOnly -User email@example.com
For full documentation see Set-MailboxFolderPermission Parameters documentation
Restricting access in this way will prevent the Integrator Application from creating events directly in the user’s calendar. Instead the user will need to be sent an email with a calendar invite attachment.