Free Busy Only Access

The security model that Cronofy offers allows Application Vendors to request only free busy information for events that the user adds to the calendar, while retaining the ability to write and update events that originate from the application.

We achieve this by obtaining full write permission to a calendar. Our sync engine then differentiates between application-originated events and events sourced from the calendar. This allows us to provide different access models for application events and calendar events.

We recognize that some organizations have data policies requiring that only free busy information leaves the calendar service, so we provide an alternative model to the ApplicationImpersonation role we favor.

Instead of the ApplicationImpersonation role, the service account is granted AvailabilityOnly on the mailboxes.

Example: Granting the AvailabilityOnly folder permission to a service account via PowerShell

Add-MailboxFolderPermission -Identity "<mailbox>:\Calendar" -AccessRights AvailabilityOnly -User "<service account>"

This does change the capabilities of the calendar integration. The Application Vendor cannot use the API connection to create or update events in the user’s calendars with this model.
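
The grant described above, applied to a list of mailboxes and then verified, as an added example that is not Cronofy's own code. The service account and mailbox addresses are placeholders, and the script assumes an Exchange management PowerShell session is already connected.

```powershell
# Added example. $ServiceAccount and $Mailboxes are placeholders; replace them.
$ServiceAccount = 'svc-calendar-sync@example.com'
$Mailboxes      = @('alice@example.com', 'bob@example.com')

$report = foreach ($mbx in $Mailboxes) {
    # The default calendar folder name is localized, so find it by folder type.
    $cal = Get-MailboxFolderStatistics -Identity $mbx -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    if (-not $cal) {
        [pscustomobject]@{ Mailbox = $mbx; Folder = $null; Rights = $null; Status = 'NoCalendarFolder' }
        continue
    }
    $folderId = "${mbx}:\$($cal.Name)"

    $existing = Get-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -AccessRights AvailabilityOnly | Out-Null
    }
    elseif (($existing.AccessRights -join ',') -ne 'AvailabilityOnly') {
        # An earlier, broader grant exists for this account: narrow it.
        Set-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -AccessRights AvailabilityOnly | Out-Null
    }

    # Read the permission back instead of trusting the write.
    $current = Get-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -ErrorAction SilentlyContinue
    $rights  = $current.AccessRights -join ','
    [pscustomobject]@{
        Mailbox = $mbx
        Folder  = $folderId
        Rights  = $rights
        Status  = if ($rights -eq 'AvailabilityOnly') { 'OK' } else { 'Mismatch' }
    }
}
$report | Format-Table -AutoSize

# In this model the account should not also hold ApplicationImpersonation.
$impersonation = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $ServiceAccount -ErrorAction SilentlyContinue
if ($impersonation) {
    Write-Warning "$ServiceAccount still has an ApplicationImpersonation role assignment: $($impersonation.Name -join ', ')"
}
```

Any row with a Status other than OK, or a warning from the final check, means the service account's access differs from the AvailabilityOnly model described above.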