Free Busy Only Access
The security model that Cronofy offers allows Application Vendors to only request free busy information for events that are added to the calendar by the user but maintain the ability to write and update events originated by the application.
We achieve this by obtaining full write permission to a calendar. We then differentiate in our sync engine between application originated events and the events sourced from the calendar. This allows us to provide different access models for the application events and calendar events.
We recognize that for some organizations, data policies require that only free busy information leaves the calendar service so we provide an alternative model to the
ApplicationImpersonation role we favor.
Instead of the
ApplicationImpersonation role, the service account is granted
AvailabilityOnly on the mailboxes.
Example: Granting the
AvailabilityOnly folder permission to a service account via Powershell
Add-MailboxFolderPermission -Identity email@example.com -AccessRights AvailabilityOnly -User firstname.lastname@example.org
This does change the capabilities of the calendar integration. The Application Vendor cannot use the API connection to create or update events in the user’s calendars with this model.