Allow more control over fields returned in the Calendar API calls
Allow administrators to filter which fields can be returned per endpoint. Our end client is concerned that even though we are filtering the results on our side we still have access to Calendars.Read and technically have access to read meeting subjects, etc. Is there any way in Office365 or the Graph API that our end client can apply more granular permissions to filter which fields we have access to?
My particular example is using the CalendarView endpoint to retrieve a user's appointments for a specific time period. While calling the endpoint we are passing $select=start,end,showAs. Our end client does not want us to have access to meeting subjects, attendees, etc.
We recently shipped a new Mail.ReadBasic permission scope that returns everything but the Body and the Attachments of message objects when calling /me/messages for example. From our research, the Subject was ok for our customers to return and was not a concern.
We could introduce a Calendar.ReadBasic, but we would mimic the same approach of body and attachments.
We are not at the stage with an Identity consent model that is property level in access. We are a very long way off this so permissions scopes that are defined as discussed is what we can do in the short term.
From your request, you are more concerned about the Subject and Attendees being returned for events. This makes this a very restricted scope of properties which would mean introducing another permission scope other than Basic. Top of my head thinking would be Calendar.ReadRestricted. For others seeing this, would it be a useful API to return without subject, body, attendees and just return basic properties (start, end, showAs)?
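The client-side filtering described in the question, as an added example that is not part of the original thread: it builds the CalendarView request with `$select=start,end,showAs` and then enforces the same allowlist on the response, reporting any other property that came back. This only minimizes what the application keeps; the granted permission is unchanged. The function names, user address and sample response are assumptions made for illustration.

```python
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED = ("start", "end", "showAs")  # the fields named in the question


def calendar_view_url(user_id, start_iso, end_iso):
    """Build the calendarView request limited to the allowed fields."""
    query = urlencode(
        {
            "startDateTime": start_iso,
            "endDateTime": end_iso,
            "$select": ",".join(ALLOWED),
        },
        safe="$,:",  # keep the OData parameter and timestamps readable
    )
    return f"{GRAPH}/users/{quote(user_id, safe='@')}/calendarView?{query}"


def minimize(response):
    """Keep only allowed fields; list every other property that was returned."""
    kept, dropped = [], set()
    for event in response.get("value", []):
        kept.append({k: event[k] for k in ALLOWED if k in event})
        dropped.update(k for k in event if k not in ALLOWED)
    return kept, sorted(dropped)


# Constructed sample response (not real data). The second event carries a
# subject to show what happens if $select is ever dropped from the request.
SAMPLE = {
    "value": [
        {"@odata.etag": "W/\"constructed\"", "id": "constructed-1",
         "start": {"dateTime": "2024-05-01T09:00:00", "timeZone": "UTC"},
         "end": {"dateTime": "2024-05-01T10:00:00", "timeZone": "UTC"},
         "showAs": "busy"},
        {"id": "constructed-2", "subject": "constructed subject",
         "start": {"dateTime": "2024-05-01T13:00:00", "timeZone": "UTC"},
         "end": {"dateTime": "2024-05-01T13:30:00", "timeZone": "UTC"},
         "showAs": "tentative"},
    ]
}

if __name__ == "__main__":
    print(calendar_view_url("adele@contoso.example",
                            "2024-05-01T00:00:00", "2024-05-02T00:00:00"))
    events, unexpected = minimize(SAMPLE)
    print(events)
    print("dropped before storage:", unexpected)
```

Logging the dropped property names (never their values) gives the end client an audit trail showing that subjects or attendees were discarded if they ever appear in a response.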