Privacy and Security

This article is designed to help answer questions customers may have about privacy, access, and permissions when installing Agiloft Contract Assistant for Outlook and Agiloft Contract Assistant for Word, referred to below as the Agiloft apps.

What does the App capabilities section mean?

Near the bottom of the Agiloft Outlook app page in AppSource, Microsoft shows a message that states the following:

App capabilities

  • Can send data over the Internet
  • This app can read or modify the contents of any item in your mailbox, and create new items. It can access personal information – such as the body, subject, sender, recipients, or attachments – in any message or calendar item. It may send this data to a third-party service.


This warning comes from Microsoft's perspective as a facilitator of app implementation. The reference to third parties will only ever mean your own Agiloft KB.

Read their mention of this add-in as referring simply to an instance of the app that can be installed onto a user's computer. When this message says that the app can read or modify the contents of any item in your mailbox, it is referring to the mailbox of the user running the app. At no point will there ever be running instances of the app code that have access to more than a single user’s mailbox at a time, which must be properly configured before it can be accessed.

Microsoft doesn’t allow Office Apps to expand Windows permissions, and Agiloft backs that up by not allowing users to run API calls they do not have permissions for. Microsoft also heavily vets and audits the apps offered on their store, so our representation in AppSource is a verification of proper security compliance.

What permissions do the apps get?

Using the Outlook or Word apps in no way ever increases a user's permissions, either in the KB or in the Microsoft environment. 

A user can only interact with content they would also be able to interact with in Agiloft. Working in an app does not add any extra level of permissions to the user; it just provides a more convenient user interface to work in.

If you don't have permission to do something without the app, you still won't be able to do that thing with the app. If you attempt something you do not have permission for in Agiloft, whether editing or viewing, you will receive an error message.

In Outlook, the app only gets Read & Write permissions to the mailbox of the user who launches the app, and it inherits the permissions of that user.

The manifest file used for the Outlook app is hosted at https://outlookaddin.agiloft.com/manifest.xml. The snippet of the manifest file that controls permissions is: 

<Permissions>ReadWriteMailbox</Permissions>


The context that Microsoft provides for <Permissions> assures that the app only gets Read & Write permission to the mailbox of the user who launches the app, not to all mailboxes within the organization. 

How do the apps send data?

Both the Outlook app and the Word app use API calls to access mailbox items and contract documents, respectively. They also use API calls to associate those emails and documents with KB records, as well as to make other changes based on user actions that are performed in the apps.

The Outlook app uses MS Outlook APIs to interact with the currently open email. It then uses Agiloft REST APIs to associate those open emails with KB records, and make other KB changes based on user decisions related to the open email.

Similarly, the Word app uses MS Word APIs to interact with the currently open document. It then uses Agiloft REST APIs to associate those open documents with KB records, and make other KB changes based on user decisions related to the open document.

The API calls only send data to the user KB. If admins would like to confirm this, we recommend verifying this with a tool like Fiddler.
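One way to run that check on a Fiddler capture exported as HAR (HTTPArchive), as an added example that is not Agiloft's own code: it flags every request that carries a body or query string to a host other than your KB, or to the KB without TLS. The hosts kb.example.com and telemetry.example.net, the placeholder-api path, and the sample entries are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

def _entry(method, url, body=""):
    """Build one HAR-style entry for the constructed sample below."""
    req = {"method": method, "url": url, "bodySize": len(body)}
    if body:
        req["postData"] = {"mimeType": "application/json", "text": body}
    return {"request": req}

# Constructed sample in HAR 1.2 shape. kb.example.com and
# telemetry.example.net are placeholders, not real Agiloft endpoints.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("GET", "https://outlookaddin.agiloft.com/manifest.xml"),
    _entry("POST", "https://kb.example.com/placeholder-api", '{"subject":"x"}'),
    _entry("POST", "https://telemetry.example.net/collect", '{"body":"y"}'),
    _entry("GET", "http://kb.example.com/placeholder-api?id=7"),
]}})

def audit_har(har_text, kb_host):
    """List requests that carry data anywhere other than kb_host over HTTPS."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        host = (url.hostname or "").lower()
        # A request "carries data" if it has a body or a query string.
        # bodySize is -1 in HAR when unknown, so also look at postData.
        has_body = req.get("bodySize", 0) > 0 or bool(req.get("postData", {}).get("text"))
        if not (has_body or url.query):
            continue  # plain asset fetch, nothing sent
        if host != kb_host.lower():
            reason = "data sent to non-KB host"
        elif url.scheme != "https":
            reason = "data sent to KB without TLS"
        else:
            continue  # expected: data to the KB over HTTPS
        findings.append((req["method"], host, reason))
    return findings

if __name__ == "__main__":
    for method, host, reason in audit_har(SAMPLE_HAR, "kb.example.com"):
        print(f"{method:5} {host:28} {reason}")
```

Request bodies only appear in the capture when HTTPS decryption is enabled in Fiddler; without it the export contains only tunnel entries and this check has nothing to inspect.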
