SharePoint Connector - Security
Overview
This document describes security practices, update policies, and the Software Bill of Materials (SBOM) for the SharePoint Connector.
Security Updates
Security update cadence and release lifecycle expectations follow the canonical Upgrade and Release Process. Review this policy when planning upgrade windows and patch rollouts.
Security Reports
If you identify a potential vulnerability, report it through your standard Unique support/security contact and include connector version, affected tenant/environment, and reproduction details. Release handling expectations follow the Upgrade and Release Process.
Security Architecture

Security Principles
Least Privilege Access
Sites.Selected / Lists.SelectedOperations.Selected: Only access explicitly granted sites or libraries
No tenant-wide access: Cannot access sites not specifically granted
Per-site/library revocation: Access can be removed from individual sites or libraries
Certificate-Based Authentication
X.509 certificates: Industry-standard authentication
No shared secrets: Certificate private keys never leave the connector
Rotation support: Certificates can be rotated without service disruption
Transport Security
TLS 1.2+: All external communication encrypted
Certificate validation: Server certificates validated
No plaintext: No unencrypted data transmission
Data Handling
Streaming transfers: Files streamed, not stored locally
In-memory processing: Data processed in memory
No persistent storage: No local file storage of SharePoint content
Tenant-wide principals: SharePoint permissions granted to tenant-wide principals (e.g., Everyone, Everyone except external users) are not expanded or synced to Unique. Content accessible to all tenant users in SharePoint may not have corresponding visibility in Unique permissions.
Compliance Considerations
Data Residency
Connector does not store SharePoint content persistently
Data flows: SharePoint → Connector (memory) → Unique
No intermediate storage
Audit Logging
All operations are logged with:
Timestamp
Operation type
Resource identifiers
Success/failure status
Error details (if applicable)
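As an added example (not the connector's own code), a small Python check that reads structured audit log lines carrying the fields listed above and flags two conditions worth alerting on: an operation against a site outside the Sites.Selected grant list (which should not be possible and so points to grant drift or a misconfiguration), and a site whose failure rate spikes. The JSON field names, the sample log lines and the grant allowlist are constructed assumptions, not the connector's documented schema.

```python
import json
from collections import defaultdict

# Constructed sample log lines. Field names (timestamp, operation, resource,
# status, error) mirror the fields listed above but are assumed; adapt them
# to the connector's real log schema.
SAMPLE_LOG = """\
{"timestamp":"2024-05-01T10:00:00Z","operation":"list_items","resource":"sites/Finance","status":"success"}
{"timestamp":"2024-05-01T10:00:05Z","operation":"download_file","resource":"sites/Finance/lists/Docs/1","status":"success"}
{"timestamp":"2024-05-01T10:01:00Z","operation":"list_items","resource":"sites/HR","status":"failure","error":"403 Forbidden"}
{"timestamp":"2024-05-01T10:01:02Z","operation":"list_items","resource":"sites/HR","status":"failure","error":"403 Forbidden"}
{"timestamp":"2024-05-01T10:01:04Z","operation":"download_file","resource":"sites/HR/lists/Docs/7","status":"failure","error":"403 Forbidden"}
{"timestamp":"2024-05-01T10:02:00Z","operation":"list_items","resource":"sites/Marketing","status":"success"}
"""

# Sites explicitly granted via Sites.Selected (assumed allowlist for this example).
GRANTED_SITES = {"sites/Finance", "sites/HR"}

def parse_log(text):
    """Parse one JSON object per line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def site_of(resource):
    """Map a resource identifier to its site (first two path segments)."""
    return "/".join(resource.split("/")[:2])

def find_anomalies(entries, granted_sites, min_ops=3, max_failure_rate=0.5):
    """Return (kind, site, detail) tuples: 'ungranted_site' for operations on a
    site outside the grant list, 'failure_spike' for a site with at least
    min_ops operations whose failure rate exceeds max_failure_rate."""
    anomalies = []
    stats = defaultdict(lambda: {"ops": 0, "failures": 0, "errors": set()})
    for e in entries:
        site = site_of(e["resource"])
        if site not in granted_sites:
            anomalies.append(("ungranted_site", site, e["timestamp"]))
        s = stats[site]
        s["ops"] += 1
        if e["status"] != "success":
            s["failures"] += 1
            s["errors"].add(e.get("error", "unknown"))
    for site, s in stats.items():
        if s["ops"] >= min_ops and s["failures"] / s["ops"] > max_failure_rate:
            anomalies.append(("failure_spike", site, sorted(s["errors"])))
    return anomalies

if __name__ == "__main__":
    for anomaly in find_anomalies(parse_log(SAMPLE_LOG), GRANTED_SITES):
        print(anomaly)
```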
Access Controls
| Control | Implementation |
|---|---|
| Authentication | Certificate-based (X.509) |
| Authorization | Sites.Selected / Lists.SelectedOperations.Selected grants |
| Audit | Structured logging |
| Encryption | TLS 1.2+ in transit |
Best Practices
For Operators
Rotate certificates before expiration
Review site grants periodically
Monitor logs for anomalies
Update promptly when security patches are released
Use certificate authentication for production environments
For Security Teams
Review SBOM for each deployment
Assess CVEs against deployed version
Audit site grants for least privilege
Monitor API usage for anomalies
Test in staging before production updates
Related Documentation
Authentication - Certificate and auth setup
Configuration - Security-related settings
Permissions - Required API permissions
Standard References
Microsoft Security Best Practices - Microsoft security guidance
OWASP Top 10 - Web application security risks
CycloneDX - SBOM specification
SPDX - Software Package Data Exchange