MS SharePoint Postman System.UnauthorizedAccessException accessing subsite

Question

My goal is to create anything( Item, Folder, Files) in MS SharePoint using REST API. The issue is, I don´t have the influence to set up my access rights. It was set up by 3th party. They say, I have the full access to the subfolder. It goes something like this: https://xxxx.sharepoint.com/sites/xxxx/mysubfolder Basically we were following the step by step here: https://stuartmccoll.github.io/posts/2020-06-16-sharepoint-api-authentication-with-postman/

I use the Postman to test the process. The first step is getting the access token. It works fine and I get it. When I try to test the get with https://xxx.sharepoint.com/sites/xxxx/mysubfolder/_api/web/Lists/ using the token, I get response back and with status 200 OK.

When I try to list e.g. https://xxx.sharepoint.com/sites/xxxx/mysubfolder/_api/web/Lists/GetByTitle('Postman')/items I get back:

{
    "d": {
        "results": []
    }
}

empty? There are at least 2 items.

When I try to create a new list with post https://xxx.sharepoint.com/sites/xxxx/mysubfolder/_api/web/Lists

{
  "__metadata": {
    "type": "SP.List"
  },
  "AllowContentTypes": true,
  "BaseTemplate": 100,
 "ContentTypesEnabled": true,
 "Description": "My list description",
 "Title": "Test"
}

I recieve

{
    "error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {
            "lang": "de-DE",
            "value": "Zugriff verweigert. Sie haben keine Berechtigung, diesen Vorgang auszuführen oder auf diese Ressource zuzugreifen."
        }
    }
}

with the status 403 Forbidden. What am I missing / doing wrong? Thanks.

Answer 1

I found the cause. It was in the setup for "Grant permissions to a SharePoint Add-In"

It must be:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>

Then it works!