Appian o-o-t-b SharePoint Connected Systems URLs per SharePoint site

Hi,

We are integrating with the Appian SharePoint Connected Systems listed in docs.appian.com/.../Connected_System.html. I have a couple of specific questions about the Client Credentials approach. It states that

=====================================================

SharePoint Client Credentials Connected System

Provide a single SharePoint user’s credentials to authenticate. All integrations will use a shared SharePoint service account. Individual Appian users do not need their own SharePoint accounts.

To generate Client Credentials, see Granting access using SharePoint App-Only in the Microsoft docs.

A few notes on the process:

1. If you only need access to a particular SharePoint site, go to that site’s URL to generate your Client ID and Client Secret. For example: <siteName>.sharepoint.com/sites/<subsite>/_layouts/15/appinv.aspx
2. If you do not have tenant administrator permissions, you may need to use a different permission XML. For example:

1
2
3

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="">sharepoint/.../sitecollection" Right="FullControl" />
</AppPermissionRequests>

=====================================================

(1) the first question I have is that the 'Instance URL' seems to be hard-coded in this Connected System. To elaborate, if I wanted access to a specific site's URL, I would it appears have to mention that site in a Connected System. This means I would have to create a separate Connected System for each SharePoint site/subsite. Is there a way around this ?

(2) the second question I have is regarding the XML that says that "FullControl" is needed. As expected, our security team is worried about granting FullControl. Can we not just grant ReadWrite ? I believe I tried it and it did not work, but am looking for confirmation from Appian as well as a better understanding of the need for fullcontrol.