After a SharePoint 2013 environment has been configured for Apps, by default the SharePoint Store is open to all farm administrators and anyone with Site Owner/Full Control access to a SharePoint site. If you are using non-default permission levels, you need the “create subsites” and “manage web site” permissions to add an app for SharePoint. There is no way of keeping site owners from browsing the SharePoint Store, but we can configure the environment so that they must request an app from the store and only specified administrators can approve these requests.
To suit this requirement Microsoft created the App Catalog. There can only be one App Catalog site collection (yes, it is its own site collection) per web application. The setting that keeps site owners from downloading apps directly is in Central Admin > Apps > Configure Store Settings. If there is no App Catalog set up, you will receive the following error: “Sorry you need to create an app catalog site…” Hit back and go to Manage App Catalog. During the creation of the new App Catalog (with the familiar site collection creation screen) you will be asked to add a Primary Site Collection Admin and End Users. The Primary Site Collection Admin is your “App Gatekeeper” and the End Users are the site owners that you want to be able to see apps from the App Catalog.
Once the App Catalog is all set up, you can go back to the Configure Store Settings page and you should see the following options (the default for the first option is Yes, but I moved it to No so site owners cannot acquire apps directly):
Now, if a site owner goes to add an app for the SharePoint site, they will be able to search the SharePoint Store, but when they click the app they will be presented with a Request It option instead of an Add It option (if the checkbox was marked as yes in the previous screenshot).
Once the site owner clicks Request It, they will need to specify licensing options (How many user licenses or is it for everyone) and an optional “request justification” field. Once the site owner submits the request, it will show up in the App Catalog’s “App Requests” List:
From here the App Catalog Admin(s) can approve or decline app requests. Once the status has been changed to Approved, the App Catalog Admin will need to go to the SharePoint Store and acquire the app. This is done by clicking the link next to View App Details on the App Request entry:
Once this is done, the site owner can check the “Your Requests” list and see the status of their request. After the app has been acquired and approved, it will show up in the “Apps You Can Add” list.
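The Central Admin steps above (create the App Catalog, register it for the web application, turn off direct acquisition from the store) can also be scripted from the SharePoint 2013 Management Shell. The following is an added example, not part of the original post; the URLs and the gatekeeper account are placeholder assumptions, and the End Users of the catalog still have to be granted access separately.

```powershell
# Added example. Run in an elevated SharePoint 2013 Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values (assumptions): replace with your own environment's values.
$webAppUrl  = "https://sharepoint.example.com"
$catalogUrl = "$webAppUrl/sites/AppCatalog"
$gatekeeper = "EXAMPLE\app-gatekeeper"   # Primary Site Collection Admin ("App Gatekeeper")

# Create the App Catalog site collection only if it does not exist yet.
# APPCATALOG#0 is the site template used for App Catalog site collections.
$catalog = Get-SPSite -Identity $catalogUrl -ErrorAction SilentlyContinue
if (-not $catalog) {
    $catalog = New-SPSite -Url $catalogUrl `
                          -OwnerAlias $gatekeeper `
                          -Name "App Catalog" `
                          -Template "APPCATALOG#0"
}

# Register the site collection as the App Catalog for its web application
# (only one catalog per web application is allowed).
Update-SPAppCatalogConfiguration -Site $catalogUrl -Confirm:$false

# Turn off direct acquisition from the SharePoint Store so that site owners
# get "Request It" instead of "Add It".
Set-SPAppAcquisitionConfiguration -WebApplication $webAppUrl -Enable $false

# Review the resulting store setting for every web application in the farm,
# so a web application left at the default (open store) stands out.
Get-SPWebApplication | ForEach-Object {
    Write-Host "Store settings for $($_.Url)"
    Get-SPAppAcquisitionConfiguration -WebApplication $_ | Format-List
}
```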