Willy_
Frequent Visitor

Limit users to their own items in a list after filling in a form

Hi everybody,

I want to manage employee vacations. When users fill out a vacation request with a form, it will start an approval process with Power Automate and register everything in a SharePoint list.
I would like to know how to give access to users so that they only see their items. If I use the option "Read items that were created by the user" in the list's advanced settings, only the user who created the form has access, not the users who fill it in.

Perhaps the approach is not correct. What I am clear about is that it must be through a form, and I was thinking of having two lists: one to check the status of the request and another to check total days, used days, pending days...

Can someone guide me with this?

Thanks so much

ChadVKealey
Power Participant

When you say "form", do you mean a Microsoft Forms form? If so, any flow that runs based on submission of that form will run with the connections configured in the flow (typically the flow author/creator). So, Person A creates the form and associated flow that takes the form data and creates an item in the "leave request" list. Person B fills out the form and the flow runs, but the "create item" action is running with Person A's SharePoint connection, so the "created by" will be Person A. In this case, the "Item level permissions" in the list won't help.

 

So, if you're using a Microsoft Forms form, that flow could also set permissions on the leave request item that's created, but eventually (most likely) you will hit the unique item permissions scope limit (max of 50,000 uniquely-permissioned items per list or library). Also, as a general rule, I discourage this approach unless there is a plan to clean up those uniquely permissioned items (e.g.: after 30 days, delete the item or move it to another location where it is NOT uniquely permissioned).

 

If you are NOT using a Microsoft Forms form (for example, you're going to use the out-of-the-box SharePoint form or a Power Apps app form), then Item-level permissions should work fine. That's how I set up our leave request system (using a Power Apps app) and it's been working well for almost 2 years. Now, our system is simply used for approval, notification and as a "calendar" of who's in/out. We're not tracking time earned, time used, etc., so I can't comment on that part of your question. However, I would probably handle that via a separate flow that's triggered when the leave request is Approved. That is, the user submits a request, the manager (or whomever) approves it, and then, with a separate "when an item is modified" flow, you adjust the counts in that other list. Otherwise, you'll again have to assign unique permissions to those list items and run the risk of someone manually manipulating the data.

Willy_
Frequent Visitor

Many thanks @ChadVKealey for your quick answer.

Yes, I am referring to a Microsoft Forms form, I understand... I suppose that when you speak about setting permissions, it is with "Grant access to an item...", isn't it?

Could you kindly give me a little information about how to do it with Power Apps? I have never used it before, so that I have some reference for where to start looking or doing...

Thank you again

ChadVKealey
Power Participant

Yes, that is the action you would use. If you plan on using that, I would suggest giving all users of this system read permission to the list and granting them edit permission to their own items. In terms of the unique permissions scope limit, it may take you a long time to hit 50,000 items (or you may never), just know that the limit is out there and it's a hard, unbreakable limit (not a "threshold" that you can sometimes exceed). 

 

Creating a Power Apps app to serve as the user interface to a system like this can be challenging. The nice thing about this approach is that you can build it exactly to your specifications. The painful thing is that you need to explicitly build in whatever functionality you want. There is a "leave request" app template that you could look at to get some idea of what's involved. I would recommend building a few simpler apps first to get comfortable with Power Apps in general. There are a bunch of great resources here: https://docs.microsoft.com/en-us/learn/browse/?products=power-apps&WT.mc_id=webupdates_GEP_Powerapps... and instructor-led training available (at a cost) from a number of different sources. However, unless you hire someone specifically to build (or help you build) it, you won't find a step-by-step guide to creating your own leave request app.

 

If you want to pursue that option, though, it's best to start with a clear set of design specifications. Talk to the people who are asking for it and also those who will use it (not all of them, but at least a representative cross-section of the user base) to determine what functionality is actually needed. Also, identify all of the data that's going to be involved. Obviously, the leave request list itself is one table, but there will likely be others. Who will "approve" the requests? If it will always be the "Manager" of the user in the O365 user profile, then you don't need a separate list to identify the approver. However, if even ONE person has an approver other than their manager, you need to have a way to handle those exceptions. Also, it sounds like you've got another table of data (leave accrued, leave used, etc.), so you need to think about how that is populated and maintained. Daniel Christian did a wonderful series of videos on how to plan SharePoint list relationships for use with Power Apps; the first one is here: https://youtu.be/qU22DiaIPpU

 

Also, check out the YouTube channels belonging to Shane Young, Reza Dorani, April Dunnam and Mr. Dang. Most of what I know about Power Apps I learned from a video by one of those 5 people. 

Many thanks for your extended explanation.

About setting permissions on the list item, I don't understand how to do it.

The idea is that user A is the "created by" of the form and he has access to read/modify all items.

The rest of the users fill in the form and can see only their own items, not all of them.

So, even if I set up "Grant access to an item...." in the flow with the role "Can view", if I choose "Read items that were created by the user" in the list's advanced settings, only user A ("Created by") can see all the items (this is not an issue) and no other user can see any items.

And if I set "Read all items" in the list's advanced settings, all users can see all items, theirs and those of others. User B can see the items of user C and vice versa, and this is not desirable.

How can I set up every user to see only their items?

On the other hand, the users should not be able to modify any item.

About the item limit, I found this:

https://support.microsoft.com/en-us/office/manage-large-lists-and-libraries-b8588dae-9387-48c2-9248-...

Thank you

ChadVKealey
Power Participant

Rolling back a bit. You create a Microsoft Forms form for users to fill out with their leave request. You create a flow to run when a new form response is submitted and have it create an item in the Leave Requests (SharePoint) list. When that runs, it will run using the SharePoint connection you define in the flow (typically your own account or a service account if you have one); it cannot run as the person who submitted the form. So, assuming you use your own account/SharePoint connection, all of those list items will be "Created by" you. In this case, forget about the "Item Level Permissions" settings - they won't help you.

 

You want each user to only see their own items, so you could use the Grant permissions action to give the submitter of the form View access to the item that was created. However, that gives them permission to the item, but not the list. If they don't have some type of access to the list itself, they won't be able to "get to" their item. So, you would need to give them "Read" permission to the list. However, as you pointed out, that does give them the ability to read other users' items. The way to prevent this is to (before granting permission), use the "Stop sharing an item or file" action. This breaks the inherited permissions, so you then need to grant permissions to those who need it. The "permissions" part of the flow would be:

  1. Create item
  2. Stop sharing item
  3. Grant form creator view access to item
  4. (if needed) Grant other permissions as needed (for example, how is "approval" being done? Will another person - the manager, maybe, need edit permission to the item?)

Again, even without the complication of a Power App, I think you need to clearly lay out and define your process so that you can identify exactly who is going to be involved and determine what permissions people will need to the Leave Request items. A lot of people think "oh, the manager is going to approve, so they need edit permission to the item" when in reality, they don't. If the "approval" process is running as you (or, again, a service account) that has site collection admin access, then the manager does not need any access to the item (assuming you include the relevant details about the request in the approval message). Also, you're saying that the user shouldn't be able to edit their item. What happens if they need to change or cancel a leave request? It will happen, so you need to know how to address that.

Maybe you have already defined all those specs and requirements, but based on the questions you're asking, I think you may have overlooked some details. I'm not trying to make things more difficult for you, but it sounds like you may need to more clearly define your process and requirements. It's not an easy process, but it is necessary.
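
An added audit sketch, not part of the original thread and not Microsoft tooling: because the item exists with the list's inherited Read permission until "Stop sharing" runs, a flow run that fails partway leaves a request visible to everyone, and this check finds such items in a permissions export. The record layout (`submitter`, `unique`, `grants`), the service account address and the sample rows are constructed assumptions; the role names follow the "Can view" / "Can edit" wording used in the thread, and the limit is the 50,000 figure quoted above.

```python
# Added example: audit a constructed permissions export of the Leave Requests list.
# Field names and accounts are assumptions, not a SharePoint export format.
SERVICE_ACCOUNT = "svc-flow@example.com"  # account the flow connection uses (assumed)
UNIQUE_SCOPE_LIMIT = 50_000               # per-list limit quoted in the thread

# Constructed sample, one record per list item:
#   unique -> True once "Stop sharing" has broken inheritance
#   grants -> {principal: role} assigned directly on the item
SAMPLE_ITEMS = [
    {"id": 1, "submitter": "b@example.com", "unique": True,
     "grants": {"b@example.com": "Can view"}},
    # Flow failed after "Create item": the item still inherits list-wide Read.
    {"id": 2, "submitter": "c@example.com", "unique": False, "grants": {}},
    # Inheritance broken but the grant step never ran: submitter cannot see it.
    {"id": 3, "submitter": "d@example.com", "unique": True, "grants": {}},
    # Submitter can edit, and a colleague was added by hand.
    {"id": 4, "submitter": "e@example.com", "unique": True,
     "grants": {"e@example.com": "Can edit", "b@example.com": "Can view"}},
]

def audit(items, approvers=frozenset()):
    """Return (findings, unique_count); findings are (item_id, problem) tuples."""
    findings = []
    for item in items:
        owner = item["submitter"].lower()
        grants = {p.lower(): r for p, r in item["grants"].items()}
        if not item["unique"]:
            findings.append((item["id"], "inherits list permissions"))
            continue  # direct grants do not matter while the list ACL applies
        if owner not in grants:
            findings.append((item["id"], "submitter has no access"))
        elif grants[owner] != "Can view":
            findings.append((item["id"], f"submitter role is {grants[owner]}"))
        allowed = {owner, SERVICE_ACCOUNT} | {a.lower() for a in approvers}
        for extra in sorted(set(grants) - allowed):
            findings.append((item["id"], f"unexpected principal {extra}"))
    unique_count = sum(1 for i in items if i["unique"])
    return findings, unique_count

def headroom(unique_count, limit=UNIQUE_SCOPE_LIMIT):
    """Uniquely permissioned items still available before the hard limit."""
    return limit - unique_count

if __name__ == "__main__":
    found, n = audit(SAMPLE_ITEMS)
    for item_id, problem in found:
        print(f"item {item_id}: {problem}")
    print(f"{n} uniquely permissioned items, {headroom(n)} left before the limit")
```

Pass the managers or HR accounts that legitimately hold item access as `approvers` so they are not reported as unexpected principals.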


Willy_
Frequent Visitor

You are helping me a lot!!!

My first idea was that the list was only available to all users with read permissions, a request record for HR (all items) and for users (their own); I had not thought of giving write permissions to the approver. The approvals (there are two, first manager and second HR) are done in the flow with "Start and wait for an approval", and then the item is updated to another state (pending approval... approved or rejected).

Now I'm looking for Grant form creator view access to item and I can't find it, can you help me with this?

And you are right, I have to think about how to manage changes and cancellations... maybe another, different Microsoft Forms form that works over the first flow, canceling the request and deleting the item or modifying the request and item... I don't know, I will have to find out...

Now I'm looking for Grant form creator view access to item and I can't find it, can you help me with this?

You won't find that as a specific action, but - as long as it's not an anonymous form - you can get the email address of the user who submitted and use that in the "Grant access" action. It's a little easier to show than type it all out, so check this video: https://www.screencast.com/t/cxc0kXLCb3AZ

 

-Chad

Thanks so much, that I could solve it before
