cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
Super User
Super User

Powerapps and Sharepoint Online Permissions

Hello,

 

I created a PowerApp with a Sharepoint custom list as the data source. I granted all 315 users of the app "Site Member" status (R/W/E). 

 

Problem

  • The PowerApp has a LOT of validation in place (no blanks, min char counts for comments, etc.)
  • The Sharepoint URL leaked out and users have been creating new records DIRECTLY in the Sharepoint list instead of using the PowerApp
  • This has resulted in many partial records that make reporting impossible. 


Question

  • How can I grant the correct permissions to allow users access to the Custom List but NOT give them permission to edit the Sharepoint list directly if they have the URL?

 

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Akinlaw
Level: Power Up

Re: Powerapps and Sharepoint Online Permissions

Here’s how I did it...
In your list give everyone vistior acces so they can see the data but not edit. Create a field for field structural copy of the list name it something like temp-list. Give everyone write access to this list. In your power app, pull the record from the original list. Base your update form on the temp-list. Create a flow using a user That has enough privilege to write to the original list. Attach it to the temp list and have it update the original list with the new data then delete the new data from the temp list. You must trigger the flow from the temp list create or update trigger and not directly from the flow. Auto triggered flows will use the elevated permissions of the flow creator.

View solution in original post

19 REPLIES 19
Super User
Super User

Re: Powerapps and Sharepoint Online Permissions

If you are using a SharePoint custom list as a backend to a stand alone PowerApps app then I am not aware on any way to block them from accessing the SharePoint list because the PowerApps/SharePoint intergration requires the user to have access.

I would recommend creating a PowerApps custom form in the SharePoint library. Then give the users contribute access to the list to prevent any user from changing your PowerApps custom form. After that go into the List Settings page and click on Advance Settings and set the "Quick property editing" to "No". This prevents users from bypassing your custom form and adding or changing items in the quick edit view or the details pane.

 

 



--------------------------------------------------------------------------------
If this post helps answer your question, please click on “Accept as Solution” to help other members find it more quickly. If you thought this post was helpful, please give it a Thumbs Up.
Super User
Super User

Re: Powerapps and Sharepoint Online Permissions

Hi @Jeff_Thorpe, Thanks for the response. 

 

This is indeed a stand alone PowerApp with SP List as a back end. 

 

Unfortunately, creating a PowerApps custom form in the Sharepoint Library would necessitate developing another "app" then supporting two versions of the same. I can't go there with this particular project. \

 

Hm. Bummer. Would be nice to have the ability to control access to the "back end" of the app. I think whats missing is the concept of an APP ID between stand alone PowerApps and Sharepoint lists.

 

Ideally, I would control USER access to the PowerApp via AD Security Groups, then control APP access to the Sharepoint list with an App ID. Then only the APP has read/write/delete/etc. permissions on the list, not individual USERS. 

Super User
Super User

Re: Powerapps and Sharepoint Online Permissions

Aha! Our AWESOME internal Sharepoint Admin showed me a method that just might work. I'll line it out here before I try it: 

 

Permission groups: 

  • Site Owners
  • Site Members (PowerApps USERS)

List Permissions: 

  • Site Members (full Read/Write access to the list)

How to prevent PowerApps users from editing a Sharepoint List:

  • Edit the Sharepoint List Web Part
  • Select Target Audience: 
    • Groups/Site Owners
  • Add another Web Part with a custom message (like: "Keep your hands off this list!")
  • Select Target Audience: 
    • Groups/Site Members

What should happen is that PowerApps USERS with the SP List URL will be presented with the custom message. Site Owners will get to see the List itself and make edits/etc. 

 

I'll try to implement this (next week) and report back. 

Community Support Team
Community Support Team

Re: Powerapps and Sharepoint Online Permissions

Hi @ericonline,

 

Do you want to assign all 315 users of your app access permission rather than edit permisson to the SP list?

Have you solved your problem?

 

If you only want to assign all 315 users of your app access permission rather than edit permission to your SP list, you could consider take a try to assign "Site Visitors" permission (Read-Only) to them.

 

More details about assigning "Site Visitors" permission to SP list, please check the following gif image:Test1.gif

 

 

 

In addition, I also agree with the solution that you provided. If the issue is solved on your side, please go ahead and click “Accept as Solution” so that this thread will be marked for other users to easily identify.

 

Best regards,

Kris

Community Support Team _ Kris Dai
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Super User
Super User

Re: Powerapps and Sharepoint Online Permissions

Hi @v-xida-msft

 

RE: Do you want to assign all 315 users of your app access permission rather than edit permisson to the SP list?

  • I'm unable to do this because the PowerApp will throw errors. 
  • Users must have Edit perms on the List in order to submit results from the PowerApp

RE: Have you solved your problem?

  • Almost. I can't seem to find a way to apply Target Audiences to the "New Experience" Custom Lists
  • All the documentation I've been able to find only shows how to apply Target Audiences to "Classis Experience" Web Parts

RE: If you only want to assign all 315 users of your app access permission rather than edit permission to your SP list, you could consider take a try to assign "Site Visitors" permission (Read-Only) to them.

  • In my case, this will not work. 
  • Since the List is the Data Source for the PowerApp, users need Site Member permissions and List Edit permissions. 
  • I just want to "hide" the List from their View/Interaction if they visit the List URL directly. 

When I find the solution, I will post it back. Thanks for your input. 

 

panand99
Level 10

Re: Powerapps and Sharepoint Online Permissions

Hi,

You can simply hide 'New Item' link and Top level navigation from your SP list by using  JavaScript to be added on your webpart.

 

or by using toolbar properties

Akinlaw
Level: Power Up

Re: Powerapps and Sharepoint Online Permissions

Here’s how I did it...
In your list give everyone vistior acces so they can see the data but not edit. Create a field for field structural copy of the list name it something like temp-list. Give everyone write access to this list. In your power app, pull the record from the original list. Base your update form on the temp-list. Create a flow using a user That has enough privilege to write to the original list. Attach it to the temp list and have it update the original list with the new data then delete the new data from the temp list. You must trigger the flow from the temp list create or update trigger and not directly from the flow. Auto triggered flows will use the elevated permissions of the flow creator.

View solution in original post

mbrocchi1
Level 8

Re: Powerapps and Sharepoint Online Permissions

I have posted a video that demonstrates adjusting List item permissions based from PowerApps / Flow that I think will be useful - 

 

SharePoint Item Level Security in PowerApps and Flow

 

Hopefully it helps!

 

 

simb55
Level: Powered On

Re: Powerapps and Sharepoint Online Permissions

This will not solve the problem, tho.

If the link for the original list leaked, it is as well possible, that the link to your temp lists will soon be known to your coworkers.

So they just go ahead and make changes to the temp lists which will then duplicate to the original data source.

 

ericonline wrote:


Here’s how I did it...
In your list give everyone vistior acces so they can see the data but not edit. Create a field for field structural copy of the list name it something like temp-list. Give everyone write access to this list. In your power app, pull the record from the original list. Base your update form on the temp-list. Create a flow using a user That has enough privilege to write to the original list. Attach it to the temp list and have it update the original list with the new data then delete the new data from the temp list. You must trigger the flow from the temp list create or update trigger and not directly from the flow. Auto triggered flows will use the elevated permissions of the flow creator.

 

This would be a nice approach for this problem.

Helpful resources

Announcements
thirdimage

Power Automate Community User Group Member Badge

Fill out a quick form to claim your user group badge now!

sixthImage

Power Platform World Tour

Find out where you can attend!

Power Platform 2019 release wave 2 plan

Power Platform 2019 release wave 2 plan

Features releasing from October 2019 through March 2020

fifthimage

Microsoft Learn

Learn how to build the business apps that you need.

Top Kudoed Authors (Last 30 Days)
Users online (5,085)