cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
ARAlmac
Helper I
Helper I

Data Security in SharePoint

Hi PowerApps Community,

 

Our business case is at a bit of a crossroads with our Salary Review Project in PowerApps and I thought I would come on and see if any of the community have any ideas.

 

As I have mentioned, the project is for Salary Review meaning the data is very sensitive. The app will be used to assign percentage increases to each persons salary and save to SharePoint which will then be exported and sent to payroll.

The users of the app will be HR/Finance/Salary Review Managers so only authorised personnel will be given access to the app and in turn will need "Edit" permissions so they can read/write to the SharePoint site. 

 

We have filtered the galleries in the app to ensure the correct records are displayed to the right people.

However, the crossroad we are at is that the actual SharePoint list is still accessible if a user of the app were to get the URL of the SharePoint list.

We know Dataverse may be a more secure option but this comes at quite a cost.

 

Thought id ask if anyone has any thoughts on any measures we can take to hide the sharepoint list on SharePoint but still give users access to it in the app?

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
RandyHayes
Super User III
Super User III

@ARAlmac 

You will need to break the permission inheritance of the list down to the item level.  This is best achieved through PowerAutomate.

You can read more about the process at this link.

The concept is, once a record is added, the flow will remove the inherited permission of the list to the item (users have read and write access to the list - this will remove that to the item).  Then the flow will set the permission of the item to the user that submitted and also to any permission groups (admins, etc.) that should be able to see it.

 

I hope this is helpful for you.

_____________________________________________________________________________________
Digging it? - Click on the Thumbs Up below. Solved your problem? - Click on Accept as Solution below. Others seeking the same answers will be happy you did.
Check out my PowerApps Videos too! And, follow me on Twitter @RandyHayes

Really want to show your appreciation? Buy Me A Cup Of Coffee!

View solution in original post

3 REPLIES 3
RandyHayes
Super User III
Super User III

@ARAlmac 

You will need to break the permission inheritance of the list down to the item level.  This is best achieved through PowerAutomate.

You can read more about the process at this link.

The concept is, once a record is added, the flow will remove the inherited permission of the list to the item (users have read and write access to the list - this will remove that to the item).  Then the flow will set the permission of the item to the user that submitted and also to any permission groups (admins, etc.) that should be able to see it.

 

I hope this is helpful for you.

_____________________________________________________________________________________
Digging it? - Click on the Thumbs Up below. Solved your problem? - Click on Accept as Solution below. Others seeking the same answers will be happy you did.
Check out my PowerApps Videos too! And, follow me on Twitter @RandyHayes

Really want to show your appreciation? Buy Me A Cup Of Coffee!

View solution in original post

Thanks @RandyHayes ,

 

We will be doing an initial data load where all the data is loaded in by HR.

The filtering by Manager is done using a filter on the gallery by "Salary Review Manager" field that way they only see the records they need. 
However, when they go onto SharePoint we would like them not to be able to see all data.

if we were to follow that blog and remove and add permissions would they only see the records they are salary manager for?

 

Thanks

RandyHayes
Super User III
Super User III

@ARAlmac 

Your trouble will come with the initial load.  The flow will execute for each record and set the permissions to the groups and the "Created By" user.  Which will be you (or whoever does the initial load).  So, you have a couple of choices on the initial load aspect.

1) Have some additional column in your record that specifies the user/owner of that record and modify the flow to use that column instead of the 'created by' column.

2) Manually re-process each record after initial load to have the permissions set properly.

#1 would be the preference/easiest.

 

The end result of this is that, if a user submits a record(s) to the list, if they navigate to the list in the browser, they will see a list with only that record(s).

If managers need to be able to see all the records of the people they manage, then they should be accounted for in the flow based on something in your record (i.e. a manager column).  Then, if a manager comes to that same list in the browser, they will see all the records of the people they manage.

_____________________________________________________________________________________
Digging it? - Click on the Thumbs Up below. Solved your problem? - Click on Accept as Solution below. Others seeking the same answers will be happy you did.
Check out my PowerApps Videos too! And, follow me on Twitter @RandyHayes

Really want to show your appreciation? Buy Me A Cup Of Coffee!

Helpful resources

Announcements
PA_User Group Leader_768x460.jpg

Manage your user group events

Check out the News & Announcements to learn more.

Power Query PA Forum 768x460.png

Check it out!

Did you know that you can visit the Power Query Forum in Power BI and now Power Apps

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

R2 (Green) 768 x 460px.png

Microsoft Dynamics 365 & Power Platform User Professionals

DynamicsCon is a FREE, 4 half-day virtual learning experience for 11,000+ Microsoft Business Application users and professionals.

Users online (1,250)