Showing results for 
Search instead for 
Did you mean: 
Frequent Visitor

PowerApps Leave Request - Data source loophole

Hi all,


The leave request PowerApps template has been really great for my customization to suit a small office I'm working for. Recently, I have rolled this out for our users but I am concerned about the data source because the excel data file is being shared to users with edit access rights in order to have the apps working. Although the edit access rights have been shared without notification, the file can still be accessed through 'Shared with' under the users' OneDrive account and this is a security loophole.


It will be really helpful if anyone has easy & good solutions on how this security loophole can be mitigated.


Thank you.

Community Support
Community Support

Hi @Purikura :

I'm afraid it is not possible to allow users to use PowerApps, without granting those users direct access to the data source.

Currently there is an ideal under review is "Removing user ability to access data source without using the app", I think you should be interested in it.

If you need this feature, please vote for this ideal.

Best Regards,


Hi @v-bofeng-msft,


Thank you for your reply. 


It is really unfortunate to hear that it's not possible as this is a major security flaw. 


I have voted for the idea but it looks like the idea has been around since 2018 and many people are facing the same issues. Do you have a clue when will Microsoft release patches for this?


Thank you. 

Hi @Purikura :

I think of another alternative for your reference:

Step1:Create two entities in CDS and then give different permissions to different types of users


  • User(Read & wirite)
  • Adimin(Read & wirite)


  • User(Read)
  • Adimin(Read & wirite)

Step2:The user submits the request to Entity1 for Adimin to review.

Step3:After Adimin reviewed and agreed, copy the record to Entity2 and delete the record in Entity1.

Step4:Users can modify and review the records in Entit1, and can also see the approved records in Entity2.

In this way, the user can see but cannot modify the approved record, and can modify the unapproved record at any time.

Best Regards,



Helpful resources

PA User Group

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

Power Query PA Forum 768x460.png

Check it out!

Did you know that you can visit the Power Query Forum in Power BI and now Power Apps

V3_PVA CAmpaign Carousel.png

Community Challenge - Giveaways!

Participate in the Power Virtual Agents Community Challenge

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

Top Solution Authors
Top Kudoed Authors
Users online (2,375)