I am finishing an application with Power Apps and Sharepoint. However I have some security problems that I have not found any solution.
I would like the Sharepoint List to be consumed only by PowerApps and users have no other way to access the data in that list.
I checked this topic but it doesn't have the complete solution: https://powerusers.microsoft.com/t5/Power-Apps-Governance-and/PowerApps-User-SharePoint-Online-Permi...
After applying the settings above, users lose direct access to the list and also to the website, but if they have the address of the list they can create a Flow in Power Automate to consume the data or create an App in Power Apps to consume that data too .
For security reasons they only have to interact with the application, which was shared with them by the owner's power apps.
Do you have a solution for this security problem?
Sorry for English.
Thanks in advance.
Daniel Christian has created a series of tutorials:
If you like this post, give a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users find it.
There is no way to implement what you are asking for. There are various workarounds that hide the list or change individual item level permissions, but Power Apps users must have rights to the SharePoint list to do actions in Power Apps. There is no way to use a SharePoint list in Power Apps and not give users permissions to the list.
I understand that it is necessary to assign permission to the list.
However, the security approach is that a user with this permission can create an application in Power Apps or Flow in Power Automate to consume this list.
Thinking about the security side, if the link in the list is discovered, it manages to change control fields created that it should not have access to.
The question is how to prevent a user from being given limited access to the list from failing to create a flow or application based on that list. He has access to the list only through the application created from Power Apps by the list administrator.
Note: I was able to block the site link and access the list, but when I type the site path directly in Power Automate or Power Apps flow I managed to get the list.
As I said, there is no way to let a user access a list through Power Apps and Power Automate without also giving them access to the list itself. There are ways to obfuscate the list to make it difficult for the user to access the list directly, but there is no way to prevent them from accessing the list directly and still let them use the list in Power Apps and Power Automate. The connectors are not designed to work that way.
Keep up to date with current events and community announcements in the Power Apps community.
A great place where you can stay up to date with community calls and interact with the speakers.
Check out the latest Community Blog from the community!