I'm building a marketing studio time request app that doesn't contain personal information but business sensitive information from the point of view that we don't want people to see other people's submissions due to the internal politics that might result from it.
I am setting up the PowerApp so that staff can submit their time requests and then can go back into the app and view/edit their own submissions only using a formula based on user. The data source is a SharePoint list. I understand that in order to add/edit from the PowerApp they need to have the relevant permissions for the list in SharePoint.
So the PowerApp will act as the front end for the submissions and the SharePoint list will act as the back end for the team processing the submissions.
I don't want people in the organisation to be able to access the SharePoint list and view other people's submissions/list items or have the ability to edit other people's submissions/list items.
I could hide the SharePoint list as much as I can by not having it on navigations etc and even create a default view that contains bare minimum info in case someone does navigate there but I feel it's still open to being discovered and information viewed. This is a worry for any future apps that I might create that contain personal data or business sensitive information.
Does anyone have any suggestions about the best way to control this and prevent people from accessing the SharePoint list that the PowerApp is connected to?
There is no way to prevent your users from accessing your SharePoint site but keep their access to the data in PowerApps. Your users must have the proper permission on the SharePoint list to make it work in PowerApps. You can hide the navigation bar of the list in your SharePoint site, but if your users get the link to the list, they will always be able to access the list.
In the List Advanced Settings, you have the Item Level Permission that allows users to "Create Items and Edit Items that were created by the user".
I haven't tried to combine this option with a PowerApps yet but you can give it a shot.
If you have confidential data, SQL would be better, but if you want to use a SharePoint list, you can consider customising the default form in the SharePoint list to be a PowerApp form as well, and just add one control on the form to tell the user that they shouldn't be here. Attached is what they then see when they try to access an item.
You can then also hide all the detail on the view and prevent users from creating customised views.
I have the same issue and have been playing around with modifying the SharePoint permission levels. From the testing I have done so far the below seems to work.
Would welcome any feedback or flaws spotted on this approach. Aim is to allow users to only add/edit items through the app, and prevent them getting in to the SharePoint (Team Site).
1) Modify the Read permissions level to only include site permission 'Open - Allows users to open a Web site, list, or folder in order to access items inside that container.'
2) Add users to the 'Site Visitors' group which gives Read permission to the site
3) Stop Inheriting Permissions on the concerned lists
4) Modify the 'Contribute' permissions level to only include:
Site Permissions - Open - Allows users to open a Web site, list, or folder in order to access items inside that container. & View Pages - View pages in a Web site.
List Permissions - View Items - View items in lists and documents in document libraries. & Edit Items - Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries. & Add Items - Add items to lists and add documents to document libraries.
5) For the concerned lists give the Visitors user group Contribute access to the list.
Anytime I have tested this with a user (both the SharePoint URL & List URL) they get the message stating they do not have access/request access.
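
The "Item Level Permission" setting mentioned in the replies above can be applied and checked from PowerShell instead of the list settings page. This is an added example, not code from any poster in the thread; it assumes the PnP.PowerShell module, and the site URL and list title are placeholders.

```powershell
# Added example. Requires the PnP.PowerShell module and rights to manage the list.
# $siteUrl and $listTitle are placeholders; newer PnP.PowerShell versions may also
# require -ClientId on Connect-PnPOnline.
$siteUrl   = 'https://contoso.sharepoint.com/sites/PLACEHOLDER'
$listTitle = 'Time Requests'   # hypothetical list name

Connect-PnPOnline -Url $siteUrl -Interactive

# Load the list together with the properties behind "Item-level Permissions"
$list = Get-PnPList -Identity $listTitle -Includes ReadSecurity, WriteSecurity
if (-not $list) { throw "List '$listTitle' not found on $siteUrl" }

# ReadSecurity : 1 = read all items, 2 = read only items the user created
# WriteSecurity: 1 = edit all items, 2 = edit only items the user created, 4 = none
$list.ReadSecurity  = 2
$list.WriteSecurity = 2
$list.Update()
Invoke-PnPQuery

# Read the values back from the server rather than trusting the local object
$check = Get-PnPList -Identity $listTitle `
    -Includes ReadSecurity, WriteSecurity, HasUniqueRoleAssignments

[pscustomobject]@{
    List                = $check.Title
    ReadSecurity        = $check.ReadSecurity
    WriteSecurity       = $check.WriteSecurity
    UniquePermissions   = $check.HasUniqueRoleAssignments
}

if ($check.ReadSecurity -ne 2 -or $check.WriteSecurity -ne 2) {
    throw "Item-level permissions were not applied to '$listTitle'"
}

# The last reply's approach relies on the list no longer inheriting from the site
if (-not $check.HasUniqueRoleAssignments) {
    Write-Warning "'$listTitle' still inherits permissions from the site"
}
```

Because the setting is enforced by SharePoint itself, it applies whether the list is reached through the app or through its URL. Users holding list-management permissions, such as site owners, still see every item.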