I'm building a marketing studio time request app that doesn't contain personal information but business sensitive information from the point of view that we don't want people to see other people's submissions due to the inernal politics that might result from it.
I am setting up the powerapp so that staff can submit their time requests and then can go back into the app and view/edit their own submissions only using a formula based on user. The data source is a SharePoint list. I understand that in order to add/edit from the PowerApp they need to have the relevant permissions for list in SharePoint.
So the PowerApp will act as the front end for the submissions and the SharePoint list will act as the back end for the team processing the submissions.
I don't want people in the organisation to be able to access the SharePoint list and view other people's submissions/list items or have the ability to edit other people's submissions/list items.
I could hide the SharePoint list as much as I can by not having it on navigations etc and even create a default view that contains bare minimum info in case someone does navigate there but I feel it's still open to being discovered and information viewed. This is a worry for any future apps that I might create that contain personal data or business sensitive information.
Does anyone have any suggestions about the best way to control this and prevent people from accessing the Sharepoint list that the PowerApp is connected to?
Thanks for this, it seems to be working well for me, have you had any issues since using this approach?
Have been looking for a way to secure the sharepoint lists in case anyone stumbles across them so thanks again
I have use the sharepoint list as a datasource to store the file attachments from powerapps.
I need to give the access for the users to download and upload the file attachments from powerapps only. but they should not access the sharepoint list URL.
I have tried your steps. but it wont works for me. do you any other solution??
Thanks in advance,
@Adam_116 : Thanks for the solution.
For point 5: "For the concerned lists give the Visitors user group Contribute access to the the list.", I don't see any option on Sharepoint to change the Permission level of Visitors group from Read to Contribute. Could you pls let me know how to do that?
This is awesome @Adam_116 , I've done some basic tests (single lines of text column data and uploading attachments) and it works well. I re-wrote your guide so I can use it later, just a bit more verbose, hope you don't mind...
Hiding SharePoint lists that are used as datasources in PowerApps.
Do you have a PowerApp that uses SharePoint lists as datasources, and you don't want the users of the PowerApp to be able to view the SharePoint site/lists?
This sets up the SharePoint site/lists so that the PowerApp users can't view the SharePoint site or lists, but they can still perform read/add/edit functions from within the PowerApp.
(You need to be an owner of the SharePoint site to do this, not just a member).
1) Modify the 'Read' permissions level for the site.
* this means any group or person with read access won't have access to anything (site, pages, libraries, lists ... everything)
2) Modify the 'Contribute' permissions level for the site.
* sets the Contribute permission level so that it allows reading/adding/editing list items
3) Stop inheriting permissions on the lists used by the PowerApp
* so we can set special permissions for the lists used by the PowerApp
4) For the concerned lists change the Visitors user group access from Read to Contribute access.
* sets up the Visitors user group to be the group we put the PowerApp users in. This group now has special access to the required list/s, but still only has read access to the rest of the site.
5) Add the PowerApp users to the 'Site Visitors' group
* these are the people who will have the ability to read/add/edit list items (from the PowerApp only!) but if they try and view the SharePoint site or list, they won't have access! Perfect!
So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members  groups) will have the same access they always had.
Looking for this solution and landed on this solution - thanks! One slight difference below:
Site owners - should be able to do anything they want (me and 3 others)
Product Mgmt - no direct edit of records in the SP list, only thru the PowerApp. BUT, this group must be able to view the list and export it to XLS
Other users - no direct edit of records in the SP list, only thru the PowerApp
What do I need to do differently to allow for this? I am very new to SP lists permissions, so apologies if this is a total newbie question, but newbie am I!
These tweaks work a treat in the SharePoint List and PowerApps, however how do you stop someone from accessing it all through Power BI/Excel?
I tired the same thing but users are still able to view and edit sharepoint list via browsing.
can you please give me more information? have you got any contact details ??