I'm building a marketing studio time request app that doesn't contain personal information but business sensitive information from the point of view that we don't want people to see other people's submissions due to the inernal politics that might result from it.
I am setting up the powerapp so that staff can submit their time requests and then can go back into the app and view/edit their own submissions only using a formula based on user. The data source is a SharePoint list. I understand that in order to add/edit from the PowerApp they need to have the relevant permissions for list in SharePoint.
So the PowerApp will act as the front end for the submissions and the SharePoint list will act as the back end for the team processing the submissions.
I don't want people in the organisation to be able to access the SharePoint list and view other people's submissions/list items or have the ability to edit other people's submissions/list items.
I could hide the SharePoint list as much as I can by not having it on navigations etc and even create a default view that contains bare minimum info in case someone does navigate there but I feel it's still open to being discovered and information viewed. This is a worry for any future apps that I might create that contain personal data or business sensitive information.
Does anyone have any suggestions about the best way to control this and prevent people from accessing the Sharepoint list that the PowerApp is connected to?
Thanks,
Anna
@stevegeall wrote:Hiding SharePoint lists that are used as datasources in PowerApps.
Do you have a PowerApp that uses SharePoint lists as datasources, and you don't want the users of the PowerApp to be able to view the SharePoint site/lists?
This sets up the SharePoint site/lists so that the PowerApp users can't view the SharePoint site or lists, but they can still perform read/add/edit functions from within the PowerApp.
So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.
This sort of works if you believe in security by obscurity but in reality it doesn't work. If the users gain knowledge of the direct access link to the list they can see everything in it. Further you can just search on M365 / SharePoint search and find it. Yes the front door to the site is locked but you can just look through the side window and see everything. I would caution anyone from using this method and thinking it is actually secure. Unless I am really missing something. I added one user to the Visitors and followed all the instructions and that user could see everything in the List once they got to it.
You might not have the permissions quite right. I use this method often and the end users don't have access to the lists, but the edits to the lists from powerapps continues to work.
Even if they enter the URL directly for the List? I don't mean they can go to site and click on it but they have the exact URL or search for it. I will double check the procedure again.
Hi Brian, were you able to validate if this works? I need to be able to restrict users' access via the powerapp as a front end and basically restrict their access via the powerapp form.
Oops I forgot to reply.
Brian had me double-guessing the solution so I went through and tested the access on a site where I have implemented this and can confirm it works as expected.
The end user has zero access to the sharepoint site and zero access to the list (attempting to browse to it directly using the url). But the user can make edits to the list via the powerapp that they have access to.
Hi @stevegeall
Thanks for this! I've followed the exact same steps, but for some reason, a user only gets Access Denied if they are going to the site eg https://xyz.sharepoint.com/sites/TestSite. But if they tried to go direct to the list URL, eg https://xyx.sharepoint.com/sites/TestSite/TestList, they can see the entire list.
Is there something I missed, or am I doing something incorrectly? I created the Sharepoint site through Teams.
Thanks in advance for your help!
Probably something you've missed? Did you change the permissions on each list that you want hidden?
Don't think I missed anything as I followed the steps you detailed..
These are the un-inherited permissions. Assigned Contribute to the Visitors group
Members inside the Visitors Group
and the modified Contribute permissions configured under Site Permissions
Any suggestions? Thanks!
1) Modify the 'Read' permissions level for the site.
* this means any group or person with read access won't have access to anything (site, pages, libraries, lists ... everything)
2) Modify the 'Contribute' permissions level for the site.
* sets the Contribute permission level so that it allows reading/adding/editing list items
3) Stop inheriting permissions on the lists used by the PowerApp
* so we can set special permissions for the lists used by the PowerApp
4) For the concerned lists change the Visitors user group access from Read to Contribute access.
* sets up the Visitors user group to be the group we put the PowerApp users in. This group now has special access to the required list/s, but still only has read access to the rest of the site.
5) Add the PowerApp users to the 'Site Visitors' group
* these are the people who will have the ability to read/add/edit list items (from the PowerApp only!) but if they try and view the SharePoint site or list, they won't have access! Perfect!
So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.
Thanks...let me give it a shot and update here again once I'm done 🙂