cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
AnnaBrodnicki
Advocate I
Advocate I

Prevent people from accessing SharePoint list that the PowerApp is connected to

‎09-12-2018 01:22 AM

I'm building a marketing studio time request app that doesn't contain personal information but business sensitive information from the point of view that we don't want people to see other people's submissions due to the inernal politics that might result from it.

 

I am setting up the powerapp so that staff can submit their time requests and then can go back into the app and view/edit their own submissions only using a formula based on user.  The data source is a SharePoint list.  I understand that in order to add/edit from the PowerApp they need to have the relevant permissions for list in SharePoint.  

 

So the PowerApp will act as the front end for the submissions and the SharePoint list will act as the back end for the team processing the submissions.

 

I don't want people in the organisation to be able to access the SharePoint list and view other people's submissions/list items or have the ability to edit other people's submissions/list items.

 

I could hide the SharePoint list as much as I can by not having it on navigations etc and even create a default view that contains bare minimum info in case someone does navigate there but I feel it's still open to being discovered and information viewed.  This is a worry for any future apps that I might create that contain personal data or business sensitive information.

 

Does anyone have any suggestions about the best way to control this and prevent people from accessing the Sharepoint list that the PowerApp is connected to? 

 

Thanks,

 

Anna

Message 1 of 37
24,025 Views
36 REPLIES 36
BrianHFASPS
Continued Contributor
Continued Contributor
In response to stevegeall

‎03-04-2021 03:20 PM
@stevegeall wrote:

Hiding SharePoint lists that are used as datasources in PowerApps.

 

Do you have a PowerApp that uses SharePoint lists as datasources, and you don't want the users of the PowerApp to be able to view the SharePoint site/lists?


This sets up the SharePoint site/lists so that the PowerApp users can't view the SharePoint site or lists, but they can still perform read/add/edit functions from within the PowerApp.

 

So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.

This sort of works if you believe in security by obscurity but in reality it doesn't work. If the users gain knowledge of the direct access link to the list they can see everything in it. Further you can just search on M365 / SharePoint search and find it. Yes the front door to the site is locked but you can just look through the side window and see everything. I would caution anyone from using this method and thinking it is actually secure. Unless I am really missing something. I added one user to the Visitors and followed all the instructions and that user could see everything in the List once they got to it.

Message 21 of 37
1,716 Views
0 Kudos
stevegeall
Advocate II
Advocate II

‎03-04-2021 04:03 PM

You might not have the permissions quite right. I use this method often and the end users don't have access to the lists, but the edits to the lists from powerapps continues to work.

Message 22 of 37
1,702 Views
0 Kudos
BrianHFASPS
Continued Contributor
Continued Contributor

‎03-04-2021 04:05 PM

Even if they enter the URL directly for the List? I don't mean they can go to site and click on it but they have the exact URL or search for it. I will double check the procedure again.

Message 23 of 37
1,700 Views
0 Kudos
kbelcher83
New Member
In response to BrianHFASPS

‎03-13-2021 06:43 AM

Hi Brian, were you able to validate if this works? I need to be able to restrict users' access via the powerapp as a front end and basically restrict their access via the powerapp form.

Message 24 of 37
1,661 Views
0 Kudos
stevegeall
Advocate II
Advocate II

‎03-13-2021 10:50 AM

Oops I forgot to reply.

 

Brian had me double-guessing the solution so I went through and tested the access on a site where I have implemented this and can confirm it works as expected.

 

The end user has zero access to the sharepoint site and zero access to the list (attempting to browse to it directly using the url). But the user can make edits to the list via the powerapp that they have access to.

Message 25 of 37
1,654 Views
0 Kudos
knoxknnocks
Helper I
Helper I
In response to stevegeall

‎04-19-2021 07:32 PM

Hi @stevegeall 

 

Thanks for this! I've followed the exact same steps, but for some reason, a user only gets Access Denied if they are going to the site eg https://xyz.sharepoint.com/sites/TestSite. But if they tried to go direct to the list URL, eg https://xyx.sharepoint.com/sites/TestSite/TestList, they can see the entire list.

Is there something I missed, or am I doing something incorrectly? I created the Sharepoint site through Teams.

Thanks in advance for your help!

Message 26 of 37
1,561 Views
0 Kudos
stevegeall
Advocate II
Advocate II
In response to knoxknnocks

‎04-19-2021 07:37 PM

Probably something you've missed? Did you change the permissions on each list that you want hidden?

Message 27 of 37
1,563 Views
0 Kudos
knoxknnocks
Helper I
Helper I
In response to stevegeall

‎04-19-2021 08:28 PM

Don't think I missed anything as I followed the steps you detailed..

 

These are the un-inherited permissions. Assigned Contribute to the Visitors group

sp1.png

Members inside the Visitors Group

sp2.png

and the modified Contribute permissions configured under Site Permissions

 

sp3.png

Any suggestions? Thanks!

Message 28 of 37
1,559 Views
0 Kudos
stevegeall
Advocate II
Advocate II

‎04-19-2021 08:37 PM

1) Modify the 'Read' permissions level for the site.

  • Cog - Site Permissions
  • Advanced Permission settings
  • Ribbon - Permission levels
  • Read
  • Uncheck EVERYTHING except...
    a) SITE PERMISSIONS: "Open - Allows users to open a Web site, list, or folder in order to access items inside that container."
    • NOTE: If performing this on a subsite, the Read permisison level also requires:
      • SITE PERMISSIONS: Browse User Information
      • SITE PERMISSIONS: Use Remote Interfaces
  • If you're applying this to a subsite, you may need to go to the parent site's Permission levels and add a new "Read" permission level (like SubSiteNameRead) that will be used on the subsite. Then once added, go to the subsite advanced Permissions and change the permission level for say "SubsiteName Visitors" from Read to SubSiteNameRead.

* this means any group or person with read access won't have access to anything (site, pages, libraries, lists ... everything)

 

2) Modify the 'Contribute' permissions level for the site.

  • Cog - Site Permissions
  • Advanced Permission settings
  • Ribbon - Permission levels
  • Contribute
  • Uncheck EVERYTHING except...
    a) LIST PERMISSIONS: "View Items - View items in lists and documents in document libraries."
    b) LIST PERMISSIONS: "Edit Items - Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries."
    c) LIST PERMISSIONS: "Add Items - Add items to lists and add documents to document libraries."
    * if users need to open attachments from list items, then the "Open Items" checkbox needs to be checked also
    d) SITE PERMISSIONS: "Open - Allows users to open a Web site, list, or folder in order to access items inside that container." (might have automatically been selected from the list selections)
    e) SITE PERMISSIONS: "View Pages - View pages in a Web site." (might have automatically been selected from the list selections)
  • If you're applying this to a subsite, you may need to go to the parent site's Permission levels and add a new "Contribute" permission level (like SubSiteNameContribute) that will be used on the subsite.

* sets the Contribute permission level so that it allows reading/adding/editing list items

 

3) Stop inheriting permissions on the lists used by the PowerApp

  • Go to list/s
  • Cog - List Settings
  • Permissions for this list
  • Ribbon - Stop Inheriting Permissions - OK

* so we can set special permissions for the lists used by the PowerApp

 

4) For the concerned lists change the Visitors user group access from Read to Contribute access.

  • Go to list/s
  • Cog - List Settings
  • Permissions for this list
  • SiteName Visitors - check the checkbox
  • Ribbon - Edit User Permissions
  • Uncheck Read (or SubSiteName Read)
  • Check Contribute (or SubSiteName Contribute)

* sets up the Visitors user group to be the group we put the PowerApp users in. This group now has special access to the required list/s, but still only has read access to the rest of the site.

 

5) Add the PowerApp users to the 'Site Visitors' group

  • Cog - Site Permissions
  • Advanced Permission settings
  • SiteName Visitors
  • Add people / group

* these are the people who will have the ability to read/add/edit list items (from the PowerApp only!) but if they try and view the SharePoint site or list, they won't have access! Perfect!

 

note: After stopping the inheritance of permissions on a particular list, and setting the custom permissions level, you may also see a greyed out "Limited Access" permission level. This isn't correct. It can be rectified by going back to the site or subsite top level and removing the "SiteName Visitors" User Permissions (select checkbox, Remove User Permissions from the ribbon). Then adding it back in via Grant Permissions, searching for SiteName Visitors and selecting the newly created custom SiteNameRead Permission Level. Now you have to go through the lists that you set unique permissions on and also do the same, granting the "SiteName Visitors" permission level, and choosing the SiteNameContribute Permission Level (because this is the permission on the list where we want the PowerApp users to be able to add/edit items via PowerApp). I've only seen this happen once, it might've just been SharePoint getting its knickers in a twist.
 

So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.

Message 29 of 37
1,558 Views
knoxknnocks
Helper I
Helper I
In response to stevegeall

‎04-19-2021 08:41 PM

Thanks...let me give it a shot and update here again once I'm done 🙂

Message 30 of 37
1,557 Views
0 Kudos

Helpful resources

Announcements
Power Platform Call June 2022 768x460.png

Power Platform Community Call

Join us for the next call on August 17, 2022 at 8am PDT.

Power Platform Conf 2022 768x460.jpg

Join us for Microsoft Power Platform Conference

The first Microsoft-sponsored Power Platform Conference is coming in September. 100+ speakers, 150+ sessions, and what's new and next for Power Platform.

View All
Users online (1,618)