cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
AnnaBrodnicki
Advocate II
Advocate II

Prevent people from accessing SharePoint list that the PowerApp is connected to

I'm building a marketing studio time request app that doesn't contain personal information but business sensitive information from the point of view that we don't want people to see other people's submissions due to the inernal politics that might result from it.

 

I am setting up the powerapp so that staff can submit their time requests and then can go back into the app and view/edit their own submissions only using a formula based on user.  The data source is a SharePoint list.  I understand that in order to add/edit from the PowerApp they need to have the relevant permissions for list in SharePoint.  

 

So the PowerApp will act as the front end for the submissions and the SharePoint list will act as the back end for the team processing the submissions.

 

I don't want people in the organisation to be able to access the SharePoint list and view other people's submissions/list items or have the ability to edit other people's submissions/list items.

 

I could hide the SharePoint list as much as I can by not having it on navigations etc and even create a default view that contains bare minimum info in case someone does navigate there but I feel it's still open to being discovered and information viewed.  This is a worry for any future apps that I might create that contain personal data or business sensitive information.

 

Does anyone have any suggestions about the best way to control this and prevent people from accessing the Sharepoint list that the PowerApp is connected to? 

 

Thanks,

 

Anna

50 REPLIES 50


@stevegeall wrote:

Hiding SharePoint lists that are used as datasources in PowerApps.

 

Do you have a PowerApp that uses SharePoint lists as datasources, and you don't want the users of the PowerApp to be able to view the SharePoint site/lists?


This sets up the SharePoint site/lists so that the PowerApp users can't view the SharePoint site or lists, but they can still perform read/add/edit functions from within the PowerApp.

 

So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.


This sort of works if you believe in security by obscurity but in reality it doesn't work. If the users gain knowledge of the direct access link to the list they can see everything in it. Further you can just search on M365 / SharePoint search and find it. Yes the front door to the site is locked but you can just look through the side window and see everything. I would caution anyone from using this method and thinking it is actually secure. Unless I am really missing something. I added one user to the Visitors and followed all the instructions and that user could see everything in the List once they got to it.

stevegeall
Advocate III
Advocate III

You might not have the permissions quite right. I use this method often and the end users don't have access to the lists, but the edits to the lists from powerapps continues to work.

BrianHFASPS
Skilled Sharer
Skilled Sharer

Even if they enter the URL directly for the List? I don't mean they can go to site and click on it but they have the exact URL or search for it. I will double check the procedure again.

Hi Brian, were you able to validate if this works? I need to be able to restrict users' access via the powerapp as a front end and basically restrict their access via the powerapp form.

stevegeall
Advocate III
Advocate III

Oops I forgot to reply.

 

Brian had me double-guessing the solution so I went through and tested the access on a site where I have implemented this and can confirm it works as expected.

 

The end user has zero access to the sharepoint site and zero access to the list (attempting to browse to it directly using the url). But the user can make edits to the list via the powerapp that they have access to.

Hi @stevegeall 

 

Thanks for this! I've followed the exact same steps, but for some reason, a user only gets Access Denied if they are going to the site eg https://xyz.sharepoint.com/sites/TestSite. But if they tried to go direct to the list URL, eg https://xyx.sharepoint.com/sites/TestSite/TestList, they can see the entire list.

Is there something I missed, or am I doing something incorrectly? I created the Sharepoint site through Teams.

Thanks in advance for your help!

Probably something you've missed? Did you change the permissions on each list that you want hidden?

Don't think I missed anything as I followed the steps you detailed..

 

These are the un-inherited permissions. Assigned Contribute to the Visitors group

sp1.png

Members inside the Visitors Group

sp2.png

and the modified Contribute permissions configured under Site Permissions

 

sp3.png

Any suggestions? Thanks!

stevegeall
Advocate III
Advocate III

1) Modify the 'Read' permissions level for the site.

  • Cog - Site Permissions
  • Advanced Permission settings
  • Ribbon - Permission levels
  • Read
  • Uncheck EVERYTHING except...
    a) SITE PERMISSIONS: "Open - Allows users to open a Web site, list, or folder in order to access items inside that container."
    • NOTE: If performing this on a subsite, the Read permisison level also requires:
      • SITE PERMISSIONS: Browse User Information
      • SITE PERMISSIONS: Use Remote Interfaces
  • If you're applying this to a subsite, you may need to go to the parent site's Permission levels and add a new "Read" permission level (like SubSiteNameRead) that will be used on the subsite. Then once added, go to the subsite advanced Permissions and change the permission level for say "SubsiteName Visitors" from Read to SubSiteNameRead.

* this means any group or person with read access won't have access to anything (site, pages, libraries, lists ... everything)

 

2) Modify the 'Contribute' permissions level for the site.

  • Cog - Site Permissions
  • Advanced Permission settings
  • Ribbon - Permission levels
  • Contribute
  • Uncheck EVERYTHING except...
    a) LIST PERMISSIONS: "View Items - View items in lists and documents in document libraries."
    b) LIST PERMISSIONS: "Edit Items - Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries."
    c) LIST PERMISSIONS: "Add Items - Add items to lists and add documents to document libraries."
    * if users need to open attachments from list items, then the "Open Items" checkbox needs to be checked also
    d) SITE PERMISSIONS: "Open - Allows users to open a Web site, list, or folder in order to access items inside that container." (might have automatically been selected from the list selections)
    e) SITE PERMISSIONS: "View Pages - View pages in a Web site." (might have automatically been selected from the list selections)
  • If you're applying this to a subsite, you may need to go to the parent site's Permission levels and add a new "Contribute" permission level (like SubSiteNameContribute) that will be used on the subsite.

* sets the Contribute permission level so that it allows reading/adding/editing list items

 

3) Stop inheriting permissions on the lists used by the PowerApp

  • Go to list/s
  • Cog - List Settings
  • Permissions for this list
  • Ribbon - Stop Inheriting Permissions - OK

* so we can set special permissions for the lists used by the PowerApp

 

4) For the concerned lists change the Visitors user group access from Read to Contribute access.

  • Go to list/s
  • Cog - List Settings
  • Permissions for this list
  • SiteName Visitors - check the checkbox
  • Ribbon - Edit User Permissions
  • Uncheck Read (or SubSiteName Read)
  • Check Contribute (or SubSiteName Contribute)

* sets up the Visitors user group to be the group we put the PowerApp users in. This group now has special access to the required list/s, but still only has read access to the rest of the site.

 

5) Add the PowerApp users to the 'Site Visitors' group

  • Cog - Site Permissions
  • Advanced Permission settings
  • SiteName Visitors
  • Add people / group

* these are the people who will have the ability to read/add/edit list items (from the PowerApp only!) but if they try and view the SharePoint site or list, they won't have access! Perfect!

 

note: After stopping the inheritance of permissions on a particular list, and setting the custom permissions level, you may also see a greyed out "Limited Access" permission level. This isn't correct. It can be rectified by going back to the site or subsite top level and removing the "SiteName Visitors" User Permissions (select checkbox, Remove User Permissions from the ribbon). Then adding it back in via Grant Permissions, searching for SiteName Visitors and selecting the newly created custom SiteNameRead Permission Level. Now you have to go through the lists that you set unique permissions on and also do the same, granting the "SiteName Visitors" permission level, and choosing the SiteNameContribute Permission Level (because this is the permission on the list where we want the PowerApp users to be able to add/edit items via PowerApp). I've only seen this happen once, it might've just been SharePoint getting its knickers in a twist.
 

So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.

Thanks...let me give it a shot and update here again once I'm done 🙂

Helpful resources

Announcements

Summer of Solutions | Week 3 Results | Win free tickets to the Power Platform Conference

We are excited to announce the Summer of Solutions Challenge!   This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions in the Forums to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Community MembersNumber of SolutionsSuper UsersNumber of Solutions @anandm08  23 @WarrenBelz  31 @DBO_DV  10 @Amik  19 AmínAA 6 @mmbr1606  12 @rzuber  4 @happyume  7 @Giraldoj  3@ANB 6 (tie)   @SpongYe  6 (tie)     Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Community MembersSolutionsSuper UsersSolutions @anandm08  10@WarrenBelz 25 @DBO_DV  6@mmbr1606 14 @AmínAA 4 @Amik  12 @royg  3 @ANB  10 @AllanDeCastro  2 @SunilPashikanti  5 @Michaelfp  2 @FLMike  5 @eduardo_izzo  2   Meekou 2   @rzuber  2   @Velegandla  2     @PowerPlatform-P  2   @Micaiah  2     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Week 3:Community MembersSolutionsSuper UsersSolutionsPower Apps anandm0861WarrenBelz86DBO_DV25Amik66Michaelfp13mmbr160647Giraldoj13FLMike31AmínAA13SpongYe27  

Copilot Cookbook Challenge | WINNERS ANNOUNCED | Win Tickets to the Power Platform Conference

We are excited to announce the "The Copilot Cookbook Community Challenge random winners have been selected for the Challenge.  Thank you to everyone who participated in this challenge.    Copilot Cookbook Gallery:Power Apps Cookbook Gallery: 1. @swaminawale  1. @renatoromao     2.  @SpongYe  2.   @nickpotts10  *Please note if for any reason a winner declines, we will have another random drawing.   Check out all of the Cookbook Submissions: 1. Copilot Studio Cookbook Gallery: https://aka.ms/CS_Copilot_Cookbook_Challenge 2. Power Apps Copilot Cookbook Gallery: https://aka.ms/PA_Copilot_Cookbook_Challenge   There will be 5 chances to qualify for the final drawing: Early Bird Entries: March 1 - June 2Week 1: June 3 - June 9Week 2: June 10 - June 16Week 3: June 17 - June 23Week 4: June 24 - June 30WINNERS ANNOUNCED - JULY 8th     At the end of each week, we will draw 5 random names from every user who has posted a qualifying Copilot Studio template, sample or demo in the Copilot Studio Cookbook or a qualifying Power Apps Copilot sample or demo in the Power Apps Copilot Cookbook. Users who are not drawn in a given week will be added to the pool for the next week. Users can qualify more than once, but no more than once per week. Four winners will be drawn at random from the total qualifying entrants. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once. If they are drawn multiple times, another user will be drawn at random. Prizes:  One Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value, does not include travel, lodging, or any other expenses) Winners are also eligible to do a 10-minute presentation of their demo or solution in a community solutions showcase at the event. To qualify for the drawing, templates, samples or demos must be related to Copilot Studio or a Copilot feature of Power Apps, Power Automate, or Power Pages, and must demonstrate or solve a complete unique and useful business or technical problem. Power Automate and Power Pagers posts should be added to the Power Apps Cookbook. Final determination of qualifying entries is at the sole discretion of Microsoft. Weekly updates and the Final random winners will be posted in the News & Announcements section in the communities on July 29th, 2024. Did you submit entries early?  Early Bird Entries March 1 - June 2:  If you posted something in the "early bird" time frame complete this form: https://aka.ms/Copilot_Challenge_EarlyBirds if you would like to be entered in the challenge. Early Bird Submissions: @renato Week 1 Results:  Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Copilot Cookbook Gallery:Power Apps Cookbook Gallery:1.  @Mathieu_Paris 1.   @SpongYe 2.  n/a2.   @Deenuji 3.  n/a3.   @Nived_Nambiar  4.  n/a4.   @ManishSolanki 5.  n/a5.    n/a   Week 2 Results:  Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Copilot Cookbook Gallery:Power Apps Cookbook Gallery:1. Kasun_Pathirana1. ManishSolanki2. cloudatica2. madlad3. n/a3. SpongYe4. n/a4. n/a5. n/a5. n/a     Week 3 Results:  Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Copilot Cookbook Gallery:Power Apps Cookbook Gallery:1. Parul_Yadav_Neo1. n/a2. SpongYe2. n/a3. n/a3. n/a4. n/a4. n/a5. n/a5. n/a   Week 4 Results:  Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Copilot Cookbook Gallery:Power Apps Cookbook Gallery:1. @nickpotts10  1. @ShrushtiShah  2. @Suniti_0020 2. @swaminawale 3. n/a3. @farukhis786 4. n/a4. @ManishSolanki  5. n/a5.  n/a

Important Update for Community Platform Access | READ ONLY July 16-22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Tuesday Tip | How to Become a Community Blog Author

It's time for another TUESDAY TIPS, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community.   This Week's Topic: How to Become a Community Blog Author We want YOU to be part of the community blog! Sharing your knowledge of Power Platform is an essential part of our community! Here's why:   It helps create a vibrant and dynamic community of makers who can learn from each other’s experiences and insights.It provides a platform for collaboration and innovation, where members can share their ideas and work together to develop new solutions.It helps promote Power Platform by showcasing its capabilities and real-world applications.It helps build trust and credibility in the community because you are providing valuable information and resources your fellow community members can use to improve their skills and knowledge. By sharing your knowledge of Power Platform in the community blog, you help us create a more engaged and informed community, better equipped to tackle complex challenges. To get started with blogging across the Power Platform communities, please visit the following links:   Power Apps: https://powerusers.microsoft.com/t5/Power-Apps-Community-Blog/bg-p/PowerAppsBlog Power Automate: https://powerusers.microsoft.com/t5/Power-Automate-Community-Blog/bg-p/MPABlog Copilot Studios: https://powerusers.microsoft.com/t5/Power-Virtual-Agents-Community/bg-p/PVACommunityBlogPower Pages: https://powerusers.microsoft.com/t5/Power-Pages-Community-Blog/bg-p/mpp_blog   When you follow the link, look for a button like the one below on the right rail of your community blog, and let us know you're interested. We can't wait to connect with you and help you get started. Thanks for being part of our incredible community--and thanks for becoming part of the community blog!  

June 2024 Community Newsletter

It's time for the June Community Newsletter, where we highlight the latest news, product releases, upcoming events, and the amazing work of our outstanding Community members.   If you're new to the Community, please make sure to follow the latest News & Announcements and check out the Community on LinkedIn as well! It's the best way to stay up-to-date with all the news from across Microsoft Power Platform and beyond.    COMMUNITY HIGHLIGHTS   Check out the most active community members of the last month! These hardworking members are posting regularly, answering questions, kudos, and providing top solutions in their communities. We are so thankful for each of you--keep up the great work! If you hope to see your name here next month, follow these awesome community members to see what they do!   Power AppsPower AutomateCopilot StudioPower PagesWarrenBelzcreativeopinionExpiscornovus Fubar AmikNived_NambiarPstork1OliverRodriguesmmbr1606ManishSolankifernandosilvaragavanrajanBCBuizerExpiscornovusrenatoromaoLucas001timlAlexEncodianViswavEmadBeshaiDBO_DVDeenujiUmiantaChrist0fGochixVishnuReddy1997citron-trucmandelaVishalJhaverieetuRoboJohanTprathyooanandm08VictorIvanidzenicoxrfm1964shashankbhidepaulbeck1 rpaa   LATEST NEWS Summer of Solutions 2024 The Summer of Solutions challenge kicked off this month - an amazing Microsoft Community initiative to win free tickets to the Power Platform Community Conferencethis September in Las Vegas. The challenge is NOW OPEN to all #PowerPlatform community members and will consist of four weekly entry periods until July 14th, 2024. Click the image below to find out more on how you can win free tickets to #PPCC24 by entering the Summer of Solutions TODAY!   Microsoft Customer Stories We're constantly working with an array of great businesses across the globe to assist them in taking advantage of the latest business applications technology. If you'd like to find out more about their low code journeys, click the image below to view our playlist of Customer Stories to discover how Accenture, Lumen Technologies, Cineplex, and many more, are streamlining their business processes with Microsoft Power Platform.     Microsoft Leap Program Have you heard of Microsoft Leap - a global program designed to recruit, develop, and upskill unconventional talent for careers in the tech space. Microsoft Leap organizes a number of pathways into the industry, including the recent "NFL Legend Cohort - Technical Program Management" run jointly with the NFL Player Care Foundation (PCF) who are dedicated to helping retired players improve their quality of life. Click the image below to find out more about the great day shared at the Redmond campus and be sure to visit the Microsoft Leap website to discover how this amazing initiative is helping re-launch the lives of countless individuals. www.leap.microsoft.com       UPCOMING EVENTS Biz Apps Partner Summit | Seattle | July 24-25 It's not long now until the Biz Apps Partner Summit, which takes place at the Hilton Bellevue in Seattle on July 24-25, 2024. This event is the perfect place to network, connect, and learn how to scale your Microsoft practice, drive profitable revenue, and dazzle your customers! There's a great selection of speakers, including the likes of Tom Patterson, Donald Kossmann Joseph Corigliano, Cecilia Flombaum, Peter Jensen, John Siefert, Becky Lymberis, Daniel Rippey, and many more. Click the image below to find out more and register today!     TechCon365 & Power Platform Conference | D.C. | August 12-16 Things are hotting up for the next TechCon365 & PWRCON Conference in Washington D.C. on August 12-16, 2024. Featuring the likes of Tamara Bredemus, Sunny Eltepu, Lindsay Shelton, Brian Alderman, Daniel Glenn, Julie Turner, Jim Novak, John White, Jason Himmelstein, Luc Labelle, Emily Mancini, MVP, UXMC, Fabian Williams, Emma Wiehe,and many more, this is the perfect event for those that are looking to gain invaluable insights from industry experts. Click the image below to grab your tickets today!     Power Platform Community Conference | Vegas | Sept. 18-20th Are you ready to come and join the fun in Las Vegas this September at PPCC24? This event is the perfect place to connect with fellow business applications enthusiasts and share your knowledge with the worldwide Microsoft Community. Now's your chance to hold all the aces. Just click the image below to find out more and we hope to see you go ALL-IN this September in Las Vegas!     For more events, click the image below to visit the Community Days website.  

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Top Solution Authors
Top Kudoed Authors
Users online (5,737)