cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
AnnaBrodnicki
Advocate I
Advocate I

Prevent people from accessing SharePoint list that the PowerApp is connected to

I'm building a marketing studio time request app that doesn't contain personal information but business sensitive information from the point of view that we don't want people to see other people's submissions due to the inernal politics that might result from it.

 

I am setting up the powerapp so that staff can submit their time requests and then can go back into the app and view/edit their own submissions only using a formula based on user.  The data source is a SharePoint list.  I understand that in order to add/edit from the PowerApp they need to have the relevant permissions for list in SharePoint.  

 

So the PowerApp will act as the front end for the submissions and the SharePoint list will act as the back end for the team processing the submissions.

 

I don't want people in the organisation to be able to access the SharePoint list and view other people's submissions/list items or have the ability to edit other people's submissions/list items.

 

I could hide the SharePoint list as much as I can by not having it on navigations etc and even create a default view that contains bare minimum info in case someone does navigate there but I feel it's still open to being discovered and information viewed.  This is a worry for any future apps that I might create that contain personal data or business sensitive information.

 

Does anyone have any suggestions about the best way to control this and prevent people from accessing the Sharepoint list that the PowerApp is connected to? 

 

Thanks,

 

Anna

40 REPLIES 40

Hi @stevegeall , it's working now. I think my original sharepoint site must've had all sorts of other permissions to lists and documents. I decided not to trace through and just created a brand new site and some new lists. Used the exact same steps and the access control to site and lists work fine now. Thanks very much for your help!

@stevegeall do you know if it prevents users from creating PowerBI reports of the list when you set things up this way?

NickiPT
Helper I
Helper I

I had trouble getting this to work properly on my existing site that had a couple other projects on it but based on another commenter’s suggestion I created a new site with the permissions levels as described... Then I created a simple test list and then created a PowerApp from that. It worked!

 

Next I added a data connection to another list and created a drop down that pulled values from it. I ended up giving that list the same special Contribute permissions in order for my tester to be able to see the values (the special Read permissions weren’t sufficient).

 

Then I added connectors for Office 365 Outlook and Office 365 Users; I didn’t actually use those in any formulas but the connectors were there and my tester didn’t have any issues. 

 

So as long as I don’t share the URL of the list then no one would know what to create a PowerBI report from! Seems like this could be our solution that allows us to hide data without having to resort to item-level permissions within the list!!

Anonymous
Not applicable

Hello @stevegeall  & @Adam_116 ,

 

Firstly thanks to both of you for the best solution , for power apps users with these custom permissions on sharepoint lists.

 

So, have tried this with my sharepoint list & site too , it's working as expected , users not able to see the list, but as we have unchecked few features for both READ & CONTRIBUTE permissions & allowed only few, will this anytime effect in future the working of sharepoint lists or in power apps if we use few fields from sharepoint lists, will there be any issues ahead ?

 

Also as you mentioned about "After stopping the inheritance of permissions on a particular list, and setting the custom permissions level, you may also see a greyed out "Limited Access" permission level. This isn't correct". So even I have seen this on too in lists , sites , so even I didn't see any harm not touching this of limited access as it's by default. So what you say ? will it be better to do the process you mentioned by removing & adding again or is it fine keeping it in the same way?

 

Kindly look into this it would be really helpful & most needed answer please. Thanks in advance.

Anonymous
Not applicable

Hi @stevegeall & @Adam_116 , Awaiting for your response. Kindly anyone among you reply to this please.

R58395
Helper III
Helper III

This would be the most ideal solution (@Microsoft - please implement this)

 

Instead of the typical Read, Contribute permissions we would normally assign people on the SP List, if custom permissions can be made called

 

Read (through PowerApps)

Contribute (through PowerApps)

 

which are just like the regular versions, but it means the access only works from a PowerApps interface. If the user tries to access the data from a SP List interface directly or REST API for example, then it's as if they have no permission at all.

 

This also solves the auditing problem since when they make changes to items from powerapps, their current user account will be tracked not some generic service account.

CCLam
Frequent Visitor

Hi everyone,

 

I implemented the solution by Adam_116 and stevegeall by following the steps exactly.

However my user who is placed in the Site Visitors group is still unable to see anything in the gallery in Power Apps which is supposed to contain the items from the concerned list.

 

My user got this error message:
You don't have permission to view this data. Server Response: <ListName> failed: Something went wrong

 

Did anyone encounter this issue? Not exactly sure what went wrong. I have checked the settings and confirmed I have followed exactly all the steps that are given in this solution.

 

Another thing I noticed is that the site still only contains 1 member (myself), when I have already added my user into the "Site visitors" group.

1member.jpg

If I go into the Cog > Site Permissions, you can see "Site visitors" group contains my user with Read access.

permissions.jpg

Have I missed out anything here?

Should the member count in my first picture be 2 instead of just 1? Is that why my user is still unable to see anything in the gallery of the concerned list in Power Apps?

 

Appreciate if anyone could help with this issue. Thank you!

 

EP3
Frequent Visitor

That looks smart, but I'd ask, what prevents someone within the organisation from making their own PowerApp to access this data? From what I can see there isn't anything restricting the user from gaining full access through any and eveery powerApp, and you can't prevent people from making their own, or even if you could (Mayme I missed that) you may not want to...

Easy, if Microsoft makes a new permission solution to only allow powerapps access, then they can add a feature for "allowed powerapps", where the admins can put in a list of powerapps either by selecting it from a picker or by ID.

anon23u9412
Frequent Visitor

Hi All,

 

Could you use Power Automate to set the permissions of new items to get around this issue?

 

See here:

 

https://steveknutson.blog/2021/12/10/setting-sharepoint-permissions-with-power-automate/

Helpful resources

Announcements
Microsoft 365 Conference – December 6-8, 2022

Microsoft 365 Conference – December 6-8, 2022

Join us in Las Vegas to experience community, incredible learning opportunities, and connections that will help grow skills, know-how, and more.

Difinity Conference 2022

Difinity Conference 2022

Register today for two amazing days of learning, featuring intensive learning sessions across multiple tracks, led by engaging and dynamic experts.

European SharePoint Conference

European SharePoint Conference

The European SharePoint Conference returns live and in-person November 28-December 1 with 4 Microsoft Keynotes, 9 Tutorials, and 120 Sessions.

Power Apps Ideas

Check out the New Ideas Site

We are excited to announce a new way to share your ideas for Power Apps!

Top Solution Authors
Top Kudoed Authors
Users online (5,240)