AnnaBrodnicki
Advocate I

Prevent people from accessing SharePoint list that the PowerApp is connected to

I'm building a marketing studio time request app that doesn't contain personal information but business sensitive information from the point of view that we don't want people to see other people's submissions due to the internal politics that might result from it.

 

I am setting up the powerapp so that staff can submit their time requests and then can go back into the app and view/edit their own submissions only using a formula based on user.  The data source is a SharePoint list.  I understand that in order to add/edit from the PowerApp they need to have the relevant permissions for list in SharePoint.  

 

So the PowerApp will act as the front end for the submissions and the SharePoint list will act as the back end for the team processing the submissions.

 

I don't want people in the organisation to be able to access the SharePoint list and view other people's submissions/list items or have the ability to edit other people's submissions/list items.

 

I could hide the SharePoint list as much as I can by not having it on navigations etc and even create a default view that contains bare minimum info in case someone does navigate there but I feel it's still open to being discovered and information viewed.  This is a worry for any future apps that I might create that contain personal data or business sensitive information.

 

Does anyone have any suggestions about the best way to control this and prevent people from accessing the SharePoint list that the PowerApp is connected to?

 

Thanks,

 

Anna

35 REPLIES


@stevegeall wrote:

Hiding SharePoint lists that are used as datasources in PowerApps.

 

Do you have a PowerApp that uses SharePoint lists as datasources, and you don't want the users of the PowerApp to be able to view the SharePoint site/lists?


This sets up the SharePoint site/lists so that the PowerApp users can't view the SharePoint site or lists, but they can still perform read/add/edit functions from within the PowerApp.

 

So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we use as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.


This sort of works if you believe in security by obscurity but in reality it doesn't work. If the users gain knowledge of the direct access link to the list they can see everything in it. Further you can just search on M365 / SharePoint search and find it. Yes the front door to the site is locked but you can just look through the side window and see everything. I would caution anyone from using this method and thinking it is actually secure. Unless I am really missing something. I added one user to the Visitors and followed all the instructions and that user could see everything in the List once they got to it.

stevegeall
Advocate II

You might not have the permissions quite right. I use this method often and the end users don't have access to the lists, but the edits to the lists from powerapps continues to work.

BrianHFASPS
Responsive Resident

Even if they enter the URL directly for the List? I don't mean they can go to site and click on it but they have the exact URL or search for it. I will double check the procedure again.

Hi Brian, were you able to validate if this works? I need to be able to restrict users' access via the powerapp as a front end and basically restrict their access via the powerapp form.

stevegeall
Advocate II

Oops I forgot to reply.

 

Brian had me double-guessing the solution so I went through and tested the access on a site where I have implemented this and can confirm it works as expected.

 

The end user has zero access to the sharepoint site and zero access to the list (attempting to browse to it directly using the url). But the user can make edits to the list via the powerapp that they have access to.

Hi @stevegeall 

 

Thanks for this! I've followed the exact same steps, but for some reason, a user only gets Access Denied if they are going to the site eg https://xyz.sharepoint.com/sites/TestSite. But if they tried to go direct to the list URL, eg https://xyx.sharepoint.com/sites/TestSite/TestList, they can see the entire list.

Is there something I missed, or am I doing something incorrectly? I created the Sharepoint site through Teams.

Thanks in advance for your help!

Probably something you've missed? Did you change the permissions on each list that you want hidden?

Don't think I missed anything as I followed the steps you detailed..

 

These are the un-inherited permissions. Assigned Contribute to the Visitors group

sp1.png

Members inside the Visitors Group

sp2.png

and the modified Contribute permissions configured under Site Permissions

 

sp3.png

Any suggestions? Thanks!

stevegeall
Advocate II

1) Modify the 'Read' permissions level for the site.

  • Cog - Site Permissions
  • Advanced Permission settings
  • Ribbon - Permission levels
  • Read
  • Uncheck EVERYTHING except...
    a) SITE PERMISSIONS: "Open - Allows users to open a Web site, list, or folder in order to access items inside that container."
    • NOTE: If performing this on a subsite, the Read permission level also requires:
      • SITE PERMISSIONS: Browse User Information
      • SITE PERMISSIONS: Use Remote Interfaces
  • If you're applying this to a subsite, you may need to go to the parent site's Permission levels and add a new "Read" permission level (like SubSiteNameRead) that will be used on the subsite. Then once added, go to the subsite advanced Permissions and change the permission level for say "SubsiteName Visitors" from Read to SubSiteNameRead.

* this means any group or person with read access won't have access to anything (site, pages, libraries, lists ... everything)

 

2) Modify the 'Contribute' permissions level for the site.

  • Cog - Site Permissions
  • Advanced Permission settings
  • Ribbon - Permission levels
  • Contribute
  • Uncheck EVERYTHING except...
    a) LIST PERMISSIONS: "View Items - View items in lists and documents in document libraries."
    b) LIST PERMISSIONS: "Edit Items - Edit items in lists, edit documents in document libraries, and customize Web Part Pages in document libraries."
    c) LIST PERMISSIONS: "Add Items - Add items to lists and add documents to document libraries."
    * if users need to open attachments from list items, then the "Open Items" checkbox needs to be checked also
    d) SITE PERMISSIONS: "Open - Allows users to open a Web site, list, or folder in order to access items inside that container." (might have automatically been selected from the list selections)
    e) SITE PERMISSIONS: "View Pages - View pages in a Web site." (might have automatically been selected from the list selections)
  • If you're applying this to a subsite, you may need to go to the parent site's Permission levels and add a new "Contribute" permission level (like SubSiteNameContribute) that will be used on the subsite.

* sets the Contribute permission level so that it allows reading/adding/editing list items

 

3) Stop inheriting permissions on the lists used by the PowerApp

  • Go to list/s
  • Cog - List Settings
  • Permissions for this list
  • Ribbon - Stop Inheriting Permissions - OK

* so we can set special permissions for the lists used by the PowerApp

 

4) For the concerned lists change the Visitors user group access from Read to Contribute access.

  • Go to list/s
  • Cog - List Settings
  • Permissions for this list
  • SiteName Visitors - check the checkbox
  • Ribbon - Edit User Permissions
  • Uncheck Read (or SubSiteName Read)
  • Check Contribute (or SubSiteName Contribute)

* sets up the Visitors user group to be the group we put the PowerApp users in. This group now has special access to the required list/s, but still only has read access to the rest of the site.

 

5) Add the PowerApp users to the 'Site Visitors' group

  • Cog - Site Permissions
  • Advanced Permission settings
  • SiteName Visitors
  • Add people / group

* these are the people who will have the ability to read/add/edit list items (from the PowerApp only!) but if they try and view the SharePoint site or list, they won't have access! Perfect!

 

note: After stopping the inheritance of permissions on a particular list, and setting the custom permissions level, you may also see a greyed out "Limited Access" permission level. This isn't correct. It can be rectified by going back to the site or subsite top level and removing the "SiteName Visitors" User Permissions (select checkbox, Remove User Permissions from the ribbon). Then adding it back in via Grant Permissions, searching for SiteName Visitors and selecting the newly created custom SiteNameRead Permission Level. Now you have to go through the lists that you set unique permissions on and also do the same, granting the "SiteName Visitors" permission level, and choosing the SiteNameContribute Permission Level (because this is the permission on the list where we want the PowerApp users to be able to add/edit items via PowerApp). I've only seen this happen once, it might've just been SharePoint getting its knickers in a twist.
 

So finally, we've set up the SharePoint site so any people added to the Visitors group will get read access across the site which we've modified so they won't see any of the site or lists (will be prompted to request access). However, for certain lists (the ones we use as PowerApp datasources), the permission inheritance has been broken and we're applying a special (modified) Contribute permission which allows the users to perform the read/add/edit functions when they are in the PowerApp.
Owners and Members (users in the owners [full control] and members [edit] groups) will have the same access they always had.
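
The configuration in steps 1 to 5 can be checked on paper by modelling the two modified permission levels as SharePoint SPBasePermissions bit flags and computing what the Visitors group ends up holding on each list. This is an added example, not part of any post in this thread; the group name "TestSite Visitors", the list "OtherList" and the role-assignment data are constructed sample values.

```python
from enum import IntFlag

class SPPerm(IntFlag):
    """Subset of SharePoint's SPBasePermissions flags named in steps 1 and 2."""
    VIEW_LIST_ITEMS = 0x1
    ADD_LIST_ITEMS = 0x2
    EDIT_LIST_ITEMS = 0x4
    OPEN = 0x10000
    VIEW_PAGES = 0x20000

P = SPPerm
# Permission levels after the modifications in steps 1 and 2.
LEVELS = {
    "Read": P.OPEN,
    "Contribute": P.VIEW_LIST_ITEMS | P.ADD_LIST_ITEMS | P.EDIT_LIST_ITEMS
                  | P.OPEN | P.VIEW_PAGES,
}

# Constructed sample data: site-level assignments, and per-list state after
# steps 3 and 4 (TestList has unique permissions, OtherList still inherits).
SITE = {"TestSite Visitors": ["Read"]}
LISTS = {
    "TestList": {"inherits": False,
                 "assignments": {"TestSite Visitors": ["Contribute"]}},
    "OtherList": {"inherits": True, "assignments": {}},
}

def effective_mask(list_name, group):
    """OR together every level the group holds at the scope that applies."""
    lst = LISTS[list_name]
    scope = SITE if lst["inherits"] else lst["assignments"]
    mask = P(0)
    for level in scope.get(group, []):
        mask |= LEVELS[level]
    return mask

def audit(group):
    """Report, per list, what the group may do to items as itself."""
    report = {}
    for name in LISTS:
        m = effective_mask(name, group)
        opened = bool(m & P.OPEN)
        report[name] = {
            "read_items": opened and bool(m & P.VIEW_LIST_ITEMS),
            "write_items": opened and bool(m & (P.ADD_LIST_ITEMS | P.EDIT_LIST_ITEMS)),
        }
    return report

if __name__ == "__main__":
    for name, rights in audit("TestSite Visitors").items():
        print(name, rights)
```

A True `read_items` means the group holds View Items on that list in its own right; the mask does not record which client makes the request, and the Power Apps SharePoint connector acts with the signed-in user's permissions.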

Thanks...let me give it a shot and update here again once I'm done 🙂
