I've created some PowerApps apps for SharePoint lists because I needed to provide custom forms and control what information is provided to and can be changed by users. Is there any way prevent users from simply creating their own app and connecting it to my list to bypass whatever customizations and restrictions I put in my app?
No, there is no way to prevent people from creating an app that connects to a SharePoint list if they have write/read access to the list.
I think this is also not the right way to think about this problem. Even if you could prevent them from creating an app, they can always go directly to the list and then bypass your customizations. The only way to secure your list is to ensure that you put restrictions in the SharePoint list itself.
Thanks for your reply, @sarafankit. Actually, I can prevent users from going directly to the list and viewing or editing items that way. I found the right combination of permissions that allows users to add, edit, and delete items in the list in PowerApps but prevents them from accessing the list directly through the site. If they try to browse to the list or click on a direct link to the list, they get the "access denied" page.
In trying to control what users can do in a list, your only options in SharePoint are to allow users to read and/or edit all items, allow users to read and/or edit only items they created, or set up unique permissions on each item. These options are probably sufficient in most scenarios, but definitely not all. Plus, you can't apply permissions to specific columns in the list. PowerApps gives you that extra level of control that's simply not available in SharePoint alone. Unfortunately, PowerApps also makes it very easy for someone with only basic permissions to the list to create their own app and bypass the restrictions you built into the "official" app for that list.
There really needs to be some way for site owners to control who can add a connection to their SharePoint lists in PowerApps. Ideally, a unique permission specifically for this might be nice, but even simply requiring at least the Design permission level would work, too.
You could make controls visible or hidden based on the user (which you previously queried from a list and put in a variable), this is how I do this in my screens... And in the gallery or new/display forms, hide controls based on these 🙂
Thank you, @Anonymous, for responding. Unfortunately, that doesn't answer my question about how to prevent someone from connecting their own app to my SharePoint list.
@scotthanks I somewhere lost that sentance when reading you question.
In fact thats a really good question, wouldn't know the answer to it but I'm also curious about this one!!
What permissions did you give to "allows users to add, edit, and delete items in the list in PowerApps but prevents them from accessing the list directly through the site."? Thank you!
Hi, @S_Harvey. I created a couple of custom permission levels. For lists where users need to add and edit items in PowerApps, I gave these permissions: Add Items, Edit Items, View Items, View Versions, Delete Versions, View Pages, Browse User Information, and Open.
For lists where users only needed to read items in PowerApps, I gave these permissions: View Items, View Pages, Browse User Information, and Open.
It's also necessary to activate the "Limited-access user permission lockdown mode" site collection feature for this to work.
I've read through but I still don't understand if anyone has managed to do what OP is asking. Taking it one step further:
How can I create a PowerApp connected to ListA, that grants the users the permission to read/write/delete list items through the PowerApp, but block direct access to ListA itself?
Hope someone can clarify.