cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
CameronWilliams
Advocate II
Advocate II

PowerApps User SharePoint Online Permissions

I have a bit of a dilemma and I'm hoping someone someone may be able to help me solve it.


I've built a PowerApp to facilitate the hiring and termination process at my company. The PowerApp utilizes SharePoint list on a site that my department has access to as a backend because it is our only available option as of right now.


The PowerApp does not directly write to the site in question's lists, it writes to an entirely different site with lists containing very little information which bridge data to the main site's lists. This is to avoid giving any contribute access to the main site's lists, which have data we do not want to provide to the PowerApps users. However, though the app does not write data, it has to be able to read some data from the site in question to garner information about the new or terminating employee to display to the PowerApp users.


For further information about the main site, I have two lists facilitating this process, one for new hiring requests and an active employees list to facilitate terminations. I have one custom permissions group called PowerApps Users. Since the users do not need contribute access to these two lists, I haven't worried about that. At the top level, PowerApps Users has a custom permission called PA Users Read, which only contains Open permissions for the site and no list permissions. On the two lists, I have broken inheritance and given PowerApps Users a custom permission for each called PA Users VO (view only), which contains the following permissions: Site View/Open, List View.


These permissions are working flawlessly as intended regarding the new hire list, at least as far as I can tell. The PowerApps Users can see the new hire requests in the PowerApp, but when accessing the SharePoint site or the direct link to the SharePoint list, they get Access Denied.


However, when given the exact same permissions on the active employees list, PowerApps users who access the list do not get the Access Denied message and can see all items in the list. They cannot edit, add, or delete any of these items, but they can see all of the data. We don't want this, as not all the data in this list is info we want to be accessible by the users (private extension numbers, supervisor information, resources employees have been provided, etc). None of it is especially sensitive, but it isn't something we want accessible either. While the URL for the site has not been leaked or anything like that, the fact that it is accessible at all is concerning.


When comparing the permissions on the new hire list and the active employees list, we noticed that PowerApps Users were being granted Limited Access permission on the active employees list, while they were not on the new hire list. The only real difference between these lists is that some items in the active employees list have text documents attached to their attachments column which contain some information about specific tables the employee has access to in a database.

 

Would the attachments cause this? If so, what recommendations do you have to prevent access to this database. We would prefer to not remove the attachments column if at all possible because the document is provided to our DBA upon account termination.

1 ACCEPTED SOLUTION

Accepted Solutions

Wait! I found a solution. I don't know why this works... but it does. I went into the list permissions for the active employees list. I then restored inheritance, broke inheritance AGAIN using the permissions from the new hire list, deleted the PowerApps Users group, then re-added it with the view only permission level. Suddenly... miraculously... It works. Now to go back and do that for any lists that my end users have to access, haha. For anyone who stumbles across this post, here are my steps to secure the SharePoint backend as VIEW ONLY (not contribute). For those who need to allow your users to contribute to a list which has sensitive data, it may be better for you to create a bridge list or two, and update that instead, allowing Power Automate to process changes to the main list(s). This can be done by adding a column to the bridge lists called UniqueID and having the PowerApp update that field with the list item ID of the item in the main list.

 

  1.  Go to your Advanced Site Permissions
  2. Go to Permission Levels on the ribbon
  3. Add a new permission level, and name it something like PowerApps Users Read
  4. Don't check any of the list permissions, and only check Open for site permissions
  5. Submit, and then add a new permission level called something like PowerApps Users View Only
  6. Check View Items under list settings. This should automatically check View Pages and Open under site permissions, but if it doesn't go ahead and do that. Then submit.
  7. Create a new permission group under your advanced site permissions
  8. Name the group something like PowerApps Users
  9. Assign PowerApps Users the PowerApps Users Read permission on the site.
  10. Go to the lists you want the users to be able to view but not access and break inheritance.
  11. Change the permissions for PowerApps Users from PowerApps Users Read to PowerApps Users View Only.
  12. Add a dummy account to the group and share the PowerApp with the dummy account, then test the following:
    • Can the dummy account view the data in the PowerApp? (Should be able to)
    • Can the dummy account access the site's URL? (Should not be able to - Access Denied)
    • Can the dummy account access the list's URL or any views? (Should not be able to - Access Denied)
  13. If you don't see the Access Denied message on a list, go into the list permission settings and delete the PowerApps Users group.
  14. Click the grant permissions button and then enter the group name PowerApps Users.
  15. Click Show Options, uncheck send invite email, and then choose the PowerApps Users View Only Permission.
  16. Click Share, then run through the tests on step 12 again.

This seemed to work for me. I didn't have to remove any attachments or modify the list at all. The URLs are now properly hidden behind Access Denied messages! 

View solution in original post

5 REPLIES 5
cwebb365
Most Valuable Professional
Most Valuable Professional

Usually if you are seeing limited permissions then your individual items have permissions added directly to them and inheritance broke at the room. Or some of the items are being shared.

Maybe under list settings / advanced options the item level security option is set so they can only see their own entries? If not that could be an option which will hide entries other than your own unless you have full access permissions to the list then you can see all items.

@cwebb365 This doesn't work, as the user is unable to see the items in the PowerApp. The user must be able to READ the items, but NOT be able to access the link if it were to ever be leaked. 

 

The individual items do not have any permissions added directly to them, I already confirmed that. None of the items are being shared, either, as sharing permissions are turned off for the whole site.

 

However, as stated in my original post, the items in the active employees list contain items in their Attachments columns. I'm under the impression that the Attachments column is like a miniature document library. Forgive me if I'm incorrect. What I need to know is if this is what is causing the issues with limited access. If so, I can use Power Automate to break the attachments, which are simple text documents, up into their own individual columns. However, I don't want to put in that effort if it is going to be meaningless in eliminating the limited access issue.

Update: I think that attachments might truly be what is causing the limited access issue. I'm looking at the advanced settings right now, and I'm showing that permissions are enabled for users to upload their own attachments:

chrome_VjuBwZTpNP.png

While this is also enabled on the new hire list, no items in that list actually include attachments.

 

However, marking this disabled says that it will delete all currently attached items. I don't want this. I suspect that this is going to involve more trial and error. My next test will be to add attachments to the new hire list items and see if that causes broken inheritance issues.

Wait! I found a solution. I don't know why this works... but it does. I went into the list permissions for the active employees list. I then restored inheritance, broke inheritance AGAIN using the permissions from the new hire list, deleted the PowerApps Users group, then re-added it with the view only permission level. Suddenly... miraculously... It works. Now to go back and do that for any lists that my end users have to access, haha. For anyone who stumbles across this post, here are my steps to secure the SharePoint backend as VIEW ONLY (not contribute). For those who need to allow your users to contribute to a list which has sensitive data, it may be better for you to create a bridge list or two, and update that instead, allowing Power Automate to process changes to the main list(s). This can be done by adding a column to the bridge lists called UniqueID and having the PowerApp update that field with the list item ID of the item in the main list.

 

  1.  Go to your Advanced Site Permissions
  2. Go to Permission Levels on the ribbon
  3. Add a new permission level, and name it something like PowerApps Users Read
  4. Don't check any of the list permissions, and only check Open for site permissions
  5. Submit, and then add a new permission level called something like PowerApps Users View Only
  6. Check View Items under list settings. This should automatically check View Pages and Open under site permissions, but if it doesn't go ahead and do that. Then submit.
  7. Create a new permission group under your advanced site permissions
  8. Name the group something like PowerApps Users
  9. Assign PowerApps Users the PowerApps Users Read permission on the site.
  10. Go to the lists you want the users to be able to view but not access and break inheritance.
  11. Change the permissions for PowerApps Users from PowerApps Users Read to PowerApps Users View Only.
  12. Add a dummy account to the group and share the PowerApp with the dummy account, then test the following:
    • Can the dummy account view the data in the PowerApp? (Should be able to)
    • Can the dummy account access the site's URL? (Should not be able to - Access Denied)
    • Can the dummy account access the list's URL or any views? (Should not be able to - Access Denied)
  13. If you don't see the Access Denied message on a list, go into the list permission settings and delete the PowerApps Users group.
  14. Click the grant permissions button and then enter the group name PowerApps Users.
  15. Click Show Options, uncheck send invite email, and then choose the PowerApps Users View Only Permission.
  16. Click Share, then run through the tests on step 12 again.

This seemed to work for me. I didn't have to remove any attachments or modify the list at all. The URLs are now properly hidden behind Access Denied messages! 

Hi @CameronWilliams  and @cwebb365 

 

I tested the options above, but there is a security point that is not functional.

Users who have access to the list are able to consume the list through a Power Automate Flow and a Power Apps App through their account using the Site link.

Any solution for this security point?

 

Thanks,

Helpful resources

Announcements

Update! June 13th, Community Ambassador Call for User Group Leaders and Super Users

Calling all Super Users & User Group Leaders     UPDATE:  We just wrapped up June's Community Ambassador monthly calls for Super Users and User Group Leaders. We had a fantastic call with lots of engagement. We are excited to share some highlights with you!    Big THANK YOU to our special guest Thomas Verhasselt, from the Copilot Studio Product Team for sharing how to use Power Platform Templates to achieve next generation growth.     A few key takeaways: Copilot Studio Cookbook Challenge:  Week 1 results are posted, Keep up the great work!Summer of Solutions:  Starting on Monday, June 17th. Just by providing solutions in the community, you can be entered to win tickets to Power Platform Community Conference.Super User Season 2: Coming SoonAll communities moving to the new platform end of July We also honored two different community members during the call, Mohamed Amine Mahmoudi and Markus Franz! We are thankful for both leaders' contributions and engagement with their respective communities. 🎉   Be sure to mark your calendars and register for the meeting on July 11th and stay up to date on all of the changes that are coming. Check out the Super User Forum boards for details.   We're excited to connect with you and continue building a stronger community together.   See you at the call!  

Win free tickets to the Power Platform Conference | Summer of Solutions

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions in the Forums to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**

Copilot Cookbook Challenge | Week 2 Results | Win Tickets to the Power Platform Conference

We are excited to announce the "The Copilot Cookbook Community Challenge is a great way to showcase your creativity and connect with others. Plus, you could win tickets to the Power Platform Community Conference in Las Vegas in September 2024 as an amazing bonus.   Two ways to enter: 1. Copilot Studio Cookbook Gallery: https://aka.ms/CS_Copilot_Cookbook_Challenge 2. Power Apps Copilot Cookbook Gallery: https://aka.ms/PA_Copilot_Cookbook_Challenge   There will be 5 chances to qualify for the final drawing: Early Bird Entries: March 1 - June 2Week 1: June 3 - June 9Week 2: June 10 - June 16Week 3: June 17 - June 23Week 4: June 24 - June 30     At the end of each week, we will draw 5 random names from every user who has posted a qualifying Copilot Studio template, sample or demo in the Copilot Studio Cookbook or a qualifying Power Apps Copilot sample or demo in the Power Apps Copilot Cookbook. Users who are not drawn in a given week will be added to the pool for the next week. Users can qualify more than once, but no more than once per week. Four winners will be drawn at random from the total qualifying entrants. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once. If they are drawn multiple times, another user will be drawn at random. Prizes:  One Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value, does not include travel, lodging, or any other expenses) Winners are also eligible to do a 10-minute presentation of their demo or solution in a community solutions showcase at the event. To qualify for the drawing, templates, samples or demos must be related to Copilot Studio or a Copilot feature of Power Apps, Power Automate, or Power Pages, and must demonstrate or solve a complete unique and useful business or technical problem. Power Automate and Power Pagers posts should be added to the Power Apps Cookbook. Final determination of qualifying entries is at the sole discretion of Microsoft. Weekly updates and the Final random winners will be posted in the News & Announcements section in the communities on July 29th, 2024. Did you submit entries early?  Early Bird Entries March 1 - June 2:  If you posted something in the "early bird" time frame complete this form: https://aka.ms/Copilot_Challenge_EarlyBirds if you would like to be entered in the challenge.   Week 1 Results:  Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Copilot Cookbook Gallery:Power Apps Cookbook Gallery:1.  @Mathieu_Paris 1.   @SpongYe 2.  @Dhanush 2.   @Deenuji 3.  n/a3.   @Nived_Nambiar  4.  n/a4.   @ManishSolanki 5.  n/a5.    n/a   Week 2 Results:  Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Copilot Cookbook Gallery:Power Apps Cookbook Gallery:1. Kasun_Pathirana1. ManishSolanki2. cloudatica2. madlad3. n/a3. SpongYe4. n/a4. n/a5. n/a5. n/a

Celebrating the June Super User of the Month: Markus Franz

Markus Franz is a phenomenal contributor to the Power Apps Community. Super Users like Markus inspire others through their example, encouragement, and active participation.    The Why: "I do this to help others achieve what they are trying to do. As a total beginner back then without IT background I know how overwhelming things can be, so I decided to jump in and help others. I also do this to keep progressing and learning myself." Thank you, Markus Franz, for your outstanding work! Keep inspiring others and making a difference in the community! 🎉  Keep up the fantastic work! 👏👏   Markus Franz | LinkedIn  Power Apps: mmbr1606  

Your Moment to Shine: 2024 PPCC’s Got Power Awards Show

For the third year, we invite you, our talented community members, to participate in the grand 2024 Power Platform Community Conference's Got Power Awards. This event is your opportunity to showcase solutions that make a significant business impact, highlight extensive use of Power Platform products, demonstrate good governance, or tell an inspirational story. Share your success stories, inspire your peers, and show off some hidden talents.  This is your time to shine and bring your creations into the spotlight!  Make your mark, inspire others and leave a lasting impression. Sign up today for a chance to showcase your solution and win the coveted 2024 PPCC’s Got Power Award. This year we have three categories for you to participate in: Technical Solution Demo, Storytelling, and Hidden Talent.      The Technical solution demo category showcases your applications, automated workflows, copilot agentic experiences, web pages, AI capabilities, dashboards, and/or more. We want to see your most impactful Power Platform solutions!  The Storytelling category is where you can share your inspiring story, and the Hidden Talent category is where your talents (such as singing, dancing, jump roping, etc.) can shine! Submission Details:  Fill out the submission form https://aka.ms/PPCCGotPowerSignup by July 12th with details and a 2–5-minute video showcasing your Solution impact. (Please let us know you're coming to PPCC, too!)After review by a panel of Microsoft judges, the top storytellers will be invited to present a virtual demo presentation to the judges during early August. You’ll be notified soon after if you have been selected as a finalist to share your story live at PPCC’s Got Power!  The live show will feature the solution demos and storytelling talents of the top contestants, winner announcements, and the opportunity to network with your community.  It's not just a showcase for technical talent and storytelling showmanship, show it's a golden opportunity to make connections and celebrate our Community together! Let's make this a memorable event! See you there!   Mark your calendars! Date and Time: Thursday, Sept 19th Location: PPCC24 at the MGM Grand, Las Vegas, NV 

Tuesday Tip | Accepting Solutions

It's time for another TUESDAY TIPS, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community.   To enhance our collaborative environment, it's important to acknowledge when your question has been answered satisfactorily. Here's a quick guide on how to accept a solution to your questions: Find the Helpful Reply: Navigate to the reply that has effectively answered your question.Accept as Solution: Look for the "Accept as Solution" button or link, usually located at the bottom of the reply.Confirm Your Selection: Clicking this button may prompt you for confirmation. Go ahead and confirm that this is indeed the solution.Acknowledgment: Once accepted, the reply will be highlighted, and the original post will be marked as "Solved". This helps other community members find the same solution quickly. By marking a reply as an accepted solution, you not only thank the person who helped you but also make it easier for others with similar questions to find answers. Let's continue to support each other by recognizing helpful contributions. 

Users online (5,112)