CameronWilliams
Advocate II

PowerApps User SharePoint Online Permissions

I have a bit of a dilemma and I'm hoping someone may be able to help me solve it.


I've built a PowerApp to facilitate the hiring and termination process at my company. The PowerApp utilizes a SharePoint list on a site that my department has access to as a backend because it is our only available option as of right now.


The PowerApp does not directly write to the site in question's lists, it writes to an entirely different site with lists containing very little information which bridge data to the main site's lists. This is to avoid giving any contribute access to the main site's lists, which have data we do not want to provide to the PowerApps users. However, though the app does not write data, it has to be able to read some data from the site in question to garner information about the new or terminating employee to display to the PowerApp users.


For further information about the main site, I have two lists facilitating this process, one for new hiring requests and an active employees list to facilitate terminations. I have one custom permissions group called PowerApps Users. Since the users do not need contribute access to these two lists, I haven't worried about that. At the top level, PowerApps Users has a custom permission called PA Users Read, which only contains Open permissions for the site and no list permissions. On the two lists, I have broken inheritance and given PowerApps Users a custom permission for each called PA Users VO (view only), which contains the following permissions: Site View/Open, List View.


These permissions are working flawlessly as intended regarding the new hire list, at least as far as I can tell. The PowerApps Users can see the new hire requests in the PowerApp, but when accessing the SharePoint site or the direct link to the SharePoint list, they get Access Denied.


However, when given the exact same permissions on the active employees list, PowerApps users who access the list do not get the Access Denied message and can see all items in the list. They cannot edit, add, or delete any of these items, but they can see all of the data. We don't want this, as not all the data in this list is info we want to be accessible by the users (private extension numbers, supervisor information, resources employees have been provided, etc). None of it is especially sensitive, but it isn't something we want accessible either. While the URL for the site has not been leaked or anything like that, the fact that it is accessible at all is concerning.


When comparing the permissions on the new hire list and the active employees list, we noticed that PowerApps Users were being granted Limited Access permission on the active employees list, while they were not on the new hire list. The only real difference between these lists is that some items in the active employees list have text documents attached to their attachments column which contain some information about specific tables the employee has access to in a database.

 

Would the attachments cause this? If so, what recommendations do you have to prevent access to this database? We would prefer to not remove the attachments column if at all possible because the document is provided to our DBA upon account termination.

Accepted Solutions

Wait! I found a solution. I don't know why this works... but it does. I went into the list permissions for the active employees list. I then restored inheritance, broke inheritance AGAIN using the permissions from the new hire list, deleted the PowerApps Users group, then re-added it with the view only permission level. Suddenly... miraculously... It works. Now to go back and do that for any lists that my end users have to access, haha.

For anyone who stumbles across this post, here are my steps to secure the SharePoint backend as VIEW ONLY (not contribute). For those who need to allow your users to contribute to a list which has sensitive data, it may be better for you to create a bridge list or two, and update that instead, allowing Power Automate to process changes to the main list(s). This can be done by adding a column to the bridge lists called UniqueID and having the PowerApp update that field with the list item ID of the item in the main list.

 

  1. Go to your Advanced Site Permissions
  2. Go to Permission Levels on the ribbon
  3. Add a new permission level, and name it something like PowerApps Users Read
  4. Don't check any of the list permissions, and only check Open for site permissions
  5. Submit, and then add a new permission level called something like PowerApps Users View Only
  6. Check View Items under list settings. This should automatically check View Pages and Open under site permissions, but if it doesn't, go ahead and do that. Then submit.
  7. Create a new permission group under your advanced site permissions
  8. Name the group something like PowerApps Users
  9. Assign PowerApps Users the PowerApps Users Read permission on the site.
  10. Go to the lists you want the users to be able to view but not access and break inheritance.
  11. Change the permissions for PowerApps Users from PowerApps Users Read to PowerApps Users View Only.
  12. Add a dummy account to the group and share the PowerApp with the dummy account, then test the following:
    • Can the dummy account view the data in the PowerApp? (Should be able to)
    • Can the dummy account access the site's URL? (Should not be able to - Access Denied)
    • Can the dummy account access the list's URL or any views? (Should not be able to - Access Denied)
  13. If you don't see the Access Denied message on a list, go into the list permission settings and delete the PowerApps Users group.
  14. Click the grant permissions button and then enter the group name PowerApps Users.
  15. Click Show Options, uncheck send invite email, and then choose the PowerApps Users View Only Permission.
  16. Click Share, then run through the tests on step 12 again.

This seemed to work for me. I didn't have to remove any attachments or modify the list at all. The URLs are now properly hidden behind Access Denied messages! 
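
Steps 1 to 11 above as a script, followed by a read-back of each list's role bindings for the group so that an extra binding such as Limited Access shows up immediately. This is an added example, not part of the original post: it assumes the PnP.PowerShell module, and the site URL and list titles are placeholders.

```powershell
# Added example. Assumptions: PnP.PowerShell is installed and the account running
# this has Full Control on the site. $SiteUrl and $Lists are placeholders.
$SiteUrl   = 'https://contoso.sharepoint.com/sites/hr-backend'   # placeholder URL
$Lists     = 'New Hire Requests', 'Active Employees'              # hypothetical list titles
$Group     = 'PowerApps Users'
$ReadLevel = 'PowerApps Users Read'        # site level: Open only
$ViewLevel = 'PowerApps Users View Only'   # list level: View Items + View Pages + Open

# Authentication options depend on the tenant; recent module versions also need -ClientId.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Steps 1-6: create the two custom permission levels if they do not exist yet.
if (-not (Get-PnPRoleDefinition -Identity $ReadLevel -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName $ReadLevel -Include Open | Out-Null
}
if (-not (Get-PnPRoleDefinition -Identity $ViewLevel -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName $ViewLevel -Include ViewListItems, ViewPages, Open | Out-Null
}

# Steps 7-9: create the group and give it the Open-only level on the site.
if (-not (Get-PnPGroup -Identity $Group -ErrorAction SilentlyContinue)) {
    New-PnPGroup -Title $Group | Out-Null
}
Set-PnPGroupPermissions -Identity $Group -AddRole $ReadLevel

$report = foreach ($title in $Lists) {
    # Step 10: break inheritance, copying the site's assignments onto the list.
    $list = Get-PnPList -Identity $title -Includes HasUniqueRoleAssignments
    if (-not $list.HasUniqueRoleAssignments) {
        Set-PnPList -Identity $title -BreakRoleInheritance -CopyRoleAssignments | Out-Null
    }

    # Step 11: swap the group's level on this list from Read to View Only.
    # (Expects the group to already hold an assignment on the list, as it does
    # after the copy in step 10.)
    Set-PnPListPermission -Identity $title -Group $Group -AddRole $ViewLevel -RemoveRole $ReadLevel

    # Read back what the group actually holds on the list.
    $list = Get-PnPList -Identity $title -Includes RoleAssignments
    foreach ($ra in $list.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        if ($ra.Member.Title -ne $Group) { continue }
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        [pscustomobject]@{
            List       = $title
            Roles      = $roles -join '; '
            # Anything other than exactly the View Only level needs a closer look.
            AsExpected = ($roles.Count -eq 1 -and $roles[0] -eq $ViewLevel)
        }
    }
}

$report | Format-Table -AutoSize
```

A row with `AsExpected` set to `False` marks a list where the group holds something other than the single View Only level; the browser tests in step 12 still need to be run with the dummy account.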


5 REPLIES
cwebb365
Super User

Usually if you are seeing limited permissions then your individual items have permissions added directly to them and inheritance broke at the room. Or some of the items are being shared.

Maybe under list settings / advanced options the item level security option is set so they can only see their own entries? If not, that could be an option which will hide entries other than your own unless you have full access permissions to the list, then you can see all items.

@cwebb365 This doesn't work, as the user is unable to see the items in the PowerApp. The user must be able to READ the items, but NOT be able to access the link if it were to ever be leaked. 

 

The individual items do not have any permissions added directly to them, I already confirmed that. None of the items are being shared, either, as sharing permissions are turned off for the whole site.

 

However, as stated in my original post, the items in the active employees list contain items in their Attachments columns. I'm under the impression that the Attachments column is like a miniature document library. Forgive me if I'm incorrect. What I need to know is if this is what is causing the issues with limited access. If so, I can use Power Automate to break the attachments, which are simple text documents, up into their own individual columns. However, I don't want to put in that effort if it is going to be meaningless in eliminating the limited access issue.

Update: I think that attachments might truly be what is causing the limited access issue. I'm looking at the advanced settings right now, and I'm showing that permissions are enabled for users to upload their own attachments:


While this is also enabled on the new hire list, no items in that list actually include attachments.

 

However, marking this disabled says that it will delete all currently attached items. I don't want this. I suspect that this is going to involve more trial and error. My next test will be to add attachments to the new hire list items and see if that causes broken inheritance issues.

Hi @CameronWilliams and @cwebb365

 

I tested the options above, but there is a security point that is not functional.

Users who have access to the list are able to consume the list through a Power Automate Flow and a Power Apps App through their account using the Site link.

Any solution for this security point?

 

Thanks,
