cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
CameronWilliams
Advocate II
Advocate II

PowerApps User SharePoint Online Permissions

I have a bit of a dilemma and I'm hoping someone someone may be able to help me solve it.


I've built a PowerApp to facilitate the hiring and termination process at my company. The PowerApp utilizes SharePoint list on a site that my department has access to as a backend because it is our only available option as of right now.


The PowerApp does not directly write to the site in question's lists, it writes to an entirely different site with lists containing very little information which bridge data to the main site's lists. This is to avoid giving any contribute access to the main site's lists, which have data we do not want to provide to the PowerApps users. However, though the app does not write data, it has to be able to read some data from the site in question to garner information about the new or terminating employee to display to the PowerApp users.


For further information about the main site, I have two lists facilitating this process, one for new hiring requests and an active employees list to facilitate terminations. I have one custom permissions group called PowerApps Users. Since the users do not need contribute access to these two lists, I haven't worried about that. At the top level, PowerApps Users has a custom permission called PA Users Read, which only contains Open permissions for the site and no list permissions. On the two lists, I have broken inheritance and given PowerApps Users a custom permission for each called PA Users VO (view only), which contains the following permissions: Site View/Open, List View.


These permissions are working flawlessly as intended regarding the new hire list, at least as far as I can tell. The PowerApps Users can see the new hire requests in the PowerApp, but when accessing the SharePoint site or the direct link to the SharePoint list, they get Access Denied.


However, when given the exact same permissions on the active employees list, PowerApps users who access the list do not get the Access Denied message and can see all items in the list. They cannot edit, add, or delete any of these items, but they can see all of the data. We don't want this, as not all the data in this list is info we want to be accessible by the users (private extension numbers, supervisor information, resources employees have been provided, etc). None of it is especially sensitive, but it isn't something we want accessible either. While the URL for the site has not been leaked or anything like that, the fact that it is accessible at all is concerning.


When comparing the permissions on the new hire list and the active employees list, we noticed that PowerApps Users were being granted Limited Access permission on the active employees list, while they were not on the new hire list. The only real difference between these lists is that some items in the active employees list have text documents attached to their attachments column which contain some information about specific tables the employee has access to in a database.

 

Would the attachments cause this? If so, what recommendations do you have to prevent access to this database. We would prefer to not remove the attachments column if at all possible because the document is provided to our DBA upon account termination.

1 ACCEPTED SOLUTION

Accepted Solutions

Wait! I found a solution. I don't know why this works... but it does. I went into the list permissions for the active employees list. I then restored inheritance, broke inheritance AGAIN using the permissions from the new hire list, deleted the PowerApps Users group, then re-added it with the view only permission level. Suddenly... miraculously... It works. Now to go back and do that for any lists that my end users have to access, haha. For anyone who stumbles across this post, here are my steps to secure the SharePoint backend as VIEW ONLY (not contribute). For those who need to allow your users to contribute to a list which has sensitive data, it may be better for you to create a bridge list or two, and update that instead, allowing Power Automate to process changes to the main list(s). This can be done by adding a column to the bridge lists called UniqueID and having the PowerApp update that field with the list item ID of the item in the main list.

 

  1.  Go to your Advanced Site Permissions
  2. Go to Permission Levels on the ribbon
  3. Add a new permission level, and name it something like PowerApps Users Read
  4. Don't check any of the list permissions, and only check Open for site permissions
  5. Submit, and then add a new permission level called something like PowerApps Users View Only
  6. Check View Items under list settings. This should automatically check View Pages and Open under site permissions, but if it doesn't go ahead and do that. Then submit.
  7. Create a new permission group under your advanced site permissions
  8. Name the group something like PowerApps Users
  9. Assign PowerApps Users the PowerApps Users Read permission on the site.
  10. Go to the lists you want the users to be able to view but not access and break inheritance.
  11. Change the permissions for PowerApps Users from PowerApps Users Read to PowerApps Users View Only.
  12. Add a dummy account to the group and share the PowerApp with the dummy account, then test the following:
    • Can the dummy account view the data in the PowerApp? (Should be able to)
    • Can the dummy account access the site's URL? (Should not be able to - Access Denied)
    • Can the dummy account access the list's URL or any views? (Should not be able to - Access Denied)
  13. If you don't see the Access Denied message on a list, go into the list permission settings and delete the PowerApps Users group.
  14. Click the grant permissions button and then enter the group name PowerApps Users.
  15. Click Show Options, uncheck send invite email, and then choose the PowerApps Users View Only Permission.
  16. Click Share, then run through the tests on step 12 again.

This seemed to work for me. I didn't have to remove any attachments or modify the list at all. The URLs are now properly hidden behind Access Denied messages! 

View solution in original post

5 REPLIES 5
cwebb365
Most Valuable Professional
Most Valuable Professional

Usually if you are seeing limited permissions then your individual items have permissions added directly to them and inheritance broke at the room. Or some of the items are being shared.

Maybe under list settings / advanced options the item level security option is set so they can only see their own entries? If not that could be an option which will hide entries other than your own unless you have full access permissions to the list then you can see all items.

@cwebb365 This doesn't work, as the user is unable to see the items in the PowerApp. The user must be able to READ the items, but NOT be able to access the link if it were to ever be leaked. 

 

The individual items do not have any permissions added directly to them, I already confirmed that. None of the items are being shared, either, as sharing permissions are turned off for the whole site.

 

However, as stated in my original post, the items in the active employees list contain items in their Attachments columns. I'm under the impression that the Attachments column is like a miniature document library. Forgive me if I'm incorrect. What I need to know is if this is what is causing the issues with limited access. If so, I can use Power Automate to break the attachments, which are simple text documents, up into their own individual columns. However, I don't want to put in that effort if it is going to be meaningless in eliminating the limited access issue.

Update: I think that attachments might truly be what is causing the limited access issue. I'm looking at the advanced settings right now, and I'm showing that permissions are enabled for users to upload their own attachments:

chrome_VjuBwZTpNP.png

While this is also enabled on the new hire list, no items in that list actually include attachments.

 

However, marking this disabled says that it will delete all currently attached items. I don't want this. I suspect that this is going to involve more trial and error. My next test will be to add attachments to the new hire list items and see if that causes broken inheritance issues.

Wait! I found a solution. I don't know why this works... but it does. I went into the list permissions for the active employees list. I then restored inheritance, broke inheritance AGAIN using the permissions from the new hire list, deleted the PowerApps Users group, then re-added it with the view only permission level. Suddenly... miraculously... It works. Now to go back and do that for any lists that my end users have to access, haha. For anyone who stumbles across this post, here are my steps to secure the SharePoint backend as VIEW ONLY (not contribute). For those who need to allow your users to contribute to a list which has sensitive data, it may be better for you to create a bridge list or two, and update that instead, allowing Power Automate to process changes to the main list(s). This can be done by adding a column to the bridge lists called UniqueID and having the PowerApp update that field with the list item ID of the item in the main list.

 

  1.  Go to your Advanced Site Permissions
  2. Go to Permission Levels on the ribbon
  3. Add a new permission level, and name it something like PowerApps Users Read
  4. Don't check any of the list permissions, and only check Open for site permissions
  5. Submit, and then add a new permission level called something like PowerApps Users View Only
  6. Check View Items under list settings. This should automatically check View Pages and Open under site permissions, but if it doesn't go ahead and do that. Then submit.
  7. Create a new permission group under your advanced site permissions
  8. Name the group something like PowerApps Users
  9. Assign PowerApps Users the PowerApps Users Read permission on the site.
  10. Go to the lists you want the users to be able to view but not access and break inheritance.
  11. Change the permissions for PowerApps Users from PowerApps Users Read to PowerApps Users View Only.
  12. Add a dummy account to the group and share the PowerApp with the dummy account, then test the following:
    • Can the dummy account view the data in the PowerApp? (Should be able to)
    • Can the dummy account access the site's URL? (Should not be able to - Access Denied)
    • Can the dummy account access the list's URL or any views? (Should not be able to - Access Denied)
  13. If you don't see the Access Denied message on a list, go into the list permission settings and delete the PowerApps Users group.
  14. Click the grant permissions button and then enter the group name PowerApps Users.
  15. Click Show Options, uncheck send invite email, and then choose the PowerApps Users View Only Permission.
  16. Click Share, then run through the tests on step 12 again.

This seemed to work for me. I didn't have to remove any attachments or modify the list at all. The URLs are now properly hidden behind Access Denied messages! 

Hi @CameronWilliams  and @cwebb365 

 

I tested the options above, but there is a security point that is not functional.

Users who have access to the list are able to consume the list through a Power Automate Flow and a Power Apps App through their account using the Site link.

Any solution for this security point?

 

Thanks,

Helpful resources

Announcements

April 4th Copilot Studio Coffee Chat | Recording Now Available

Did you miss the Copilot Studio Coffee Chat on April 4th? This exciting and informative session with Dewain Robinson and Gary Pretty is now available to watch in our Community Galleries!   This AMA discussed how Copilot Studio is using the conversational AI-powered technology to aid and assist in the building of chatbots. Dewain is a Principal Program Manager with Copilot Studio. Gary is a Principal Program Manager with Copilot Studio and Conversational AI. Both of them had great insights to share with the community and answered some very interesting questions!     As part of our ongoing Coffee Chat AMA series, this engaging session gives the Community the unique opportunity to learn more about the latest Power Platform Copilot plans, where we’ll focus, and gain insight into upcoming features. We’re looking forward to hearing from the community at the next AMA, so hang on to your questions!   Watch the recording in the Gallery today: April 4th Copilot Studio Coffee Chat AMA

Tuesday Tip: Subscriptions & Notifications

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!   This Week: All About Subscriptions & Notifications We don't want you to a miss a thing in the Community! The best way to make sure you know what's going on in the News & Announcements, to blogs you follow, or forums and galleries you're interested in is to subscribe! These subscriptions ensure you receive automated messages about the most recent posts and replies. Even better, there are multiple ways you can subscribe to content and boards in the community! (Please note: if you have created an AAD (Azure Active Directory) account you won't be able to receive e-mail notifications.)   Subscribing to a Category  When you're looking at the entire category, select from the Options drop down and choose Subscribe.     You can then choose to Subscribe to all of the boards or select only the boards you want to receive notifications. When you're satisfied with your choices, click Save.   Subscribing to a Topic You can also subscribe to a single topic by clicking Subscribe from the Options drop down menu, while you are viewing the topic or in the General board overview, respectively.     Subscribing to a Label Find the labels at the bottom left of a post.From a particular post with a label, click on the label to filter by that label. This opens a window containing a list of posts with the label you have selected. Click Subscribe.           Note: You can only subscribe to a label at the board level. If you subscribe to a label named 'Copilot' at board #1, it will not automatically subscribe you to an identically named label at board #2. You will have to subscribe twice, once at each board.   Bookmarks Just like you can subscribe to topics and categories, you can also bookmark topics and boards from the same menus! Simply go to the Topic Options drop down menu to bookmark a topic or the Options drop down to bookmark a board. The difference between subscribing and bookmarking is that subscriptions provide you with notifications, whereas bookmarks provide you a static way of easily accessing your favorite boards from the My subscriptions area.   Managing & Viewing Your Subscriptions & Bookmarks To manage your subscriptions, click on your avatar and select My subscriptions from the drop-down menu.     From the Subscriptions & Notifications tab, you can manage your subscriptions, including your e-mail subscription options, your bookmarks, your notification settings, and your email notification format.     You can see a list of all your subscriptions and bookmarks and choose which ones to delete, either individually or in bulk, by checking multiple boxes.     A Note on Following Friends on Mobile Adding someone as a friend or selecting Follow in the mobile view does not allow you to subscribe to their activity feed. You will merely be able to see your friends’ biography, other personal information, or online status, and send messages more quickly by choosing who to send the message to from a list, as opposed to having to search by username.

Monthly Community User Group Update | April 2024

The monthly Community User Group Update is your resource for discovering User Group meetings and events happening around the world (and virtually), welcoming new User Groups to our Community, and more! Our amazing Community User Groups are an important part of the Power Platform Community, with more than 700 Community User Groups worldwide, we know they're a great way to engage personally, while giving our members a place to learn and grow together.   This month, we welcome 3 new User Groups in India, Wales, and Germany, and feature 8 User Group Events across Power Platform and Dynamics 365. Find out more below. New Power Platform User Groups   Power Platform Innovators (India) About: Our aim is to foster a collaborative environment where we can share upcoming Power Platform events, best practices, and valuable content related to Power Platform. Whether you’re a seasoned expert or a newcomer looking to learn, this group is for you. Let’s empower each other to achieve more with Power Platform. Join us in shaping the future of digital transformation!   Power Platform User Group (Wales) About: A Power Platform User Group in Wales (predominantly based in Cardiff but will look to hold sessions around Wales) to establish a community to share learnings and experience in all parts of the platform.   Power Platform User Group (Hannover) About: This group is for anyone who works with the services of Microsoft Power Platform or wants to learn more about it and no-code/low-code. And, of course, Microsoft Copilot application in the Power Platform.   New Dynamics365 User Groups   Ellucian CRM Recruit UK (United Kingdom) About: A group for United Kingdom universities using Ellucian CRM Recruit to manage their admissions process, to share good practice and resolve issues.    Business Central Mexico (Mexico City) About:  A place to find documentation, learning resources, and events focused on user needs in Mexico. We meet to discuss and answer questions about the current features in the standard localization that Microsoft provides, and what you only find in third-party locations. In addition, we focus on what's planned for new standard versions, recent legislation requirements, and more. Let's work together to drive request votes for Microsoft for features that aren't currently found—but are indispensable.   Dynamics 365 F&O User Group (Dublin) About: The Dynamics 365 F&O User Group - Ireland Chapter meets up in person at least twice yearly in One Microsoft Place Dublin for users to have the opportunity to have conversations on mutual topics, find out what’s new and on the Dynamics 365 FinOps Product Roadmap, get insights from customer and partner experiences, and access to Microsoft subject matter expertise.  Upcoming Power Platform Events    PAK Time (Power Apps Kwentuhan) 2024 #6 (Phillipines, Online) This is a continuation session of Custom API. Sir Jun Miano will be sharing firsthand experience on setting up custom API and best practices. (April 6, 2024)       Power Apps: Creating business applications rapidly (Sydney) At this event, learn how to choose the right app on Power Platform, creating a business application in an hour, and tips for using Copilot AI. While we recommend attending all 6 events in the series, each session is independent of one another, and you can join the topics of your interest. Think of it as a “Hop On, Hop Off” bus! Participation is free, but you need a personal computer (laptop) and we provide the rest. We look forward to seeing you there! (April 11, 2024)     April 2024 Cleveland Power Platform User Group (Independence, Ohio) Kickoff the meeting with networking, and then our speaker will share how to create responsive and intuitive Canvas Apps using features like Variables, Search and Filtering. And how PowerFx rich functions and expressions makes configuring those functionalities easier. Bring ideas to discuss and engage with other community members! (April 16, 2024)     Dynamics 365 and Power Platform 2024 Wave 1 Release (NYC, Online) This session features Aric Levin, Microsoft Business Applications MVP and Technical Architect at Avanade and Mihir Shah, Global CoC Leader of Microsoft Managed Services at IBM. We will cover some of the new features and enhancements related to the Power Platform, Dataverse, Maker Portal, Unified Interface and the Microsoft First Party Apps (Microsoft Dynamics 365) that were announced in the Microsoft Dynamics 365 and Power Platform 2024 Release Wave 1 Plan. (April 17, 2024)     Let’s Explore Copilot Studio Series: Bot Skills to Extend Your Copilots (Makati National Capital Reg... Join us for the second installment of our Let's Explore Copilot Studio Series, focusing on Bot Skills. Learn how to enhance your copilot's abilities to automate tasks within specific topics, from booking appointments to sending emails and managing tasks. Discover the power of Skills in expanding conversational capabilities. (April 30, 2024)   Upcoming Dynamics365 Events    Leveraging Customer Managed Keys (CMK) in Dynamics 365 (Noida, Uttar Pradesh, Online) This month's featured topic: Leveraging Customer Managed Keys (CMK) in Dynamics 365, with special guest Nitin Jain from Microsoft. We are excited and thankful to him for doing this session. Join us for this online session, which should be helpful to all Dynamics 365 developers, Technical Architects and Enterprise architects who are implementing Dynamics 365 and want to have more control on the security of their data over Microsoft Managed Keys. (April 11, 2024)     Stockholm D365 User Group April Meeting (Stockholm) This is a Swedish user group for D365 Finance and Operations, AX2012, CRM, CE, Project Operations, and Power BI.  (April 17, 2024)         Transportation Management in D365 F&SCM Q&A Session (Toronto, Online) Calling all Toronto UG members and beyond! Join us for an engaging and informative one-hour Q&A session, exclusively focused on Transportation Management System (TMS) within Dynamics 365 F&SCM. Whether you’re a seasoned professional or just curious about TMS, this event is for you. Bring your questions! (April 26, 2024)   Leaders, Create Your Events!    Leaders of existing User Groups, don’t forget to create your events within the Community platform. By doing so, you’ll enable us to share them in future posts and newsletters. Let’s spread the word and make these gatherings even more impactful! Stay tuned for more updates, inspiring stories, and collaborative opportunities from and for our Community User Groups.   P.S. Have an event or success story to share? Reach out to us – we’d love to feature you. Just leave a comment or send a PM here in the Community!

Exclusive LIVE Community Event: Power Apps Copilot Coffee Chat with Copilot Studio Product Team

We have closed kudos on this post at this time. Thank you to everyone who kudo'ed their RSVP--your invitations are coming soon!  Miss the window to RSVP? Don't worry--you can catch the recording of the meeting this week in the Community.  Details coming soon!   *****   It's time for the SECOND Power Apps Copilot Coffee Chat featuring the Copilot Studio product team, which will be held LIVE on April 3, 2024 at 9:30 AM Pacific Daylight Time (PDT).     This is an incredible opportunity to connect with members of the Copilot Studio product team and ask them anything about Copilot Studio. We'll share our special guests with you shortly--but we want to encourage to mark your calendars now because you will not want to miss the conversation.   This live event will give you the unique opportunity to learn more about Copilot Studio plans, where we’ll focus, and get insight into upcoming features. We’re looking forward to hearing from the community, so bring your questions!   TO GET ACCESS TO THIS EXCLUSIVE AMA: Kudo this post to reserve your spot! Reserve your spot now by kudoing this post.  Reservations will be prioritized on when your kudo for the post comes through, so don't wait! Click that "kudo button" today.   Invitations will be sent on April 2nd.Users posting Kudos after April 2nd. at 9AM PDT may not receive an invitation but will be able to view the session online after conclusion of the event. Give your "kudo" today and mark your calendars for April 3rd, 2024 at 9:30 AM PDT and join us for an engaging and informative session!

Tuesday Tip: Blogging in the Community is a Great Way to Start

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!   This Week's Topic: Blogging in the Community Are you new to our Communities and feel like you may know a few things to share, but you're not quite ready to start answering questions in the forums? A great place to start is the Community blog! Whether you've been using Power Platform for awhile, or you're new to the low-code revolution, the Community blog is a place for anyone who can write, has some great insight to share, and is willing to commit to posting regularly! In other words, we want YOU to join the Community blog.    Why should you consider becoming a blog author? Here are just a few great reasons. 🎉   Learn from Each Other: Our community is like a bustling marketplace of ideas. By sharing your experiences and insights, you contribute to a dynamic ecosystem where makers learn from one another. Your unique perspective matters! Collaborate and Innovate: Imagine a virtual brainstorming session where minds collide, ideas spark, and solutions emerge. That’s what our community blog offers—a platform for collaboration and innovation. Together, we can build something extraordinary. Showcase the Power of Low-Code: You know that feeling when you discover a hidden gem? By writing about your experience with your favorite Power Platform tool, you’re shining a spotlight on its capabilities and real-world applications. It’s like saying, “Hey world, check out this amazing tool!” Earn Trust and Credibility: When you share valuable information, you become a trusted resource. Your fellow community members rely on your tips, tricks, and know-how. It’s like being the go-to friend who always has the best recommendations. Empower Others: By contributing to our community blog, you empower others to level up their skills. Whether it’s a nifty workaround, a time-saving hack, or an aha moment, your words have impact. So grab your keyboard, brew your favorite beverage, and start writing! Your insights matter and your voice counts! With every blog shared in the Community, we all do a better job of tackling complex challenges with gusto. 🚀   Welcome aboard, future blog author! ✍️✏️🌠 Get started blogging across the Power Platform Communities today! Just follow one of the links below to begin your blogging adventure.   Power Apps: https://powerusers.microsoft.com/t5/Power-Apps-Community-Blog/bg-p/PowerAppsBlog Power Automate: https://powerusers.microsoft.com/t5/Power-Automate-Community-Blog/bg-p/MPABlog Copilot Studio: https://powerusers.microsoft.com/t5/Copilot-Studio-Community-Blog/bg-p/PVACommunityBlog Power Pages: https://powerusers.microsoft.com/t5/Power-Pages-Community-Blog/bg-p/mpp_blog   When you follow the link, look for the Message Admins button like this on the page's right rail, and let us know you're interested. We can't wait to connect with you and help you get started. Thanks for being part of our incredible community--and thanks for becoming part of the community blog!

Launch Event Registration: Redefine What's Possible Using AI

Join Microsoft product leaders and engineers for an in-depth look at the latest features in Microsoft Dynamics 365 and Microsoft Power Platform. Learn how advances in AI and Microsoft Copilot can help you connect teams, processes, and data, and respond to changing business needs with greater agility. We’ll share insights and demonstrate how 2024 release wave 1 updates and advancements will help you:   Streamline business processes, automate repetitive tasks, and unlock creativity using the power of Copilot and role-specific insights and actions. Unify customer data to optimize customer journeys with generative AI and foster collaboration between sales and marketing teams. Strengthen governance with upgraded tools and features. Accelerate low-code development  using natural language and streamlined tools. Plus, you can get answers to your questions during our live Q&A chat! Don't wait--register today by clicking the image below!  

Users online (8,138)