cancel
Showing results for 
Search instead for 
Did you mean: 
Reply

PowerApps User SharePoint Online Permissions

I have a bit of a dilemma and I'm hoping someone someone may be able to help me solve it.


I've built a PowerApp to facilitate the hiring and termination process at my company. The PowerApp utilizes SharePoint list on a site that my department has access to as a backend because it is our only available option as of right now.


The PowerApp does not directly write to the site in question's lists, it writes to an entirely different site with lists containing very little information which bridge data to the main site's lists. This is to avoid giving any contribute access to the main site's lists, which have data we do not want to provide to the PowerApps users. However, though the app does not write data, it has to be able to read some data from the site in question to garner information about the new or terminating employee to display to the PowerApp users.


For further information about the main site, I have two lists facilitating this process, one for new hiring requests and an active employees list to facilitate terminations. I have one custom permissions group called PowerApps Users. Since the users do not need contribute access to these two lists, I haven't worried about that. At the top level, PowerApps Users has a custom permission called PA Users Read, which only contains Open permissions for the site and no list permissions. On the two lists, I have broken inheritance and given PowerApps Users a custom permission for each called PA Users VO (view only), which contains the following permissions: Site View/Open, List View.


These permissions are working flawlessly as intended regarding the new hire list, at least as far as I can tell. The PowerApps Users can see the new hire requests in the PowerApp, but when accessing the SharePoint site or the direct link to the SharePoint list, they get Access Denied.


However, when given the exact same permissions on the active employees list, PowerApps users who access the list do not get the Access Denied message and can see all items in the list. They cannot edit, add, or delete any of these items, but they can see all of the data. We don't want this, as not all the data in this list is info we want to be accessible by the users (private extension numbers, supervisor information, resources employees have been provided, etc). None of it is especially sensitive, but it isn't something we want accessible either. While the URL for the site has not been leaked or anything like that, the fact that it is accessible at all is concerning.


When comparing the permissions on the new hire list and the active employees list, we noticed that PowerApps Users were being granted Limited Access permission on the active employees list, while they were not on the new hire list. The only real difference between these lists is that some items in the active employees list have text documents attached to their attachments column which contain some information about specific tables the employee has access to in a database.

 

Would the attachments cause this? If so, what recommendations do you have to prevent access to this database. We would prefer to not remove the attachments column if at all possible because the document is provided to our DBA upon account termination.

1 ACCEPTED SOLUTION

Accepted Solutions

Wait! I found a solution. I don't know why this works... but it does. I went into the list permissions for the active employees list. I then restored inheritance, broke inheritance AGAIN using the permissions from the new hire list, deleted the PowerApps Users group, then re-added it with the view only permission level. Suddenly... miraculously... It works. Now to go back and do that for any lists that my end users have to access, haha. For anyone who stumbles across this post, here are my steps to secure the SharePoint backend as VIEW ONLY (not contribute). For those who need to allow your users to contribute to a list which has sensitive data, it may be better for you to create a bridge list or two, and update that instead, allowing Power Automate to process changes to the main list(s). This can be done by adding a column to the bridge lists called UniqueID and having the PowerApp update that field with the list item ID of the item in the main list.

 

  1.  Go to your Advanced Site Permissions
  2. Go to Permission Levels on the ribbon
  3. Add a new permission level, and name it something like PowerApps Users Read
  4. Don't check any of the list permissions, and only check Open for site permissions
  5. Submit, and then add a new permission level called something like PowerApps Users View Only
  6. Check View Items under list settings. This should automatically check View Pages and Open under site permissions, but if it doesn't go ahead and do that. Then submit.
  7. Create a new permission group under your advanced site permissions
  8. Name the group something like PowerApps Users
  9. Assign PowerApps Users the PowerApps Users Read permission on the site.
  10. Go to the lists you want the users to be able to view but not access and break inheritance.
  11. Change the permissions for PowerApps Users from PowerApps Users Read to PowerApps Users View Only.
  12. Add a dummy account to the group and share the PowerApp with the dummy account, then test the following:
    • Can the dummy account view the data in the PowerApp? (Should be able to)
    • Can the dummy account access the site's URL? (Should not be able to - Access Denied)
    • Can the dummy account access the list's URL or any views? (Should not be able to - Access Denied)
  13. If you don't see the Access Denied message on a list, go into the list permission settings and delete the PowerApps Users group.
  14. Click the grant permissions button and then enter the group name PowerApps Users.
  15. Click Show Options, uncheck send invite email, and then choose the PowerApps Users View Only Permission.
  16. Click Share, then run through the tests on step 12 again.

This seemed to work for me. I didn't have to remove any attachments or modify the list at all. The URLs are now properly hidden behind Access Denied messages! 

View solution in original post

5 REPLIES 5
cwebb365
Most Valuable Professional
Most Valuable Professional

Usually if you are seeing limited permissions then your individual items have permissions added directly to them and inheritance broke at the room. Or some of the items are being shared.

Maybe under list settings / advanced options the item level security option is set so they can only see their own entries? If not that could be an option which will hide entries other than your own unless you have full access permissions to the list then you can see all items.

@cwebb365 This doesn't work, as the user is unable to see the items in the PowerApp. The user must be able to READ the items, but NOT be able to access the link if it were to ever be leaked. 

 

The individual items do not have any permissions added directly to them, I already confirmed that. None of the items are being shared, either, as sharing permissions are turned off for the whole site.

 

However, as stated in my original post, the items in the active employees list contain items in their Attachments columns. I'm under the impression that the Attachments column is like a miniature document library. Forgive me if I'm incorrect. What I need to know is if this is what is causing the issues with limited access. If so, I can use Power Automate to break the attachments, which are simple text documents, up into their own individual columns. However, I don't want to put in that effort if it is going to be meaningless in eliminating the limited access issue.

Update: I think that attachments might truly be what is causing the limited access issue. I'm looking at the advanced settings right now, and I'm showing that permissions are enabled for users to upload their own attachments:

chrome_VjuBwZTpNP.png

While this is also enabled on the new hire list, no items in that list actually include attachments.

 

However, marking this disabled says that it will delete all currently attached items. I don't want this. I suspect that this is going to involve more trial and error. My next test will be to add attachments to the new hire list items and see if that causes broken inheritance issues.

Wait! I found a solution. I don't know why this works... but it does. I went into the list permissions for the active employees list. I then restored inheritance, broke inheritance AGAIN using the permissions from the new hire list, deleted the PowerApps Users group, then re-added it with the view only permission level. Suddenly... miraculously... It works. Now to go back and do that for any lists that my end users have to access, haha. For anyone who stumbles across this post, here are my steps to secure the SharePoint backend as VIEW ONLY (not contribute). For those who need to allow your users to contribute to a list which has sensitive data, it may be better for you to create a bridge list or two, and update that instead, allowing Power Automate to process changes to the main list(s). This can be done by adding a column to the bridge lists called UniqueID and having the PowerApp update that field with the list item ID of the item in the main list.

 

  1.  Go to your Advanced Site Permissions
  2. Go to Permission Levels on the ribbon
  3. Add a new permission level, and name it something like PowerApps Users Read
  4. Don't check any of the list permissions, and only check Open for site permissions
  5. Submit, and then add a new permission level called something like PowerApps Users View Only
  6. Check View Items under list settings. This should automatically check View Pages and Open under site permissions, but if it doesn't go ahead and do that. Then submit.
  7. Create a new permission group under your advanced site permissions
  8. Name the group something like PowerApps Users
  9. Assign PowerApps Users the PowerApps Users Read permission on the site.
  10. Go to the lists you want the users to be able to view but not access and break inheritance.
  11. Change the permissions for PowerApps Users from PowerApps Users Read to PowerApps Users View Only.
  12. Add a dummy account to the group and share the PowerApp with the dummy account, then test the following:
    • Can the dummy account view the data in the PowerApp? (Should be able to)
    • Can the dummy account access the site's URL? (Should not be able to - Access Denied)
    • Can the dummy account access the list's URL or any views? (Should not be able to - Access Denied)
  13. If you don't see the Access Denied message on a list, go into the list permission settings and delete the PowerApps Users group.
  14. Click the grant permissions button and then enter the group name PowerApps Users.
  15. Click Show Options, uncheck send invite email, and then choose the PowerApps Users View Only Permission.
  16. Click Share, then run through the tests on step 12 again.

This seemed to work for me. I didn't have to remove any attachments or modify the list at all. The URLs are now properly hidden behind Access Denied messages! 

Hi @CameronWilliams  and @cwebb365 

 

I tested the options above, but there is a security point that is not functional.

Users who have access to the list are able to consume the list through a Power Automate Flow and a Power Apps App through their account using the Site link.

Any solution for this security point?

 

Thanks,

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Summer of Solutions | Week 4 Results | Winners will be posted on July 24th

We are excited to announce the Summer of Solutions Challenge!   This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions in the Forums to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Community MembersNumber of SolutionsSuper UsersNumber of Solutions @anandm08  23 @WarrenBelz  31 @DBO_DV  10 @Amik  19 AmínAA 6 @mmbr1606  12 @rzuber  4 @happyume  7 @Giraldoj  3@ANB 6 (tie)   @SpongYe  6 (tie)     Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Community MembersSolutionsSuper UsersSolutions @anandm08  10@WarrenBelz 25 @DBO_DV  6@mmbr1606 14 @AmínAA 4 @Amik  12 @royg  3 @ANB  10 @AllanDeCastro  2 @SunilPashikanti  5 @Michaelfp  2 @FLMike  5 @eduardo_izzo  2   Meekou 2   @rzuber  2   @Velegandla  2     @PowerPlatform-P  2   @Micaiah  2     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Week 3:Community MembersSolutionsSuper UsersSolutionsPower Apps anandm0861WarrenBelz86DBO_DV25Amik66Michaelfp13mmbr160647Giraldoj13FLMike31AmínAA13SpongYe27     Week 4 Results: Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Week 4:Community MembersSolutionsSuper UsersSolutionsPower Apps DBO-DV21WarranBelz26Giraldoj7mmbr160618Muzammmil_0695067Amik14samfawzi_acml6FLMike12tzuber6ANB8   SunilPashikanti8

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Users online (2,285)