I am currently working on a project where I am using a powerapp to modify and read share point list entries.
However the issue is that everybody that wants to use this powerapp has to have full access to the share point list.
Up until this point I thought that my setup connection would be used however I was wrong which is quite annoying.
I basically would like to control who can edit, view entries etc. in the powerapp itself. So for example there are people with specific roles in Azure that can edit and view any entry and there are people who can only view themselves and some who can only edit themselves and people below them. This is all managed by the powerapp.
Is there any way to restrict the permissions to the powerapp/share my connection with everyone else that opens up the powerapp? In the end I do not want anybody without admin like permission to edit or view the sharepoint list directly. I know you can restrict role access to a share point list but this would not allow all those different permission levels as in the powerapp itself.
Do flows work on the same principal or could I at least create a flow that manages the edit related actions on the sharepoint list instead and then give everyone else only read access to the list? Basically do flows use my setup connection or the user's whoever triggers them in the powerapp?
Or is the only way I could achieve this a SQL like Connection because as far as I know the SQL Connection is obviously limited to my setup and thus the powerapp does not ask everyone who uses it to setup a connection right?
PowerApps isn't designed to be a security layer. It simply reflects the security applied in the datasource itself. So to implement the model you are sugesting you would need to change the item level permissions on each item in the list to apply the restrictions you are specifying. A PowerApp runs in the security context of the user running the app. So if the user doesn't have permission to the list or an item in the list then they won't see that item. Flows that are started by a button in PowerApps work the same way. Flows started by a trigger run in the context of the person who authored the Flow.
The SQL connector does use a connection account and all users of the App will have the permissions of that connection account.
Thank you for that quick answer.
However Item Level permission inside Sharepoint lists do not allow for any advanced logic right?
Is there a way to apply those permissions from inside the PowerApp? Which would make it much easier.
So let's say I have a flow that adds or changes an element in my sharepoint list. The parameters are passed through powerapps and the flow is of course also triggered by the app. What permissions/connection would the end user need when clicking the button/opening the app itself? Would that be a solution to restrict access/write permission the list? So basically I do not have to give each user different permission in the app but simply disable the button that triggers the flow?
Regarding SQL: The connection however cannot be abused right? So a user has no way to use the connection to send custom requests to the SQL server and is limited by the code behind the powerapp if I understand that correctly?
Using HTTP REST calls inside a PowerApp you can modify the item level permissions in a SharePoint list, but you are right the permissions are the permissions and there is no logic involved. Here's the documentation on how to set item level permissions using REST. https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/set-custom-permissions-on-a-list-by-using...
Flows started by a button in a PowerApp run in the context of the user who pressed the button. So the user will need the permissions necessary to complete the actions in the Flow. Disabling the button in the App would keep the user from using the App to do what the Flow does. But if they have permission they can access the SharePoint list and do the action directly.
Regarding SQL: The problem is that once the conneciton is created a user can create their own PowerApp and re-use that connection. At that point they can do anything in SQL that the connection account allows.
Thanks yet again for the detailed answer.
So how is the powerapp creator intended to add security to his powerapp/even the layer behind it? I mean even when using a SQL connection there seems to be no way to make it secure. Because lets say you have different roles that are supposed to have different access rights. If they can use the SQL connection however they want to and I cannot dynamically create a SQL connection based on the user how am I supposed to add different access roles to my powerapp? Is there no way to do this? Creating different powerapps and simply copy pasting the interface might work but that is kinda tedious.
So a directly triggered flow is no solution either. When making REST calls it probably also uses the permission of the user and thus it makes no sense to do it that way right? So basically what is going on is: Let's say some users can edit 5 out of 100 entries. And some can edit 5 different entries and some can edit all of them in the app. Now those entries aren't existing yet but created on the go. Would I need to create them in advance and then using my all powerfull connection I could assign the different access permissions to the different users and entries using a button in the app with code?
What about creating a seperate list that everybody has access to and then a final list is "cloned" by an automatically triggered flow? This way I could deny access to the final list right? Is there a way to limit access to a certain column to only a specific user/group (so I could create a field that when set to true by an authorized user will trigger the automatic flow for said column)?. In general is the only user based permission or also group based permission for list entries?
As I mentioned in my First post, PowerApps and Flow are not designed to provide a security layer. Security is managed directly in the data source itself. If a user doesn't have permission in the data source then they won't have permission in PowerApps and Flow.
The closest you can come is to use HTTP Rest calls to change the item level permission when an item is created in the PowerApp. If permission is changed when the item is created to restrict access to a specific user or group then other users/groups won't even see that item in the data source or in SharePoint itself. But the permissions are maintained in the SharePoint list/item, not in PowerApps.
I know that PowerApps is not meant to add a security layer but this makes me wonder how I am supposed to add a security layer even inside the backend of my data source for multiple roles? For example for SQL the user that I specify for database access cannot be switched per powerapps user which means everyone still has the same permission. I cannot add a role based backend to anything as far as I can see. And when it comes to share point it might be worth a try to play around with its permission system.
WARNING: Powerapps Rant
Thanks for your help, you are not to blame for the issues I mentioned but it's quite frustrating because I expected much more from this. If anyone else has a solution feel free to post about it.
I'm sorry you are disappointed with the product. I actually find it a very useful tool when used within the confines of the way it was designed.
Watch Microsoft Business Applications Summit sessions on-demand.
Features releasing from April 2020 through September 2020