cancel
Showing results for 
Search instead for 
Did you mean: 

Removing user ability to access data source without using the app

Problem:

One of the biggest issues in PowerApps right now is that we cannot protect our data. If we connect any data source to PowerApps (Excel, SharePoint List, SQL Server Connection) it has to be shared with all users for them to be able to use the app.

This creates a problem where user has access directly to data source and can bypass the app to do direct modifications to the data source as well as see information not meant to be seen by them. If your app was built to limit users access to some data, for example:

  1. Showing users only their vacation requests and hiding other user vacations
  2. Showing user only their travel request and hiding other user travels

That means that all users can see all data as well as they can modify it without any trace.

 

In case of Excel file on OneDrive we need to give users access to this file, that means that user can just go on OneDrive and find the excel file and edit it.

In case of SharePoint List, that means that user needs to have Edit rights to that list and can just find it on the SharePoint Site and go in and edit.

In case of SQL Server Connection, that means that user can open PowerApps, click create new app, open Data Sources and the shared SQL connection will be there and he can connect to it. This will allow the user to see all tables in that SQL connection with edit rights.

 

Idea:

I believe the best way to fix it, and this will allow PowerApps to become truly powerful tool to replace most of organization applications is to give the App itself write rights to the Excel sheets, SharePoint lists or SQL Connection and not the user. This way the user will have no access to the files, SharePoint List or SQL Connection and the only way to interact with data will be through the App.

Status: Under Review
Comments
Level: Powered On

If only Microsoft spelt that out when I was learning to use PowerApps I and a colleague would have avoided wasting a good few weeks work. 

This has put me off using PowerApps full stop.

 

Not impressed Microsoft !!!

 

Level: Powered On

@aabrinyour solution is exactly what I would expect.  I create a connection, and I chose the app that can use the connection.... not 'Hey Everybody here's a cool app for you to use, and oh by the way feel free to use my data for anything else you want, because the keys to the castle are right here for you'

Level: Powered On

Great points, We need this soon, please.

Level: Powered On

This feature is needed. I am running into this issue as well with sensitive HR information stored in SharePoint.

Nyk
Level: Powered On

I am in the same boat as many of you. I made this app that took me a couple of weeks, only to find out that I need to share the private information with all of the employees. PLEASE FIX THIS.

Level: Powered On

This is essentially the same issue as https://powerusers.microsoft.com/t5/PowerApps-Ideas/Making-SQL-Connector-Secure/idc-p/302124, strongly recommend everyone go vote for that as well so this gets traction.

Level: Powered On

Well i found this out by surprise and honestly this is an EXTREMELY serious data security flaw that cannot be acceptable at all. Microsoft must plug this gap urgently because increasingly there are apps that are used organization wide and having full organization able to access an SQL somehow is very dangerous.

Level: Power Up

Wow. Given how Microsoft rebranded the Power Platform I would have though security issues like this would be buttoned up. I’m glad I found this before venturing down this path to create an app for purposely accessing SQL Server tables. 

 

Is is there any timeline on this fix?

CP9
Level: Power Up

Any updates on this??????????

or is there a way to hide the CDS?

Level: Powered On

Same exact situation here. Tremendous potential, but allowing users to see the data source is completely unacceptable.  This will kill our efforts immediately.

 

we are using a sp list to store the data in our app, but we only want the users to use the app to submit data to the list and not be able to edit directly or see other users data.  

 

can someone post some of the work arounds?  

What about using a flow to elevate permission to admin to write data from powerapps to the list.  Then only admin would need rights and users would never even see it?