Unanswered

Powerapps and Sharepoint Online Permissions

(3) Share

Report

Posted on by Community Power Pla...

Hello,

I created a PowerApp with a Sharepoint custom list as the data source. I granted all 315 users of the app "Site Member" status (R/W/E).

Problem:

The PowerApp has a LOT of validation in place (no blanks, min char counts for comments, etc.)
The Sharepoint URL leaked out and users have been creating new records DIRECTLY in the Sharepoint list instead of using the PowerApp
This has resulted in many partial records that make reporting impossible.

Question:

How can I grant the correct permissions to allow users access to the Custom List but NOT give them permission to edit the Sharepoint list directly if they have the URL?

Thank you

Categories:

Building Power Apps

I have the same question (0)

All responses (49)

Answers (1)

Jeff_Thorpe 6,085 Super User 2024 Season 1 on at

Like (5)

Report

If you are using a SharePoint custom list as a backend to a stand alone PowerApps app then I am not aware on any way to block them from accessing the SharePoint list because the PowerApps/SharePoint intergration requires the user to have access.

I would recommend creating a PowerApps custom form in the SharePoint library. Then give the users contribute access to the list to prevent any user from changing your PowerApps custom form. After that go into the List Settings page and click on Advance Settings and set the "Quick property editing" to "No". This prevents users from bypassing your custom form and adding or changing items in the quick edit view or the details pane.

Was this reply helpful? Yes No
Community Power Pla... on at

Like (8)

Report

Hi @Jeff_Thorpe, Thanks for the response.

This is indeed a stand alone PowerApp with SP List as a back end.

Unfortunately, creating a PowerApps custom form in the Sharepoint Library would necessitate developing another "app" then supporting two versions of the same. I can't go there with this particular project. \

Hm. Bummer. Would be nice to have the ability to control access to the "back end" of the app. I think whats missing is the concept of an APP ID between stand alone PowerApps and Sharepoint lists.

Ideally, I would control USER access to the PowerApp via AD Security Groups, then control APP access to the Sharepoint list with an App ID. Then only the APP has read/write/delete/etc. permissions on the list, not individual USERS.

Was this reply helpful? Yes No
Community Power Pla... on at

Like (4)

Report
Aha! Our AWESOME internal Sharepoint Admin showed me a method that just might work. I'll line it out here before I try it:

Permission groups:
Site Owners
Site Members (PowerApps USERS)
List Permissions:
Site Members (full Read/Write access to the list)
How to prevent PowerApps users from editing a Sharepoint List:
Edit the Sharepoint List Web Part
Select Target Audience:
Groups/Site Owners
Add another Web Part with a custom message (like: "Keep your hands off this list!")
Select Target Audience:
Groups/Site Members
What should happen is that PowerApps USERS with the SP List URL will be presented with the custom message. Site Owners will get to see the List itself and make edits/etc.

I'll try to implement this (next week) and report back.

Was this reply helpful? Yes No
v-xida-msft on at

Like (0)

Report

Hi @ericonline,

Do you want to assign all 315 users of your app access permission rather than edit permisson to the SP list?

Have you solved your problem?

If you only want to assign all 315 users of your app access permission rather than edit permission to your SP list, you could consider take a try to assign "Site Visitors" permission (Read-Only) to them.

More details about assigning "Site Visitors" permission to SP list, please check the following gif image:

In addition, I also agree with the solution that you provided. If the issue is solved on your side, please go ahead and click “Accept as Solution” so that this thread will be marked for other users to easily identify.

Best regards,

Kris

Was this reply helpful? Yes No
Community Power Pla... on at

Like (0)

Report
Hi @v-xida-msft.

RE: Do you want to assign all 315 users of your app access permission rather than edit permisson to the SP list?
I'm unable to do this because the PowerApp will throw errors.
Users must have Edit perms on the List in order to submit results from the PowerApp
RE: Have you solved your problem?
Almost. I can't seem to find a way to apply Target Audiences to the "New Experience" Custom Lists
All the documentation I've been able to find only shows how to apply Target Audiences to "Classis Experience" Web Parts
RE: If you only want to assign all 315 users of your app access permission rather than edit permission to your SP list, you could consider take a try to assign "Site Visitors" permission (Read-Only) to them.
In my case, this will not work.
Since the List is the Data Source for the PowerApp, users need Site Member permissions and List Edit permissions.
I just want to "hide" the List from their View/Interaction if they visit the List URL directly.
When I find the solution, I will post it back. Thanks for your input.

Was this reply helpful? Yes No
panand99 641 on at

Like (0)

Report

Hi,
You can simply hide 'New Item' link and Top level navigation from your SP list by using JavaScript to be added on your webpart.

or by using toolbar properties

Was this reply helpful? Yes No
Verified answer

Akinlaw 29 on at

Like (11)

Report

Here’s how I did it...
In your list give everyone vistior acces so they can see the data but not edit. Create a field for field structural copy of the list name it something like temp-list. Give everyone write access to this list. In your power app, pull the record from the original list. Base your update form on the temp-list. Create a flow using a user That has enough privilege to write to the original list. Attach it to the temp list and have it update the original list with the new data then delete the new data from the temp list. You must trigger the flow from the temp list create or update trigger and not directly from the flow. Auto triggered flows will use the elevated permissions of the flow creator.

Was this reply helpful? Yes No
mbrocchi1 110 on at

Like (5)

Report

I have posted a video that demonstrates adjusting List item permissions based from PowerApps / Flow that I think will be useful -

SharePoint Item Level Security in PowerApps and Flow

Hopefully it helps!

Was this reply helpful? Yes No
simb55 88 on at

Like (0)

Report

This will not solve the problem, tho.
If the link for the original list leaked, it is as well possible, that the link to your temp lists will soon be known to your coworkers.
So they just go ahead and make changes to the temp lists which will then duplicate to the original data source.

ericonline wrote:
Here’s how I did it...
In your list give everyone vistior acces so they can see the data but not edit. Create a field for field structural copy of the list name it something like temp-list. Give everyone write access to this list. In your power app, pull the record from the original list. Base your update form on the temp-list. Create a flow using a user That has enough privilege to write to the original list. Attach it to the temp list and have it update the original list with the new data then delete the new data from the temp list. You must trigger the flow from the temp list create or update trigger and not directly from the flow. Auto triggered flows will use the elevated permissions of the flow creator.

This would be a nice approach for this problem.

Was this reply helpful? Yes No
simb55 88 on at

Like (1)

Report

But this means, that you embedded your SharePoint List in a List Webpart on a SharePoint Site, is that correct?
In this case, users could still find out the direct URL to you SharePoint List, where the layout and design of the List Webpart are not applied. So with a link like this http://mySharePoint.com/sites/mySiteName/lists/myListName there would still be a way to reach the data source.

I don't think there is any good solution for this right now.

Was this reply helpful? Yes No