So you made a PowerApp...
You are the local Microsoft 365 Power User on your team. You can easily whip up powerful solutions to solve complex business problems using your arsenal of tools: SharePoint lists, PowerApps, Power Automate and, of course, Excel. But are your solutions secure?
You’ve developed a Vacation Requests PowerApp that uses SharePoint lists as a data source:
- Vacation Requests (Custom SharePoint List), stores all employee leave requests
- Approval Tasks (SharePoint Task List), stores all approval tasks assigned as part of each leave request
The following business rules exist in your PowerApp:
- Each employee has the ability to see other employees’ vacation requests.
- Each employee can modify their request if it hasn’t been approved.
But there's a potential risk
What’s preventing an employee from creating their own PowerApp that connects to the same SharePoint lists as data sources, and accidentally changing the data?
Your SharePoint lists have the following permissions in place:
- Vacation Requests, all employees have the Contribute permission level (can add/edit list items)
- Approval Tasks, all employees have the Contribute permission level (can add/edit list items)
Your PowerApp has logic to prevent employees from editing their own approved requests, but anyone who creates their own PowerApp already has the permissions needed to manipulate the same SharePoint list data, without being held back by any of your business rules (e.g. modifying requests after they're already approved, modifying another employee's request, setting their own requests as approved, etc.).
We could reduce the permissions that each employee has on each list, but that could jeopardize required business functionality. So can the robustness of the solution's security be increased without making the solution overly complicated?
How can we prevent this?
There are multiple ways to address this scenario, with varying degrees of robustness. The method described here is a simple one that may help to prevent similar undesired scenarios.
To get started, you’ll need to have a few things handy:
- “Manage Lists” permission in the SharePoint Online site where your list is located
- Access to SharePoint Designer OR PowerShell
If you don’t have these, check with your Administrator and see if they can help.
Ways to hide lists in SharePoint
If your lists don't appear when someone connects to SharePoint through PowerApps, it becomes that much more difficult to connect to them and use them as data sources. Once your SharePoint lists are set to Hidden, a user must know the names of the lists to be able to use them as data sources in both PowerApps and Power Automate.
To hide your SharePoint lists:
Method 1: Open Windows PowerShell ISE
Method 2: Connect to your site in SharePoint Designer; your list settings have the “Hide from browser” setting.
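For Method 1, one way to hide both lists and confirm the result is sketched below. This is an added example, not a script from the original post: it assumes the PnP.PowerShell module is installed, and the site URL is a placeholder. Because hiding does not change permissions, it also reports whether each list has its own permissions or still inherits them from the site.

```powershell
# Added example (not from the original article).
# Assumes: PnP.PowerShell is installed and you hold "Manage Lists" on the site.
$SiteUrl   = 'https://contoso.sharepoint.com/sites/hr'   # placeholder site URL
$ListNames = 'Vacation Requests', 'Approval Tasks'       # the two lists from this article

# Sign-in options depend on your tenant; recent module versions also expect -ClientId.
Connect-PnPOnline -Url $SiteUrl -Interactive

$report = foreach ($name in $ListNames) {
    $list = Get-PnPList -Identity $name
    if (-not $list) {
        Write-Warning "List '$name' was not found on $SiteUrl; skipping."
        continue
    }

    # Only write when a change is needed, so re-running the script is harmless.
    if (-not $list.Hidden) {
        Set-PnPList -Identity $name -Hidden $true | Out-Null
    }

    # Re-read the list so the report shows the stored state, not the intended one.
    $after = Get-PnPList -Identity $name -Includes HasUniqueRoleAssignments

    [pscustomobject]@{
        List              = $after.Title
        Hidden            = $after.Hidden
        # False means the list still inherits the site's permissions.
        UniquePermissions = $after.HasUniqueRoleAssignments
    }
}

$report | Format-Table -AutoSize

# To reverse the change later:
#   Set-PnPList -Identity 'Vacation Requests' -Hidden $false
```

A hidden list keeps whatever permission levels it had before, so the Contribute access described earlier still applies to anyone who knows the list name.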
While solutions like these can help to incrementally increase the security of your Power Platform solutions, it is always recommended to plan and implement a robust governance plan surrounding the creation, use, and administration of your PowerApps and Power Automate environments. At Blueshift, we work with clients to establish a model that enables true Citizen Developers to contribute to the organization through the use of the Power Platform, while maintaining the security and integrity of your critical business data.