Securing SharePoint Lists in Power Apps: Strategies to Protect Your Data Integrity

The automation Cycle

When you use SharePoint lists as the data source in Power Apps, users need access to the underlying data to use the app. Typically you would share the SharePoint site with the user to grant the access required, but this opens the door to users going to the data source directly and changing the list without using the app, which can cause problems with data accuracy, duplication, auditing and many other factors.

Below we cover ways to use tricks, set permissions, or hide the list so that users do not access the data source directly. We break this down into several ideas; you can combine some of them to secure the list even further.

1. Create a calendar view that shows nothing and make it the default view. In addition, remove the list from the navigation, and remove the Site contents button from the navigation as well.

2. Hide all columns, create a new view with a filter condition that never returns results, and set this view as the default view. For example, filter a status column for values equal to 1 when you know no item will ever have that value.

3. Turn off indexing on the list. Go to List settings, then Advanced settings, find the Search section and change the value from Yes to No. Then scroll to the bottom of the same Advanced settings screen and set Automatic Index Management to No.


4. You can remove view permissions and grant only add permissions. To do this, create a new permission level (Site Settings, Site Permissions, Permission Levels, then add new). Once it is created, remove inherited permissions from the list, grant the newly created permission level and assign a group or members to it. It is also a good idea to grant access through a Microsoft security group for easier control over access management (if you have access to Microsoft Active Directory/Entra).

5. Use PowerShell to completely hide the list from the site contents:

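# Replace both placeholders with your own values
$listName = "YOUR LIST NAME"
$site = "https://Your SharePoint Site address/"

# Sign in to the site with the PnP PowerShell module
Connect-PnPOnline -Url $site -UseWebLogin

# Hide the list from the Site contents page (permissions are unchanged)
Set-PnPList -Identity $listName -Hidden $true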

  • Create the lists in a private Teams channel/SharePoint site that only you or other app admins have access to. Then remove inherited permissions on the lists in advanced permissions and add a security group to the list that grants direct access. Add the app's users to that group in Active Directory.

  • Depending on the app requirements, you could use a different data source such as MS SQL or Dataverse for greater control over permissions to the data source.

  • Consider using a Power Automate flow that brings data into Power Apps and writes to the SharePoint list using your service account credentials. This way users only need access to the app and do not need access to the SharePoint lists. This option can have unintended consequences for app performance, data write delays, errors with file writes due to time delay, and offline working, so it is not recommended.

6. Another method for setting permissions on the list is the Item-level Permissions section in the SharePoint list Advanced Settings. You can set it so that users can read all items or only items they created, and so that they can edit only their own items. A mixture of these settings might answer your security needs when using SharePoint as a data source for Power Apps.
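The list-level settings from steps 3, 5 and 6 can be applied and then checked in one script. This is an added example, not part of the original post: it assumes the PnP PowerShell module and the same placeholder site and list name as the snippet above, it picks "own items only" for step 6 as one possible choice, and it leaves Automatic Index Management to the settings page.

```powershell
# Added example. Placeholders: replace with your own site and list name.
$site     = 'https://Your SharePoint Site address/'
$listName = 'YOUR LIST NAME'

Connect-PnPOnline -Url $site -UseWebLogin

# Apply the settings through the list's CSOM properties.
$list = Get-PnPList -Identity $listName -ThrowExceptionIfListNotFound
$list.Hidden        = $true   # step 5: hide from Site contents
$list.NoCrawl       = $true   # step 3: keep items out of search results
$list.ReadSecurity  = 2       # step 6: 1 = read all items, 2 = only items the user created
$list.WriteSecurity = 2       # step 6: 1 = edit all, 2 = only own items, 4 = none
$list.Update()
Invoke-PnPQuery

# Read the values back from the server instead of trusting the local object.
$list = Get-PnPList -Identity $listName `
    -Includes Hidden, NoCrawl, ReadSecurity, WriteSecurity, HasUniqueRoleAssignments

$checks = [ordered]@{
    'Hidden from Site contents (step 5)'     = $list.Hidden
    'Excluded from search (step 3)'          = $list.NoCrawl
    'Read limited to own items (step 6)'     = ($list.ReadSecurity -eq 2)
    'Edit limited to own items (step 6)'     = ($list.WriteSecurity -eq 2)
    # Hiding and search exclusion do not restrict access. Only this check
    # tells you the list no longer inherits the site's permissions (step 4).
    'Permissions not inherited (step 4)'     = $list.HasUniqueRoleAssignments
}

# One row per check; any row with Pass = False still needs attention.
foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
}
```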

Use Power Automate to restrict item-level permissions.

Create a new automated cloud flow, with the trigger set to when an item is created.

When adding recipients, ensure you have a ";" between recipients if there is more than one.

Set permissions on the SharePoint item so that only the user who created it and that user's manager can see the data (along with users who have Full Control permissions on the list).
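A check to run alongside the flow, as an added example that is not part of the original post: it reports items that still inherit the list's permissions (items the flow has not processed) and, for the rest, who holds access. It assumes the PnP PowerShell module and the placeholder site and list name used earlier on this page.

```powershell
# Added example. Placeholders: replace with your own site and list name.
$site     = 'https://Your SharePoint Site address/'
$listName = 'YOUR LIST NAME'

Connect-PnPOnline -Url $site -UseWebLogin

$report = foreach ($item in Get-PnPListItem -List $listName -PageSize 500) {
    # True once the item has its own permissions, i.e. the flow has run on it.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments

    $principals = @()
    if ($unique) {
        $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
        foreach ($ra in $assignments) {
            # Load who the assignment is for and which permission levels it carries.
            Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
            $roles = $ra.RoleDefinitionBindings.Name -join '/'
            $principals += '{0} ({1})' -f $ra.Member.Title, $roles
        }
    }

    [pscustomobject]@{
        Id         = $item.Id
        CreatedBy  = $item['Author'].LookupValue
        Inherits   = -not $unique
        Principals = $principals -join '; '
    }
}

# Items the flow missed: still readable by everyone with access to the list.
$report | Where-Object Inherits | Format-Table Id, CreatedBy

# Items with their own permissions: expect the creator, the manager and
# Full Control holders only. Anything else is worth a closer look.
$report | Where-Object { -not $_.Inherits } | Format-Table Id, CreatedBy, Principals -Wrap
```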

If you would like to see how to set permissions using the HTTP connector and how to move items to other folders based on conditions using Power Automate, then we recommend watching Reza’s video on this here:

https://www.youtube.com/watch?v=EJyZfYMi4n0

Conclusion

While SharePoint might not be the optimal choice for safeguarding data in Power Apps, its widespread usage underscores the importance of comprehending various strategies to secure or conceal information effectively. We explored numerous techniques for data concealment and introduced a method for setting item-level permissions.

However, the crucial lesson regarding permissions in SharePoint lists is to prioritise their consideration during the data model design phase. Don’t overlook or sideline the design of the permissions structure; ensure it is discussed and well established early in the data design phase.
