Power Apps SharePoint List Security | Item Level Permissions & Folder Security with Power Automate
- Published: 26 Jun 2024
- In this video we will explore the security & permissions needed to work with SharePoint as a data source for your Power Apps.
We will set item level permissions using a simple setting in SharePoint lists, we will create custom item level security using Power Automate flows, break permissions, grant permissions, reset role inheritance and more.
This is true security of data in SharePoint which PowerApps will respect.
This video includes both Power Apps & Power Automate to set up and lock down access to your SharePoint data.
✅ How do SharePoint permissions work with Power Apps?
✅ Working with 🔒 item level permissions in Power Apps.
✅ Set custom Item level permissions via Power Automate flows based on conditions.
✅ Flow to move item to specific folders dynamically & inherit folder security.
🔗 Blog Link - Power Automate - How to move SharePoint Online list items to folders
michelcarlo.com/2019/03/04/mi...
⬇️ Download flows to set permissions, break permissions & more:
github.com/rdorrani/Microsoft...
Code for Trigger Condition:
@equals(triggerOutputs()?['body/Progress/Value'],'Completed')
Flow Approvals:
• Flow Approvals Cookbook
Dynamic approvers Power Automate:
• Dynamic Approvers & lo...
SharePoint item level / folder level permission limits:
support.microsoft.com/en-us/o...
docs.microsoft.com/en-us/offi...
Flow Trigger Conditions:
• Flow trigger conditions
Table of Contents:
00:00 - Introduction
00:34 - Create a Power App from SharePoint List
02:49 - Share Power App with Users
03:23 - Does user need SharePoint Permissions for Power Apps?
06:12 - Grant access to users (Edit, Read permissions) on SharePoint (Owners, Members Groups)
07:34 - Audience Targeting Vs Security of SharePoint data in Power Apps
09:25 - Item Level Permissions List / Library setting (Read data created by user & edit data created by user)
13:07 - Owners Group has full control (No Item Level Permissions)
13:59 - Set Custom Item Level Permissions to list items via Power Automate flow
15:06 - Create flow to set row security / list item permissions
21:56 - Flow Set List Item Permissions based on Conditions
22:35 - Set Folder Security
24:31 - Create flow to Move Items and Reset Role Inheritance (Folder Security)
33:12 - Subscribe to Reza Dorrani channel
#PowerApps #SharePoint #Permissions #Security
🤝 Let’s connect on social:
🔗 LinkedIn: / rezadorrani
🐦 Twitter: / rezadorrani
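The inheritance behaviour the description relies on (break, grant, reset, and a folder acting as a single scope), sketched as an added Python model; it is not the video's flows or SharePoint's own code, and the list, folder and user names are constructed. It assumes a move leaves an item's unique scope in place until inheritance is reset, and it does not model group membership or site owners.

```python
# Added illustration, not code from the video or its download.
# Simplified model; group membership and site owners are not modelled.
ROLE_ALLOWS = {"Read": {"read"}, "Edit": {"read", "edit"}}


class Securable:
    """A list, folder or item. It follows its parent's role assignments
    until inheritance is broken, which gives it a unique permission scope."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        # None means "inheriting"; the top-level list always has its own scope.
        self.unique = {} if parent is None else None
        if parent is not None:
            parent.children.append(self)

    def effective(self):
        node = self
        while node.unique is None:      # walk up to the nearest unique scope
            node = node.parent
        return node.unique

    def break_inheritance(self, copy_parent=False):
        self.unique = dict(self.effective()) if copy_parent else {}

    def grant(self, principal, role):
        if self.unique is None:
            raise PermissionError(f"{self.name}: break inheritance first")
        self.unique[principal] = role

    def reset_inheritance(self):
        if self.parent is not None:     # discard unique grants, follow parent
            self.unique = None

    def move_to(self, folder):
        self.parent.children.remove(self)
        self.parent = folder
        folder.children.append(self)

    def can(self, principal, action):
        role = self.effective().get(principal)
        return role is not None and action in ROLE_ALLOWS[role]


def unique_scopes(node):
    """Count folders and items below `node` that carry their own scope."""
    return sum((c.unique is not None) + unique_scopes(c) for c in node.children)


def demo():
    tasks = Securable("Tasks")                  # constructed list
    tasks.grant("Members", "Edit")
    completed = Securable("Completed", tasks)   # folder with its own scope
    completed.break_inheritance()
    completed.grant("Members", "Read")          # finished work is read-only
    items = {}
    for author in ("alice", "bob", "carol"):
        item = Securable(f"task-{author}", tasks)
        item.break_inheritance()                # item-level: author only
        item.grant(author, "Edit")
        items[author] = item
    result = {"scopes_before": unique_scopes(tasks),
              "bob_reads_alice_item": items["alice"].can("bob", "read")}
    # Assumption: moving alone keeps the item's unique scope; the reset is
    # what makes it follow the folder.
    items["alice"].move_to(completed)
    result["alice_edits_after_move_only"] = items["alice"].can("alice", "edit")
    items["alice"].reset_inheritance()
    for author in ("bob", "carol"):
        items[author].move_to(completed)
        items[author].reset_inheritance()
    result["scopes_after"] = unique_scopes(tasks)
    result["alice_edits_after_reset"] = items["alice"].can("alice", "edit")
    result["members_read_after_reset"] = items["alice"].can("Members", "read")
    return result
```

Calling `demo()` shows the scope count dropping from one per item plus the folder to the folder alone once the items are moved and reset.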
Great stuff Reza - Plenty of new tricks on item security and that item move nugget, wasn't aware of that one - thanks, have bookmarked Michel's blog!
Loads to consider for a current build - Many thanks 🙏
Awesome! Thanks Gerard.
You cannot even imagine how useful your tutorials are for my current project :) Thanks a lot
Happy to hear that and thanks for the appreciation.
I too was about to abandon an approach until I saw this video; it was precisely on point. Thank you so much!
There is always a way out :)
You did it again Reza... you bailed my ass out again with a solution that cut my development in half and resolved an issue I made complicated. Thanks!!!
Most welcome and glad to hear the video is helpful.
Impressive! So many of my doubts answered in a half an hour video. Thank you so much!
Glad it was helpful!
So concise and precise.
You really are a master of the subject matter.
Thank you for this.
Most welcome
Hi Reza, Thanks for the video! learnt plenty of new stuff on item level permissions. This is what excites me about your videos every week (fundamentals to advance level concepts covered). Thanks again, have great week ahead.
Awesome! Thanks Pawan.
I hope to keep the momentum going. I’m trying to mix it up with a variety of topics. Let’s see how it goes.
And here I was thinking I know everything about SP Lists... Thank you Reza!
Honestly, even I learned a lot while making this video.
Reza still a legend! I like how it covers the majority of use case scenarios. Great job!
Thanks so much! This is one of my fav videos :)
Reza you just keep churning out amazing things. Definitely reached Power Apps Rockstar status. Thank you!
Great to hear! Thanks for watching.
Reza - you are a true master. Another great video which provides solutions to what I’m trying to achieve in my work place.
Thanks for your continued work on this content! Many people owe you a lot; including myself.
Thank You Simon!
Such a fantastic description. Great stuff, thank you!
Thanks Marc
Reza, you are brilliant!!! Thank you for all the free videos you create for us. This has helped me get an app done.
Glad to hear that! Thanks for watching.
Brother you are that "Indian" guy who can explain and concise the entire universe into one small cube! It's so easy to understand and the flow is perfect, thank you so much.
You are most welcome
Thank you Reza. Very well explained. The way you explained the Permission change was an eye opener for me.
You're very welcome. Thank You for watching.
Understood so much from this!! My basics have improved now thank you so much!!
Most welcome
True security is key when you don't want to have all the data accessible. Working with personal data, I've been wanting to grasp how to truly secure data and this video helped outline ways to do it!
Happy to hear that! Thanks Chris
Awesome job as always Reza. Thanks for putting all those techniques together in one place. So many people miss the security part.
It is a pity Microsoft make us jump through hoops to do some of these basic security functions through the http action. I had that debate with the PM at the time but they wanted to keep permissions actions simple and not get into using SharePoint groups etc.
Thanks Phil.
I agree 100% with your comment.
Thank you Brother! Everything in your channel amazing! Salaam from Turkey.
Thank You and welcome to my channel.
Great insight! Your video is just what I'm looking for. Thank you!!
Awesome! Thanks
Thanks again for an amazing video Reza. This is exactly what I was looking for (after I almost gave up). Your videos make me realise how much more I have to learn!😀
Glad to hear it!
This is such a help. I work in education and it can be tricky creating apps when you have to worry about clever students discovering the back end SharePoint.
One thing I noticed, If you select a view in the first step, (When an item is created > Limit Columns by View), you must make sure the 'Created By' field is included in that view otherwise Power Automate will not display that as an option in the 'search dynamic content' options.
As always, thank you so much for your great tips and advice.
Thank You for watching and liking the video. Agree with all your points.
This is the best tutorial on this I've seen! Thanks!
I agree 😉
I was searching for this for ages... thanks
You're very welcome. Thank You for watching.
Life-changing, show-stopping, Bravo
Thanks Amber
Good work Reza, one of the most awaited videos. You covered everything well. I am going to try this thing today.
Thanks Mayank
Amazing information! I have been facing difficulties with the security settings. Thank you very much.
Most welcome!
This was great! Thanks for the effort you put into these videos.
Glad you like them! Thank You for watching.
Very very useful! This is exactly what I was looking for!
Great to hear!
Thank you so much for sharing. Your content helps me every time!
You are so welcome!
Always learning new things with Reza ! 👏👏
Glad to hear that!
Thank you very much, Sir! This is what I was looking for. Really appreciate your content
You're very welcome!
I have subbed on all my 3 google accounts so I don’t miss any of your videos
Thank You!!!
Thank you Reza, This Video brought my trust back to PowerApps
Trust power apps
Hi, nice video and great explanation.
But I think you had to be clearer on two things, which could be concerning for anyone using large lists.
1. SharePoint has a limit for unique permissions, it depends on your administrator settings. But it’s around 5000 (optimal). As you reach this limit, you cannot break inheritance, nor grant access to users to list items.
2. The “Completed” folder procedure showcased in this video is a palliative to the issue mentioned above and it won’t work in large lists. The unique permissions limit works at a LIST/LIBRARY level. Hence, the “Completed” folder is also adding up to that limit in the list in general.
So final comment, as Microsoft recommends for SharePoint, you should use as few unique permissions for items as you can in lists/libraries in general.
As a workaround to this, in case item level security is a priority, the only option seems to be to keep creating libraries/lists as you get closer to this limit. For example creating a new list every quarter, month, etc.
1) 5000 item limit optimal is accurate. This is item level including folders.
2) Permission is broken only at folder level. Items within folder adhere to the parent permissions. Hence, a folder and all of its contents (list items) will count as 1 for breaking permission inheritance. Would still work well for large lists.
MSFT recommendation is around 5000 item level permissions. With 5000 folders (as an example) and 100s and 1000s of files with them, this approach would suffice.
SharePoint, I mean, Reza - you never stop surprising me! What is 'not possible' with SharePoint? This opens up so much possibility on what business solution I can offer. Great tip as always!
Thank You!
Thank you Reza. It is a great tutorial!
You are most welcome & thanks so much!
Thanks a lot for sharing these very useful insights for item level security!!
You're most welcome
I really thought I’d have to abandon my plan to use a list to allocate tasks to various individuals without them being able to see or access other people’s items - Until now! Thank you so much for this!! On to the next ‘list’ roadblock 😂
Happy to hear the video is useful. Thanks for watching
Another extremely insightful video very rich in content which is very practical and useful. Thanks for sharing.
Glad you enjoyed it! Thank You for watching.
Thanks so much! Great Video
Most welcome
Thank you Reza, this came very useful in project I was working on
Glad it helped and Thank You!
great explanation. yours is the only explanation I found useful. thanks.
Glad to hear that! Thanks for watching
Thanks for the video Reza, very interesting
Thank You for watching
Thanks a lot for creating easily understandable videos....
You're most welcome!
As always amazing stuff, very informative 👏 👏👏
Thanks a lot
You're most welcome!
Thanks for sharing!!!...as usual very nice explanation and presentation. Love to learn from your videos.🙏🙏
Thanks Bharti! Glad you like the videos.
Awesome video! Thank you so much!
You are most welcome!
Thank you Reza. A lot of good information
Most welcome
Hello Reza, very nice Video. Content is still relevant today so thanks for doing the video for the community. Best regards Aleksej
Most welcome and thanks for watching
Great stuff as usual... Thank you
You are most welcome
Great video as always
Thanks!
You are the best!
Wow! Thank You.
Very well presented... thank you
Most welcome
Reza, can't express how grateful I am for your videos, this is just another masterpiece. Thanks to you I recently finished a power apps project on my own, and one of my great concerns was SharePoint list security. Definitely I'll put these tricks into practice.
I was wondering, how does security work on Dataverse tables when using my own Teams environment? By any chance do you have a video on that topic?
Thanks again!
Awesome! Thanks so much for watching the videos and thanks for sharing.
This video saved me an absolute sh*tload of research. Thanks Reza!
You are most welcome
Brilliant, Reza
Thank You
Great Work, very Informative lots of techniques. Thank you so much for sharing.
You are most welcome
@@RezaDorrani I need help, how will I filter or hide the folder I made inside my list. It shows the folder when I use the ThisItem
@@ellimalasan6145 Check my videos on doc library. I think I may have shown it there.
Thanks!
Thank You
This is another pearl from your Reza. Please start with Dataverse Security as well. I see few comments on it as well.
Thanks. I have a few requests on Dataverse. I will need a lot more on it. I have 4-5 topics planned out currently.
💥💥Nice work Reza💥💥. I have always used a second "Archive" list and a flow to recreate the item (and delete the existing one - but as you point out, this loses the history. I did also have an audit list). Will definitely have a look at folders. Thanks
Awesome! Thanks for watching.
Move item is a neat feature indeed.
Wish there was a direct action for it in Power Automate.
excellent😇
Thanks
Great
Thanks
Nice
👍
Thank Reza, this was exactly what I was looking for!
One follow up question. Can I add user groups to an item using the flow?
Yes, but that would require the rest api actions. You would need to look into the syntax for that.
Hi Reza, Absolutely brilliant! Thank you! Can you use the flow that moves the item to the Completed folder to also move items between lists and also retain the version history and permissions (with modifications to the URLs of course)?
Thank You.
I believe move item can move between lists as well. Version history should be maintained.
Key would be to have same columns on both lists (use Content Types). If columns (names and types) do not match, you could lose data.
Thanks
👍
you look like you'll be the batman one day
🦇
Hi Reza,
Great video. Do we need a cloud flow license to grant/revoke access flow or E3 would be sufficient?
E3 would be sufficient as we are dealing with SharePoint which is a standard connector
Hey Reza, another awesome video, thanks for this.
I tried getting managers the access too, it worked. Is there a way to keep that current/dynamic? Like let's say a manager of user A has gotten access via the flow, when A's manager changes how does it update the access level?
To make it dynamic based on org changes would be extremely complex. Not an area I have explored.
This is great! What about permissions to a list item based on if their name is either in a requestor person field, a contacts multi person field, or within a specific user group?
I do not have a reference video on this scenario & would have to try it out to provide guidance. I would recommend posting your query on the forums at powerusers.microsoft.com in case someone has done something similar.
Reza, thanks for the excellent video. Could you provide guidance on the process of giving access to an O365 group or SharePoint group?
Most welcome!
I have not tried with groups but the API does support it. Best to check the documentation.
Thanks Reza.. Great video once again. Could you please share same video on Dataverse? As sometimes we share apps with outside organisation users. So what should be taken care for that case?
Dataverse security is in my backlog but very low on priority. I will need a lot more folks requesting that topic to rank it higher.
As always great content, thank you for sharing Reza. Would you mind to clarify a doubt, if I will not create a new item, I will upload a database with several fields and among them there are some that I want to use to grant access, for instance the line manager email or the HR Manager, is it possible?
I'm not sure I understood the question.
I'll take a shot at it though.
You can have a separate list of users based on categorizations (example line managers).
When item is created, via flow you can read the related list information and accordingly assign security.
Good security 🔐
👍
Hi Reza, Wonderful explanations, I love it, and kindly let me know how to do specific item level permission not for complete list for specific users, please do the needful, thanks
I do not have a video reference on that. It's possible to do that using REST API calls and more. I recommend checking on forums in case someone has done something similar powerusers.microsoft.com
Hi Reza,
thanks again for another great video. Is it possible with Power Automate to grant access to an entire SharePoint list (all items) to a single user?
Possible using rest api in flow but I do not have a video reference on it.
Great explanation, I just want to do like I want to give edit access to someone and he can interact with canvas app through power app but I want to prevent him 1) to visit that SharePoint site, Or let's say
if we can't do like first condition then I want to say like even though he visited I don't want him to edit any record from that site (site contains many lists)
User will need access in SharePoint to perform the action in flow. The SharePoint connector does not impersonate.
There is a more complicated technique which may help. Check ruclips.net/video/ts-ggDAy7IQ/видео.html
Great Information 🙏🙏
Can we do it for Document Folders as well?
Possible but I have not tried it
This is awesome stuff, fixed my first problem (using power automate for record level permissions). I do have a question though, I've followed similar steps but added a subsequent step to grant read access to the same record. My only problem is I get an error if that read value(s) is empty, which sometimes it is. Do you have a recommendation on how to incorporate a statement to skip that step if those fields are empty? I have 4 possible fields where groups/persons can be entered, but are not required.
I have not come across this issue and hence not sure. I recommend posting your issue/query with screenshots on the forums at powerusers.microsoft.com
Thank you for posting this, Reza! You solved yet another one of my Power App issues. When I share the site from the list, am I sharing everything on the site - folders, docs, etc. or just the list? I'm trying to only share the list with Power App users but it looks like when I share the site I am sharing the whole site but when I just share the list through the 'Share' button, users are not able to submit a request through the Power App. If sharing the site does share the whole site, not just the list you are on, is there a way to share just the list that will allow Power App users to use the functionality of the Power App? Thank you!
Glad to hear the video is useful!
Sharing is very much dependent upon type of site - communication or team. docs.microsoft.com/en-us/microsoft-365/community/team-site-or-communication-site
You can have cases where users only have access to list. You would need to work with security by setting permissions for groups at list/library level.
Permissions is a broad topic, not something I can cover here on chat :)
Awesome video and such a life saver really ! thanks a lot :D I just want to mention that for the Replace function to work, we need to remove the space in the new url
replace(triggerOutputs()?['body/{FullPath}'],'TerritoryAlignmentRequest/','TerritoryAlignmentRequest/Rejected/')
Thanks Shaima
Great information! What would be the trigger condition if the Assigned to user gets modified by an owner or manager so that only the owners and assigned to person can edit or view that item automatically? The created or modified trigger runs every time any changes are made to the item but I only want it to run if the Assigned to person or user is changed or created.
You would need to look into flow trigger conditions for that. I do not have a reference video on this scenario & would have to try it out to provide guidance. I would recommend posting your issue/query with screenshots on the forums at powerusers.microsoft.com
Hello Reza. Thanks for the Great Session. I have a doubt @18:01,The multi people picker column can be placed here?
Could be done.
@23:40 When using folder, I was wondering, how can you ensure that users can only view items they've created? This is very useful. Thank you for sharing.
In that case you would need to set item level permissions. Challenge with that is for large lists you would see performance degradation. There is only so much that SharePoint can do.
Super like.. only question is if I create folder structure how much flexibility I will get in terms of limitation i.e. 10K records.
I have explained that in video. All items within folder will follow same security protocol as parent. So technically I can have up to 10k folders with unique permissions.
Thanks for sharing. Is it possible to grant item-level permission access to external users through the flow?
Great question. Never tried that :)
I would say Yes.
This could be just what I’m looking for. I thought it was going to have to move my HR app over to SQL but I’m hoping that this will mean I can keep the sensitive data on an SP list.
Item level permissions works well for lists up to 5k records. Beyond that you would see performance challenges.
@@RezaDorrani Aah ok - I may end up having thousands of rows. Can SP lists be moved over to a SQL server quite easily?
@@CarFinanceSimplified I'm not familiar with that process.
Great video Reza as always!!
I had a relevant question in one of my interviews, "How would you differentiate an O365 security group owner and a Member of that group using power automate".
Still now I'm not able to find solution to this question on the internet.
Not sure to be honest. Most of the actions are to check group members only. Maybe the Graph API has something.
My Bookmark
06:24 Place in SharePoint List where we need to grant access to the user of powerApps
07:40 To give users access only to the content which was created by them (Audience Targeting)
08:50 Audience Targeting vs True security
09:30 Item Level Security through SP List
13:10 Item level Security doesn't restrict Owner's or Super Users
15:00 Breaking existing permissions on the item based on custom requirements using Power Automate
👍
Going through several of your videos in recent months as I learn to use Power Apps and Automate within our organization. I'm struggling on how to set list permissions when an approval flow is used. I really only want users (including approvers) to have view access to the Sharepoint list, but they would need create and/or edit permissions in order for their approval value to be updated in the list, correct, since it shows up as "Modified" within the list? In the video you show how to change the permissions after the fact, but I'm not sure that is quite the solution I'm looking for.
Check ruclips.net/video/ts-ggDAy7IQ/видео.html
For manually triggered flows, you can select under which account flow connections can run
Hi Reza, I found that if you uncheck "View Application Pages - View forms, views, and application pages. Enumerate lists." in the site permission levels you can set groups to stop accessing any SharePoint list on SharePoint without affecting their level of access from Power Apps.
That is because it blocks users access through SP pages only. However a smart user can get to the data via APIs.
@@RezaDorrani looks like to be more secure, apply permission at each record will be best way to go.
Hi Reza, thanks for your video. Does SharePoint support item-level permission for document library? I didn't find it in library advanced settings.
Not for libraries. You could set it using flow. I think I may have done a video on it. Check approvals playlist on my channel.
@@RezaDorrani thanks a lot.
Hello Reza, Thanks for the Great Session. My question is, can we also manage item level permission when Oracle DB as Data Source instead of SharePoint List. Could you please clarify?
I have done no work with Oracle DB. My guess would be No but it’s a guess.
Great video, thank you for sharing. Is there a way to set permissions on a column basis in case I want some information in an item to only be visible to owners?
SharePoint does not support column level permissions.
@@RezaDorrani thank you for your reply. I tested out the trigger condition setting but I have run into an issue. Once the trigger column is set to true the trigger is activated whenever I change any data in the item. What I am trying to accomplish is to grant access to certain users when with a trigger condition and for them to then be able to edit the list item, but when they do the original trigger gets triggered. Any idea how to avoid this?
@@mrjinks06 Not sure unless I try it out. I will recommend posting your issue with screenshots on the forums at powerusers.microsoft.com/
Hi Reza. Can we automate the resetting of permissions for a Sharepoint List folder?
There is a rest api endpoint to reset inheritance as well.
Very useful, thank you.
You're welcome!
This is helping me so much learning Power apps from the very beginning and diving deep into different topics.
One question i did not find so far: Is it possible, somehow, to give item level permission based on the value of a column in a related table?
Example: Tasks and Projects. Two different tables and I want to give only access to tasks to people, which have the permission to see the project in the other table. E.g. just the project members. Is this possible?
Possible. You would need to query for items in related table and then loop through those items and assign permissions one by one. Would be a bit complex.
@@RezaDorrani Thanks for answering. Even the chance that it could be possible will let me search the solution!
Hi Reza great video, just wanted to know through your expertise if this would apply to my case. I'm an intern creating a power apps system for generating tickets for special requests through a form. There are 3 apps, the first is a form app that needs to be shared with everyone in the org, which can cause some problems b/c then everyone has to be shared the SP list and will be able to see other peoples data. Next once the form is submitted the manager of the employee must enter another app and view/edit the request to approve it, so the manager would need edit rights on that item to approve. Finally, there is an admin app with a ticket gallery to approve tickets, so some admins will have to view/edit the SP list items. My biggest worry is mainly everyone being able to go to the SP list and see the other items that they do not really have to see. So, would following your power automate structure be the best thing to do here? Or do you recommend something else?
You will need to explore item level permissions. Power apps respects SharePoint security. Whatever user can do in SharePoint they can do in power apps.
Hi Reza! If in a list, each row has a field with an email address, how could be the flow to let that user edit and see only his/her list items?. I can imagine that "Apply to each" action then inside a "Grant access to an item or folder" action and picking the mail field as ID in order to assign the permissions, but not clear how.. please do you have any idea or suggestion?, if could you kindly detail it a bit, it would be great. Thank you for sharing knowledge Reza!
You would have to set permissions inside that for loop experience. I do not have a video reference on this scenario and would have to try it out to provide guidance. I will recommend checking on the forums at powerusers.microsoft.com/ in case someone has done something similar.