cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
WarrenBelz
Most Valuable Professional
‎12-02-2023 05:12 PM

Locking down SharePoint so only Integrated App can be used

This is an issue that has been the subject of many questions and below is the series of processes which I believe adequately addresses the structure needed.

Firstly, the three initial things to do (which I will not go into any depth with) are: -

  • Configuring any SharePoint Views to display only the columns the users need to see.
  • Filtering the View data so that it displays only the records required to be available for choosing. I am assuming here that the users need to see records other than those they created.
  • Configuring the Integrated App to restrict the users (or the particular user) to only be able to do and see what they need.

However, there are a number of inbuilt SharePoint functions that allow a reasonably knowledgeable user to circumvent these controls and do/see things they should not be able to do.


Personal Views

The first thing to do is stop users from creating a Personal View to their liking. Firstly, go to Site Permissions > Permission Levels

WarrenBelz_0-1701563981138.png

Select Contribute and then at the bottom select Copy Permission Level

 

WarrenBelz_1-1701564014275.png

A name is then required (I call mine “No Personal Views”) and this new item can then be edited. There are some other permissions that may need excluding such as deleting items, but the main ones necessary here are the bottom category

WarrenBelz_2-1701564107549.png

This permission level should then be applied to all relevant users on the Lists/Libraries/Site connected to the function.


Grid View Editing

Next problem is Edit in Grid View, which allows again circumventing of field level restrictions. One way is to group any views by a field (or two), however a more robust alternative is to turn it off at List/Library level. To do this, go into all the List/Library Settings and in Advanced Settings, turn off the Quick Editing Property

WarrenBelz_3-1701564232997.png

 

Multiple Selection Bulk Editing

Next, users will notice that if they select several items, a different bulk editing form will appear (actually the SharePoint default form). One way to stop this is to disable bulk editing by not allowing users to select multiple records. This is done at View Level, so select Edit Current View

WarrenBelz_4-1701564458273.png

Then scroll down to Tabular View and de-select Allow individual item checkboxes

WarrenBelz_5-1701564499973.png

 

New Items

This may not be quite done yet – what if the user should not create new records or upload new files (Library) – the options are still there. Again at View level, except this time choose Format View and paste this code into the JSON box

{
   "$schema": "https://developer.microsoft.com/json-schemas/sp/v2/row-formatting.schema.json",
   "commandBarProps": 
   {
      "commands": 
      [
         {
            "key": "new",
            "hide": true
         },
         {
            "key": "upload",
            "hide": true
         }
      ]
   }
}

WarrenBelz_7-1701564856101.png

 

Library menus

One last item if dealing with a Library is that the default SharePoint appears in the right pane initially (selecting Edit All opens the Integrated form) – firstly select Edit Columns

WarrenBelz_10-1701565082836.png

 

And then de-select any fields that should not be edited on this form

WarrenBelz_9-1701565047143.png

This should put plugs in most of the "plugholes" of concern and allow proper controlled management of the data.

Comments
Helper I
‎12-04-2023 07:17 AM

Thanks @WarrenBelz for the very well-written post. I particularly appreciated the 'Bulk Editing' section, which I had overlooked and never really considered before.

 

However, reading the title, I was expecting an article addressing one of the major challenges in data security with SPO and Power Apps: Specifically, how can we prevent users from creating their own apps and connecting them to the SPO list independently?

 

Nevertheless, it was a great post, and I learned something new from it!

Most Valuable Professional
‎12-04-2023 01:14 PM

For the integrated app the user needs Design privilages to do this and the limited permissions in the first section do not allow this. For standard-alone apps, you can define a Security Role for the users and exclude Canvas Apps

 

0 Kudos