Restrict Power Bi Access to Sharepoint List

HeihoSilver · ‎11-02-2022

Hi,

I have an apps (powerapps) connected to Sharepoint List. I don't want the user to work from the Sharepoint list or retrieve data from it.

So I created a permission group and set permission setting so that the user has limited access and not able to change the view which I have set to be "hidden". The Sharepoint URL is not shared though, but if they found out, at least there is hidden data view there.

The data/item is somehow needs to be opened to different groups of user (certain data for certain groups), and therefore I cannot set edit/view for creators only.

From the "Hidden" point of view here, I feel quite ok in terms of access.

However, if the user found out the Sharepoin link and skillful in PowerBI, then they can use "Get Data" and have all information open for them. I have tested with my colleague and he has access to all data which is restricted by view in the apps.

So I was wondering, is there a way to limit access connection or to prevent data retrieval from Sharepoint List to Power BI?

axrookie · ‎02-23-2023

Hi, anyone knows if Microsoft will address this? It's a big backdoor. MS is encouraging to use powerapps, with lists and sharepoint to store information as it's easy, but they should have implemented mechanisms to not expose data juat doing a simple connection to a site.
Yes, I know, you can restrict direct access by modifying the list permissions but as you have read permissions, because powerapp needs it, powerbi allow access.

MS should give a answer to this establishing policies to restrict some connectors, even datasources, in a corporate environments

HeihoSilver · ‎11-03-2022

Hi @v-rzhou-msft ,

Thank for your response.

The user/member is definitely has to have access to the Sharepoint in order to work from the apps (PowerApps). The intention here is that I create an apps (PowerApps) for the users where they don't know anything about the Sharepoint list. In other words, they just work from the Apps.

It's just like when we are using Twitter apps but we don't know where the data source is and we don't need to update directly in Twitter's datasource.

I created filter view in the PowerApps so that user is only able to view their project only.

To put in a simple way, I have 1 sharepoint list called Project Table as a data source for the apps. It collects data for different projects.

Person A, B, C, D have view in the Apps to Project Cat (they are only able to see Project Cat).

Person C, D, E, F have view in the Apps to Project Dog, etc.

C and D have view for both Projects (Cat and Dog) in the apps, but the rest only see theirs.

Everything is saved in 1 Project Table list as data source for the apps.

In summary, the user is definitely has access to the Sharepoint in order to work from the Apps.

I don't want them to know the URL to sharepoint list (even though for those who are curious can search in our Organization sharepoint)

To mitigate, I have set specific permission to the user in Sharepoint so that they are only see blank view in the list.

If the user figure out the URL and skillful to use PowerBi, then they can get data from it and see all the Project Data (which is not allowed).

I'm wondering if there is any way to restrict data connection or view from PowerBi to Sharepoint.

Here I will give you some suggests.

1. Create specific sites with specific data sources for different users.

--> I don't think this will meet the intention of PowerApps. We have 50+ projects and growing. It will be cumbersome to create new site for each new projects, manage user permission and to update the PowerApps.

2. You may try RLS to your users and do not give them build permission, they you can restrict the data they see from your sharepoint.

--> Yes, we also created PowerBi dashboard and RLS for the users, no build permission also allowed from the Workspace. But the question is, if the user is skillfull in PowerBI and somehow figure out the Sharepoint URL, then they can pull the data by themselves via PowerBi desktop or his own workspace and able to see all project information which is not allowed.

Is there any other advice?

Regards,

v-rzhou-msft · ‎11-03-2022

Hi @HeihoSilver ,

As far as I know, user will connect to SharePoint Online List by Site URL. They need to anthenticate by microsoft account which has access to the site.

For reference: Create a report on a SharePoint List in Power BI Desktop - Power BI | Microsoft Learn

If they know how to anthenticate to your site, I think they should be a member of your site. So they could see all data source in your site. If you block access to them, they will loss access to the site.

Here I will give you some suggests.

1. Create specific sites with specific data sources for different users.

2. You may try RLS to your users and do not give them build permission, they you can restrict the data they see from your sharepoint.

For reference:

Row-level security (RLS) with Power BI - Power BI | Microsoft Learn

Best Regards,
Rico Zhou

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.