Preventing Power Apps Canvas users from accessing a site list through the SharePoint Online UI
阿新 • Published: 2021-07-18
More and more projects now use Canvas apps for the front end with SPO (SharePoint Online) as the back end. Using SPO as the data source greatly reduces project cost and shortens the development cycle.

If we use an SPO list as the data source, we have to share that list with every Canvas user. And if the list keeps its OOB (out-of-the-box) functionality, users can easily open the SPO list data through its URL and perform CRUD operations on it directly.

So we need a technique to block users from reaching the SPO list's UI.
Configuration:
1. Create two custom permission levels and remove the View Application Pages permission from them. Users can then still access SPO through the API.
- Read from Power Apps (copied from Read)
- Collaborate from Power Apps (copied from Collaborate)
2. Create two new user groups for accessing the SPO list:
- Power Apps Readers
- Power Apps Contributors
3. Assign the new permission levels to the two user groups:
- Power Apps Readers: Read from Power Apps
- Power Apps Contributors: Collaborate from Power Apps
4. Remove the list from search results.
Enabling the feature with PowerShell
We can also do the configuration above with a PowerShell script.
```powershell
$currSiteCollectionUrl = "<your site URL>"

# Array with the names of the lists you want to apply the permissions to; add more list names if needed
$listNames = @("Test List", "Second Test List")

# Group names: change these to existing group names if you want to update existing group
# permissions instead of creating new groups. Existing groups are not removed from the root
# site; permissions are updated at list level only.
$readersName = "Power Apps Readers"
$membersName = "Power Apps Contributors"
# To reuse the default site groups instead, uncomment the next two lines:
# $readersName = "Site Visitors"
# $membersName = "Site Members"

# Keep current permissions for other groups on the list
$keepOtherGroupsPermissions = $true

# Connect to your site
Connect-PnPOnline -Url $currSiteCollectionUrl -UseWebLogin

# Permission level names
$paContribute = "Contribute from Power Apps"
$paRead = "Read from Power Apps"

# Snapshot of the role definitions that exist before the custom ones are added
$existingRoleDefinitions = Get-PnPRoleDefinition

# Custom permission levels: clones of Contribute/Read without ViewFormPages
# (assign the results to variables to avoid the spurious format-output errors)
$roleDefContribute = Add-PnPRoleDefinition -RoleName $paContribute -Clone "Contribute" -Exclude ViewFormPages
$roleDefRead = Add-PnPRoleDefinition -RoleName $paRead -Clone "Read" -Exclude ViewFormPages

# Create the two groups if they do not exist yet
$readers = Get-PnPGroup -Identity $readersName -ErrorAction Ignore
$members = Get-PnPGroup -Identity $membersName -ErrorAction Ignore
$readersExisted = ($null -ne $readers)
$membersExisted = ($null -ne $members)
if (!$readersExisted) { $readers = New-PnPGroup -Title $readersName }
if (!$membersExisted) { $members = New-PnPGroup -Title $membersName }

# Iterate through the specified lists and apply the configuration to each
$listNames | ForEach-Object {
    $listName = $_
    $list = Get-PnPList -Identity $listName -Includes HasUniqueRoleAssignments,Title

    if ($list.HasUniqueRoleAssignments -and !$keepOtherGroupsPermissions) {
        # Reset role inheritance so that breaking it again below clears the current assignments
        $list.ResetRoleInheritance()
        $list.Context.Load($list)
        Invoke-PnPQuery
    }

    # Exclude the list from search results
    $list.NoCrawl = $True
    $list.Update()

    # Break role inheritance if it has not been done before
    if (!$list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($keepOtherGroupsPermissions, $false)
    }
    $list.Context.Load($list)
    Invoke-PnPQuery

    if ($keepOtherGroupsPermissions -and ($membersExisted -or $readersExisted)) {
        # When keeping current permissions, first strip every pre-existing role from our two
        # groups so that only the Power Apps levels remain after the grants below
        $existingRoleDefinitions | ForEach-Object {
            if ($readersExisted) {
                Set-PnPListPermission -Identity $listName -Group $readersName -RemoveRole $_.Name -ErrorAction Ignore
            }
            if ($membersExisted) {
                Set-PnPListPermission -Identity $listName -Group $membersName -RemoveRole $_.Name -ErrorAction Ignore
            }
        }
    }

    # Grant the right permission levels to the groups
    Set-PnPListPermission -Identity $listName -Group $membersName -AddRole $paContribute
    Set-PnPListPermission -Identity $listName -Group $readersName -AddRole $paRead
}

Disconnect-PnPOnline
```
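After running the configuration, it is worth verifying that it actually took effect, since a list that still inherits permissions or a permission level that still carries ViewFormPages leaves the list pages reachable. The following check script is an added example, not part of the original post: it assumes an open PnP connection (Connect-PnPOnline) and reuses the same list, group and permission-level names as the script above; those names, and the variables `$listNames`, `$paGroups`, `$paContribute` and `$paRead`, are assumptions you should adjust to your site. It confirms that the custom levels exclude ViewFormPages (the setting that blocks the list UI while leaving the REST endpoints Canvas uses intact), that each list has unique permissions and is hidden from search, and that the Power Apps groups hold nothing on the list beyond the two custom levels.

```powershell
# Added verification script (not from the original post). Assumes Connect-PnPOnline has
# already been run against the site; the names below are assumptions matching the setup script.
$listNames    = @("Test List", "Second Test List")
$paContribute = "Contribute from Power Apps"
$paRead       = "Read from Power Apps"
$paGroups     = @("Power Apps Readers", "Power Apps Contributors")

$problems = New-Object System.Collections.Generic.List[string]

# 1. The custom permission levels must exist and must not carry ViewFormPages,
#    which is what stops the list pages (AllItems.aspx, DispForm.aspx, ...) from rendering.
foreach ($levelName in @($paContribute, $paRead)) {
    $level = Get-PnPRoleDefinition -Identity $levelName -ErrorAction SilentlyContinue
    if ($null -eq $level) {
        $problems.Add("Permission level '$levelName' does not exist")
        continue
    }
    if ($level.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]::ViewFormPages)) {
        $problems.Add("Permission level '$levelName' still includes ViewFormPages")
    }
}

# 2. Each list must have unique permissions, be excluded from search, and grant the
#    Power Apps groups nothing beyond the two custom levels.
foreach ($listName in $listNames) {
    $list = Get-PnPList -Identity $listName -Includes HasUniqueRoleAssignments,NoCrawl,RoleAssignments
    if (-not $list.HasUniqueRoleAssignments) { $problems.Add("'$listName' still inherits permissions from the site") }
    if (-not $list.NoCrawl)                  { $problems.Add("'$listName' is still indexed by search") }

    foreach ($ra in $list.RoleAssignments) {
        # Member and RoleDefinitionBindings are not loaded with the collection; fetch them explicitly
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        if ($paGroups -notcontains $ra.Member.Title) { continue }
        foreach ($binding in $ra.RoleDefinitionBindings) {
            if ($binding.Name -notin @($paContribute, $paRead)) {
                $problems.Add("'$listName': group '$($ra.Member.Title)' also holds '$($binding.Name)'")
            }
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All lists are configured as expected."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it once after the setup script and again whenever the list permissions are touched; any extra role on the Power Apps groups (for example a Read level inherited from an earlier grant) reopens the list UI for those users even though the custom levels are in place.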