Blocking Power Apps Canvas users from accessing site lists through the SharePoint Online UI

TheMiao 2021-07-18 18:16

More and more projects now use Canvas apps for the front end and SPO (SharePoint Online) as the back end.

Using SPO as the data source greatly reduces project cost and also shortens the development cycle.

If we use an SPO list as the data source, the list has to be shared with every Canvas app user. And if the list keeps its OOB (out-of-the-box) features, users can easily reach the data in the SPO list directly through its URL and perform CRUD operations on it.

So we need some technique to block users from reaching the SPO list UI.

Configuration:

1. Create two custom permission levels and remove the View Application Pages permission from them. Users can still access SPO through the API this way.

  • Read from Power Apps (Copied from Read)
  • Collaborate from Power Apps (Copied from Collaborate)

2. Create two new user groups for accessing the SPO list

  • Power Apps Readers
  • Power Apps Contributors

3. Assign the new permission levels to the two user groups

  • Power Apps Readers: Read from Power Apps
  • Power Apps Contributors: Collaborate from Power Apps

4. Remove the list from search results

Enabling the configuration with PowerShell

We can also do the configuration above with a PowerShell script.

```powershell
$currSiteCollectionUrl = "<your site URL>"

# Array with the names of the lists you want to apply the permissions to; add more list names if needed
$listNames = @("Test List", "Second Test List")

# Group names: change to existing group names if you want to update existing group permissions instead of creating new groups
# Existing groups are not removed from the root site; permissions are updated at list level only
$readersName = "Power Apps Readers"
$membersName = "Power Apps Contributors"
# To reuse the default site groups instead, uncomment the two lines below:
# $readersName = "Site Visitors"
# $membersName = "Site Members"

# Keeps current permissions for other groups in the list
$keepOtherGroupsPermissions = $true

# Connect to your site
Connect-PnPOnline -Url $currSiteCollectionUrl -UseWebLogin

# Permission level names
$paContribute = "Contribute from Power Apps"
$paRead = "Read from Power Apps"

$existingRoleDefinitions = Get-PnPRoleDefinition

# Custom permission levels: cloned from the built-in levels minus ViewFormPages ("View Application Pages"),
# which is what blocks the list UI while leaving API access intact.
# (Assign the results to variables to avoid the dummy format-output errors)
$roleDefContribute = Add-PnPRoleDefinition -RoleName $paContribute -Clone "Contribute" -Exclude ViewFormPages
$roleDefRead = Add-PnPRoleDefinition -RoleName $paRead -Clone "Read" -Exclude ViewFormPages

# Creates the two new groups (or picks them up if they already exist)
$readers = Get-PnPGroup -Identity $readersName -ErrorAction Ignore
$members = Get-PnPGroup -Identity $membersName -ErrorAction Ignore

$readersExisted = ($null -ne $readers)
$membersExisted = ($null -ne $members)

if (!$readersExisted) { $readers = New-PnPGroup -Title $readersName }
if (!$membersExisted) { $members = New-PnPGroup -Title $membersName }

# Iterates through the specified lists and does the configuration in each
$listNames | ForEach-Object {
    $listName = $_
    $list = Get-PnPList -Identity $listName -Includes HasUniqueRoleAssignments,Title

    if ($list.HasUniqueRoleAssignments -and !$keepOtherGroupsPermissions) {
        # Resets role inheritance so it can be broken again below from a clean slate
        $list.ResetRoleInheritance()
        $list.Context.Load($list)
        Invoke-PnPQuery
    }

    # Excludes the list from search results
    $list.NoCrawl = $True
    $list.Update()

    # Breaks role inheritance if it was not done before
    if (!$list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($keepOtherGroupsPermissions, $false)
    }
    $list.Context.Load($list)
    Invoke-PnPQuery

    if ($keepOtherGroupsPermissions -and ($membersExisted -or $readersExisted)) {
        # If not clearing current permissions, strip every existing role from our two groups
        # so that only the Power Apps permission levels are granted below
        $existingRoleDefinitions | ForEach-Object {
            if ($readersExisted) {
                Set-PnPListPermission -Identity $listName -Group $readersName -RemoveRole $_.Name -ErrorAction Ignore
            }
            if ($membersExisted) {
                Set-PnPListPermission -Identity $listName -Group $membersName -RemoveRole $_.Name -ErrorAction Ignore
            }
        }
    }

    # Grants the right permissions to the groups
    Set-PnPListPermission -Identity $listName -Group $membersName -AddRole $paContribute
    Set-PnPListPermission -Identity $listName -Group $readersName -AddRole $paRead
}

Disconnect-PnPOnline
```
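As an added check that is not part of the original post: an audit script that verifies the configuration actually holds after the setup script has run. It assumes the same site URL, list names and permission level names used above, and that the PnP.PowerShell module is installed. It flags a permission level that still contains View Application Pages, a list that still inherits permissions or is still crawled, and any group or user on the list that holds a permission level other than the two Power Apps levels (which would give that principal a working UI path again).

```powershell
# Added verification script (not part of the original post). Assumed values: the site URL,
# list names and permission level names below must match the ones used during configuration.
$siteUrl   = "<your site URL>"
$listNames = @("Test List", "Second Test List")
$paRoles   = @("Contribute from Power Apps", "Read from Power Apps")

Connect-PnPOnline -Url $siteUrl -UseWebLogin

# 1. The custom permission levels must not contain View Application Pages (PermissionKind.ViewFormPages);
#    if they do, the list forms are reachable again from the browser.
foreach ($roleName in $paRoles) {
    $role = Get-PnPRoleDefinition -Identity $roleName -ErrorAction SilentlyContinue
    if ($null -eq $role) {
        Write-Warning "Permission level '$roleName' does not exist"
        continue
    }
    $hasViewFormPages = $role.BasePermissions.Has([Microsoft.SharePoint.Client.PermissionKind]::ViewFormPages)
    if ($hasViewFormPages) {
        Write-Warning "'$roleName' still includes View Application Pages"
    } else {
        Write-Host "OK: '$roleName' excludes View Application Pages"
    }
}

# 2. Each list must have unique permissions, be excluded from search, and grant only the
#    Power Apps permission levels. Any other binding means a principal can still use the list UI.
foreach ($listName in $listNames) {
    $list = Get-PnPList -Identity $listName -Includes HasUniqueRoleAssignments,NoCrawl,RoleAssignments
    if ($null -eq $list) {
        Write-Warning "List '$listName' not found"
        continue
    }
    if (-not $list.HasUniqueRoleAssignments) { Write-Warning "${listName}: still inherits site permissions" }
    if (-not $list.NoCrawl)                  { Write-Warning "${listName}: still included in search results" }

    foreach ($ra in $list.RoleAssignments) {
        # Member and RoleDefinitionBindings are not loaded with the collection; fetch them explicitly
        $member   = Get-PnPProperty -ClientObject $ra -Property Member
        $bindings = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
        foreach ($binding in $bindings) {
            # "Limited Access" is a placeholder level SharePoint adds on its own and grants no list UI access
            if ($paRoles -notcontains $binding.Name -and $binding.Name -ne "Limited Access") {
                Write-Warning "${listName}: '$($member.Title)' holds '$($binding.Name)', which still allows UI access"
            } else {
                Write-Host "OK: ${listName}: '$($member.Title)' -> '$($binding.Name)'"
            }
        }
    }
}

Disconnect-PnPOnline
```

Run it with the same account used for the setup script; a clean run prints only OK lines. It is worth scheduling after any site permission change, because the setup script only touches the two Power Apps groups, so a list that later inherits a new group or gets a direct user grant will start producing warnings.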

Alternatively, we can use Power Automate to hide the list.
