现在越来越多的项目前端使用canvas, 后端使用SPO(SharePoint Online) 来做配合开发。
SPO做数据源大大减少了项目成本还减少了开发周期
如果我们使用SPO list做数据源, 那就要把当前list分享给所有的canvas 用户。并且如果list使用OOB的功能,这样的话用户可以轻易的通过URL来访问SPO list中的数据,并且做CRUD的动作。
所以我们需要一些技术来block掉用户访问SPO list的UI
配置:
1. 创建2个自定义的权限。并且移除(View Application Pages permission)。这样的话用户还是可以通过API来访问SPO。
- Read from Power Apps (Copied from Read)
- Collaborate from Power Apps (Copied from Collaborate)
2. 创建2个新user group用来访问SPO list
- Power Apps Readers
- Power Apps Contributors
3. 给两个user group赋值新的条件
- Power Apps Readers: Read from Power Apps
- Power Apps Contributors: Collaborate from Power Apps
4. 把list 从搜索结果中移除
使用Powershell来激活功能
我们也可以用power shell脚本来做以上的功能配置。
$currSiteCollectionUrl = “<your site URL>“
#Array with the names for the lists you want to apply the permissions, add more list names if needed
$listNames = @(“Test List”, “Second Test List”)
#Group names: Change to existing group names if you want to update existing group permissions instead of creating new groups
#For existing groups, they are not removed from root site. Permissions updated at list level only
$readersName = “Power Apps Readers”
$membersName = “Power Apps Contributors”
##keeps current permissions for other groups in the list
$keepOtherGroupsPemissions = $true
$readersName = “Site Visitors” # “Power Apps Readers”
$membersName = “Site Members”# “Power Apps Contributors”
#Connect to your site
Connect-PnPOnline -Url $currSiteCollectionUrl -UseWebLogin
#Permission level names
$paContribute = “Contribute from Power Apps”
$paRead = “Read from Power Apps”
$existingRoleDefinitions = Get-PnPRoleDefinition
##Custom permission levels (Assign the next calls to variables to avoid the dummy format-output errors):
$roleDefContribute = Add-PnPRoleDefinition -RoleName $paContribute -Clone “Contribute” `
-Exclude ViewFormPages
$roleDefRead = Add-PnPRoleDefinition -RoleName $paRead -Clone “Read” `
-Exclude ViewFormPages
##Creates the two new groups:
$readers = Get-PnPGroup -Identity $readersName -ErrorAction Ignore
$members = Get-PnPGroup -Identity $membersName -ErrorAction Ignore
$readersExisted = ($readers -ne $null)
$membersExisted = ($members -ne $null)
if(!$readersExisted){ $readers = New-PnPGroup -Title $readersName }
if(!$membersExisted){ $members = New-PnPGroup -Title $membersName }
##Iterates through the specified lists and do the configuration in each
$listNames | ForEach-Object {
$listName = $_
$list = Get-PnPList -Identity $listName -Includes HasUniqueRoleAssignments,Title
if($list.HasUniqueRoleAssignments -and !$keepOtherGroupsPemissions){
##Resets role inheritance to break it later clearing it
$list.ResetRoleInheritance()
$list.Context.Load($list)
Invoke-PnPQuery
}
##Excludes from search results
$list.NoCrawl = $True
$list.Update()
##Breaks role inheritance if it was not done before
if(!$list.HasUniqueRoleAssignments){
$list.BreakRoleInheritance($keepOtherGroupsPemissions,$false)
}
$list.Context.Load($list)
Invoke-PnPQuery
if($keepOtherGroupsPemissions -and ($membersExisted -or $readersExisted)){
##If not clearing current permissions, remove any for current groups to add them later
$existingRoleDefinitions | ForEach-Object {
if($readersExisted){
Set-PnPListPermission -Identity $listName -Group $membersName `
-RemoveRole $_.Name -ErrorAction Ignore
}
if($membersExisted){
Set-PnPListPermission -Identity $listName -Group $readersName `
-RemoveRole $_.Name -ErrorAction Ignore
}
}
}
##Grants right permisisons to groups
Set-PnPListPermission -Identity $listName -Group $membersName `
-AddRole $paContribute
Set-PnPListPermission -Identity $listName -Group $readersName `
-AddRole $paRead
}
Disconnect-PnPOnline