Before proceeding, here’s some information you need to know:
- The app is handled by an internal team only, so there was no guest user access.
- The database is SharePoint (Lists) only.
- The app was built inside a solution that has 4 cloud flows, 1 canvas app, and 25 environment variables.
- All environment variables are read in the flows only and not in the canvas app, because reading environment variables inside the app requires the Dataverse connector, and we didn't want to pay for a premium plan.
Problem I Faced -
So, I was building an Internal tool for my team, and there we had a question:
- If I leave the company, then who is going to approve the request and manage the app?
- Is there a way that a co-owner can get access request notifications?
- Transferring the app to a Service account is great, but we don’t want to go through a lot of technical aspects.
Solution I Implemented -
Well, the complete app uses SharePoint as its database, and SharePoint has permission groups. So why not use those groups to manage access requests? The very first thing I did was share the app with 'Everyone except external users'. Wait a minute... what?!
You might be surprised, but it's not the end.
FYI... DON'T FORGET TO UNCHECK THE 'SEND EMAIL' OPTION WHILE SHARING
So what I did was create an 'Unauthorized Access Screen' in Power Apps that displays a message and a 'Request Access' button (as shown in the image below).
Then I created 2 lists in SharePoint:
- Access Control List - Only users in this list can access the app.
- Access Request List - Users who send access requests are stored in this list.
Important Note: For these 2 lists, break the permission inheritance, delete all existing groups, and then share the lists with 'Everyone except external users' with 'Contribute' permission.
At this point, all users in the organization have access to your app and to the 2 lists mentioned above. I created various SharePoint groups and gave them access to the site and the lists; you have to manage permissions so that unauthorized users can reach these 2 lists only, until they are approved. Keep in mind that the 'Unauthorized Access Screen' is only a redirect inside the app, not a security boundary: what actually protects your data is the SharePoint permissions on the other lists. Also, a user with Contribute on the 'Access Control List' could add their own entry to it directly in SharePoint, so it is safer to give everyone Read on that list and let only the flow's connection write to it.
I have 12 SharePoint lists which are shared only with the 3 groups that SharePoint creates by default:
- Owner
- Member
- Visitors
Power Automate Flow
Now, I have a SharePoint group called ‘Global Admin’, and in that, I have 3 users:
- GA 1
- GA 2
- GA 3
So when any user plays the app, it first checks the 'Access Control List' for an entry for that user. If there is no entry, it shows the 'Unauthorized Access Screen'.
The start screen can be managed by the app's StartScreen property.
Refer article: https://medium.com/@melzoghbi/startscreen-a-new-declarative-way-to-set-the-first-screen-in-power-apps-b07499f6ff32
If the user requests access by clicking the 'Request Access' button, an entry is created in the 'Access Request List', which has 1 column:
- UserEmail (Text) - User who sent the request (captured using User().Email)
When an entry is created in the 'Access Request List', my workflow starts. Here are the step-by-step actions:
- When an item is created in the list
- Get all the users from the 'Global Admin' group using the 'Send HTTP request to SharePoint' action
- You will get JSON back; pull out only the user emails and store them in a variable
- Start the approval process with 'Start and wait for an approval', approval type: first to respond (anyone can respond)
- The email goes to the 3 users GA 1, GA 2 and GA 3, who can Approve or Reject the access request.
- Once any one of them approves, the flow creates an entry for that user in the 'Access Control List' and then deletes the entry from the 'Access Request List'. If the request is rejected, it just deletes the entry from the 'Access Request List'.
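The two data-handling steps above (pulling approver emails out of the group-membership JSON, and applying the Approve/Reject outcome to the two lists) are easy to get subtly wrong, so here is the same logic as a stand-alone Python sketch. This is an added example, not code from the original post or from Power Automate itself; in the flow these steps are a 'Select'/'Filter array' expression and the SharePoint list actions. It assumes the REST call `_api/web/sitegroups/getbyname('Global Admin')/users?$select=Email,LoginName,Title`, a response constructed here as sample data (the member names and e-mail domain are placeholders), and that the 'Access Control List' stores one UserEmail per row like the request list does.

```python
"""Flow-side helpers: group JSON -> approver list, and approval outcome -> list updates.
Added example; not the original post's flow. Sample data below is constructed."""
import json
import re

# Constructed sample of what 'Send HTTP request to SharePoint' returns for
# _api/web/sitegroups/getbyname('Global Admin')/users?$select=Email,LoginName,Title
# with "Accept: application/json;odata=nometadata". Names/domain are placeholders.
SAMPLE_GROUP_USERS = json.dumps({
    "value": [
        {"Title": "GA 1", "Email": "ga1@contoso.example",
         "LoginName": "i:0#.f|membership|ga1@contoso.example"},
        {"Title": "GA 2", "Email": "GA2@Contoso.example",   # mixed case on purpose
         "LoginName": "i:0#.f|membership|ga2@contoso.example"},
        {"Title": "GA 3", "Email": "ga3@contoso.example",
         "LoginName": "i:0#.f|membership|ga3@contoso.example"},
        # A nested security group has no mailbox: Email comes back empty.
        {"Title": "Sales Team", "Email": "", "LoginName": "c:0t.c|tenant|00000000"},
        # Duplicate membership entry (same person added twice).
        {"Title": "GA 1", "Email": "ga1@contoso.example",
         "LoginName": "i:0#.f|membership|ga1@contoso.example"},
    ]
})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def group_member_emails(body: str) -> list[str]:
    """Return the unique, lower-cased, mail-enabled members of a SharePoint group.

    Handles both response shapes: odata=nometadata gives {"value": [...]},
    odata=verbose gives {"d": {"results": [...]}}. Entries without a usable
    Email (security groups, service principals) are dropped, because an
    approval assigned to an empty string fails.
    """
    data = json.loads(body)
    members = data.get("value") or data.get("d", {}).get("results", [])
    seen: set[str] = set()
    emails: list[str] = []
    for member in members:
        email = (member.get("Email") or "").strip().lower()
        if email and EMAIL_RE.match(email) and email not in seen:
            seen.add(email)
            emails.append(email)
    return emails


def approver_string(emails: list[str]) -> str:
    """'Start and wait for an approval' takes 'Assigned to' as one
    semicolon-separated string. Fail loudly rather than start an approval
    that nobody will ever receive."""
    if not emails:
        raise ValueError("Global Admin group has no mail-enabled members")
    return ";".join(emails)


def apply_outcome(outcome: str, requester_email: str,
                  access_control: list[str], access_requests: list[str]):
    """Mirror the flow's final actions on in-memory copies of the two lists.

    outcome is the approval action's Outcome: "Approve" or "Reject".
    Approve -> add requester to the Access Control List (idempotent) and
    remove the request; Reject -> only remove the request.
    """
    requester = requester_email.strip().lower()
    if outcome == "Approve":
        if requester not in access_control:   # re-running the flow must not duplicate rows
            access_control.append(requester)
    elif outcome != "Reject":
        raise ValueError(f"unexpected approval outcome: {outcome!r}")
    # Remove every request row for this user, whatever case it was stored in.
    access_requests[:] = [r for r in access_requests
                          if r.strip().lower() != requester]
    return access_control, access_requests


if __name__ == "__main__":
    approvers = group_member_emails(SAMPLE_GROUP_USERS)
    print("Assigned to:", approver_string(approvers))
    acl, pending = apply_outcome("Approve", "New.User@contoso.example",
                                 approvers[:], ["New.User@contoso.example"])
    print("Access Control List:", acl)
    print("Access Request List:", pending)
```

Normalising emails to lower case on both sides matters because `User().Email` in the app and the Email field SharePoint returns do not always agree on capitalisation, and a case mismatch would leave an approved user stuck on the unauthorized screen.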
So in this way, the user will get added to the ‘Access Control List’ and can access your app.
Just FYI -
I am also using various user roles (Global Admin, Project Admin, Reader, Sales Member, etc.), and based on the roles I have created several SharePoint groups with different permissions such as Contribute, Read and Edit. So in the approval workflow I use custom responses and add the user to the respective groups using the 'Send HTTP request to SharePoint' action, which is a lengthy process.
Above