Willy_
Frequent Visitor

Limit users their owner items in a list preview fill a form

Hi everybody,

 

I want to manage employee vacations. When users fill out a vacation request with a form, it will start an approval process with Power Automate and register everything in a SharePoint list.
I would like to know how to give access to users so that they only see their own items. If I use the option "Read items that were created by the user" in the list's advanced settings, only the user who created the form has access, not the users who fill it in.

Perhaps the approach is not correct. What I am clear about is that it must be through a form, and I was thinking of having two lists: one to consult the state of the request and another to consult total days, used days, pending days.....

 

Can someone guide me with this?

 

Thanks so much

1 ACCEPTED SOLUTION

ChadVKealey
Memorable Member

Rolling back a bit. You create a Microsoft Forms form for users to fill out with their leave request. You create a flow to run when a new form response is submitted and have it create an item in the Leave Requests (SharePoint) list. When that runs, it will run using the SharePoint connection you define in the flow (typically your own account or a service account if you have one); it cannot run as the person who submitted the form. So, assuming you use your own account/SharePoint connection, all of those list items will be "Created by" you. In this case, forget about the "Item Level Permissions" settings - they won't help you.

 

You want each user to only see their own items, so you could use the Grant permissions action to give the submitter of the form View access to the item that was created. However, that gives them permission to the item, but not the list. If they don't have some type of access to the list itself, they won't be able to "get to" their item. So, you would need to give them "Read" permission to the list. However, as you pointed out, that does give them the ability to read other users' items. The way to prevent this is to (before granting permission) use the "Stop sharing an item or file" action. This breaks the inherited permissions, so you then need to grant permissions to those who need it. The "permissions" part of the flow would be:

  1. Create item
  2. Stop sharing item
  3. Grant form creator view access to item
  4. (if needed) Grant other permissions as needed (for example, how is "approval" being done? Will another person - the manager, maybe, need edit permission to the item?)

Again, even without the complication of a Power App, I think you need to clearly lay out and define your process so that you can identify exactly who is going to be involved and determine what permissions people will need to the Leave Request items. A lot of people think "oh, the manager is going to approve, so they need edit permission to the item" when in reality, they don't. If the "approval" process is running as you (or, again, a service account) that has site collection admin access, then the manager does not need any access to the item (assuming you include the relevant details about the request in the approval message). Also, you're saying that the user shouldn't be able to edit their item. What happens if they need to change or cancel a leave request? It will happen, so you need to know how to address that.

Maybe you have already defined all those specs and requirements, but based on the questions you're asking, I think you may have overlooked some details. I'm not trying to make things more difficult for you, but it sounds like you may need to more clearly define your process and requirements. It's not an easy process, but it is necessary.
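
A small model of the permission sequence in the answer above, added here as an illustration and not part of the original post. It is a simplified model, not SharePoint or Power Automate API code; the principal names, the `LeaveList` class and the rule that a direct grant on an inheriting item copies the list's assignments first are assumptions of the sketch.

```python
from dataclasses import dataclass, field

READ, EDIT = "Read", "Edit"
UNIQUE_SCOPE_LIMIT = 50_000  # per-list limit quoted in the thread


@dataclass
class Item:
    item_id: int
    submitter: str
    inherits: bool = True                       # new items inherit from the list
    grants: dict = field(default_factory=dict)  # principal -> role once unique


@dataclass
class LeaveList:
    owner: str  # account behind the flow's SharePoint connection
    list_grants: dict = field(default_factory=dict)  # principal -> role on the list
    items: list = field(default_factory=list)

    def create_item(self, submitter):
        """Step 1: the flow creates the item; it inherits the list's permissions."""
        item = Item(len(self.items) + 1, submitter)
        self.items.append(item)
        return item

    def stop_sharing(self, item):
        """Step 2: break inheritance and keep only the owner."""
        item.inherits = False
        item.grants = {self.owner: EDIT}

    def grant(self, item, principal, role):
        """Step 3: direct grant. Assumption: on an inheriting item the list's
        assignments are copied first, so list readers keep their access."""
        if item.inherits:
            item.inherits = False
            item.grants = {self.owner: EDIT, **self.list_grants}
        item.grants[principal] = role

    def readers(self, item):
        if item.inherits:
            return {self.owner, *self.list_grants}
        return set(item.grants)


def audit(lst):
    """Return (item_id, problem) pairs for items that break the intended policy:
    only the owner and the submitter can read, and the submitter is read-only."""
    findings = []
    for item in lst.items:
        extra = lst.readers(item) - {lst.owner, item.submitter}
        if extra:
            findings.append((item.item_id, "readable by " + ", ".join(sorted(extra))))
        if not item.inherits and item.grants.get(item.submitter) != READ:
            findings.append((item.item_id, "submitter missing or not read-only"))
    return findings


def unique_scopes_left(lst):
    """Headroom before the list reaches the unique-permissions limit."""
    return UNIQUE_SCOPE_LIMIT - sum(1 for i in lst.items if not i.inherits)


def demo():
    # Constructed principals; everyone has Read on the list so they can reach it.
    lst = LeaveList("svc-flow", {"alice": READ, "bob": READ, "carol": READ})
    good = lst.create_item("alice")   # steps 1-3 in order
    lst.stop_sharing(good)
    lst.grant(good, "alice", READ)
    bad = lst.create_item("bob")      # step 2 skipped
    lst.grant(bad, "bob", READ)
    return lst, audit(lst)
```

Running `audit` over the constructed list flags only the item where "Stop sharing" was skipped, and `unique_scopes_left` shows that every request, correctly handled or not, consumes one uniquely-permissioned scope.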


8 REPLIES
ChadVKealey
Memorable Member

When you say "form", do you mean a Microsoft Forms form? If so, any flow that runs based on submission of that form will run with the connections configured in the flow (typically the flow author/creator). So, Person A creates the form and associated flow that takes the form data and creates an item in the "leave request" list. Person B fills out the form and the flow runs, but the "create item" action is running with Person A's SharePoint connection, so the "created by" will be Person A. In this case, the "Item level permissions" in the list won't help.

 

So, if you're using a Microsoft Forms form, that flow could also set permissions on the leave request item that's created, but eventually (most likely) you will hit the unique item permissions scope limit (max of 50,000 uniquely-permissioned items per list or library). Also, as a general rule, I discourage this approach unless there is a plan to clean up those uniquely permissioned items (e.g.: after 30 days, delete the item or move it to another location where it is NOT uniquely permissioned).

 

If you are NOT using a Microsoft Forms form (for example, you're going to use the out-of-the-box SharePoint form or a Power Apps app form), then Item-level permissions should work fine. That's how I set up our leave request system (using a Power Apps app) and it's been working well for almost 2 years. Now, our system is simply used for approval, notification and as a "calendar" of who's in/out. We're not tracking time earned, time used, etc., so I can't comment on that part of your question. However, I would probably handle that via a separate flow that's triggered when the leave request is Approved. That is, the user submits a request, the manager (or whomever) approves it, and then, with a separate "when an item is modified" flow, you adjust the counts in that other list. Otherwise, you'll again have to assign unique permissions to those list items and run the risk of someone manually manipulating the data.

Willy_
Frequent Visitor

Many thanks @ChadVKealey for your quick answer

 

Yes, I am referring to a Microsoft Forms form, I understand.... I suppose that when you speak about setting permissions it is with "Grant access to an item......", isn't it?

 


 

Kindly, could you give me a little information about how to do it with Power Apps? I have never used it before, so that I have some reference for where to start looking or doing....

 

Thank you again

ChadVKealey
Memorable Member

Yes, that is the action you would use. If you plan on using that, I would suggest giving all users of this system read permission to the list and granting them edit permission to their own items. In terms of the unique permissions scope limit, it may take you a long time to hit 50,000 items (or you may never), just know that the limit is out there and it's a hard, unbreakable limit (not a "threshold" that you can sometimes exceed). 

 

Creating a Power Apps app to serve as the user interface to a system like this can be challenging. The nice thing about this approach is that you can build it exactly to your specifications. The painful thing is that you need to explicitly build in whatever functionality you want. There is a "leave request" app template that you could look at to get some idea of what's involved. I would recommend building a few simpler apps first to get comfortable with Power Apps in general. There are a bunch of great resources here: https://docs.microsoft.com/en-us/learn/browse/?products=power-apps&WT.mc_id=webupdates_GEP_Powerapps... and instructor-led training available (at a cost) from a number of different sources. However, unless you hire someone specifically to build (or help you build) it, you won't find a step-by-step guide to creating your own leave request app.

 

If you want to pursue that option, though, it's best to start with a clear set of design specifications. Talk to the people who are asking for it and also those who will use it (not all of them, but at least a representative cross-section of the user base) to determine what functionality is actually needed. Also, identify all of the data that's going to be involved. Obviously, the leave request list itself is one table, but there will likely be others. Who will "approve" the requests? If it will always be the "Manager" of the user in the O365 user profile, then you don't need a separate list to identify the approver. However, if even ONE person has an approver other than their manager, you need to have a way to handle those exceptions. Also, it sounds like you've got another table of data (leave accrued, leave used, etc.), so you need to think about how that is populated and maintained. Daniel Christian did a wonderful series of videos on how to plan SharePoint list relationships for use with Power Apps; the first one is here: https://youtu.be/qU22DiaIPpU

 

Also, check out the YouTube channels belonging to Shane Young, Reza Dorrani, April Dunnam and Mr. Dang. Most of what I know about Power Apps I learned from a video by one of those 5 people.

Many thanks for your extended explanation

About setting permissions on the list item, I don't understand how to do it.

 

The idea is that user A is the "created by" of the form and he has access to read/modify all items.

The rest of the users fill in the form and can see their own items only, not all.

So, even if I set up "Grant access to an item...." in the flow with the role "Can view", if I choose "Read items that were created by the user" in the list's advanced settings, only user A ("Created by") can see all the items (this is not an issue) and no other user can see any items.

And if I set "Read all items" in the list's advanced settings, all users can see all items, theirs and those of others. User B can see the items of user C and vice versa, and this is not desirable.

 

How can I set it up so that every user sees only their own items?

On the other hand, the users should not be able to modify any item.

 

About the item limit, I found this:

 

https://support.microsoft.com/en-us/office/manage-large-lists-and-libraries-b8588dae-9387-48c2-9248-...

 

Thank you


Willy_
Frequent Visitor

You are helping me a lot!!!

My first idea was that the list would only be available to all users with read permissions, a request record for HR (all items) and for users (theirs); I had not thought of giving write permissions to the approver. The approvals (there are two, first the manager and second HR) are done in the flow with "Start and wait for an approval", and then the item is updated to another state (pending approval.... approved or rejected).

 

 

Now I'm looking for Grant form creator view access to item and I can't find it, can you help me with this?


And you are right, I have to think about how to manage changes and cancellations... maybe another Microsoft Forms form that works over the first flow, canceling the request and deleting the item, or modifying the request and the item... I don't know, I will have to find out....

Now I'm looking for Grant form creator view access to item and I can't find it, can you help me with this?

You won't find that as a specific action, but - as long as it's not an anonymous form - you can get the email address of the user who submitted and use that in the "Grant access" action. It's a little easier to show than type it all out, so check this video: https://www.screencast.com/t/cxc0kXLCb3AZ

 

-Chad

Thanks so much, that I could solve it before
