
Locking down SharePoint so only Integrated App can be used

This is an issue that has been the subject of many questions, and below is the series of steps which I believe adequately addresses the structure needed.

Firstly, the three initial things to do (which I will not go into in any depth) are:

  • Configuring any SharePoint Views to display only the columns the users need to see.
  • Filtering the View data so that it displays only the records required to be available for choosing. I am assuming here that the users need to see records other than those they created.
  • Configuring the Integrated App to restrict the users (or the particular user) to only be able to do and see what they need.

However, there are a number of inbuilt SharePoint functions that allow a reasonably knowledgeable user to circumvent these controls and do or see things they should not be able to.

The first thing to do is stop users from creating a Personal View to their liking. Go to Site Permissions > Permission Levels.

Personal Views

Select Contribute and then, at the bottom, select Copy Permission Level.

A name is then required (I call mine “No Personal Views”) and this new item can then be edited. There are other permissions that may need excluding, such as deleting items, but the main ones to remove here are those in the bottom category (Personal Permissions, which includes Manage Personal Views).

This permission level should then be applied to all relevant users on the Lists, Libraries or Site connected to the function, in place of Contribute.

Grid View Editing

The next problem is Edit in Grid View, which again allows field-level restrictions to be circumvented. One workaround is to group every view by a field (or two), but a more robust alternative is to turn it off at List/Library level. To do this, go into each List/Library's Settings and, under Advanced Settings, turn off the Quick Editing property.

Multiple Selection Bulk Editing

Next, users will notice that if they select several items, a different bulk editing form appears (actually the SharePoint default form). One way to stop this is to disable bulk editing by not allowing users to select multiple records. This is done at View level, so select Edit Current View.

Then scroll down to Tabular View and de-select Allow individual item checkboxes.

New Items

This may not be quite done yet: what if the user should not create new records or upload new files (Library)? Those options are still there. Again at View level, but this time choose Format View and paste this code into the JSON box:

{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/v2/row-formatting.schema.json",
  "commandBarProps": {
    "commands": [
      {
        "key": "new",
        "hide": true
      },
      {
        "key": "upload",
        "hide": true
      }
    ]
  }
}

Library Menus

One last item if dealing with a Library is that the default SharePoint form initially appears in the right pane (selecting Edit All opens the Integrated form). First, select Edit Columns

and then de-select any fields that should not be edited on this form.
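The steps above are all clicks in the SharePoint UI, which is fine for one list but tedious across several. The script below is an added example, not part of the original post, that applies the same lockdown (the cloned permission level, Quick Edit off, no item checkboxes, and the command bar JSON) with PnP PowerShell. It assumes PnP.PowerShell is installed, that $SiteUrl, $ClientId, $UserLogin and $ListTitles are placeholders you replace, that the user holds Contribute as a direct assignment on the site (not via a group), and it extends the post's JSON with the delete, editInGridView and export keys from Microsoft's command bar customization reference.

```powershell
# Added example (not from the original post): automates the lockdown steps with PnP PowerShell.
$SiteUrl    = "https://contoso.sharepoint.com/sites/Finance"   # placeholder
$ClientId   = "<your-entra-app-registration-id>"               # placeholder
$UserLogin  = "i:0#.f|membership|user@contoso.com"             # placeholder claim login
$ListTitles = @("Requests", "Supporting Documents")            # placeholder: lists connected to the app

Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# 1. Permission level: clone Contribute without the "Personal Permissions" group
#    (Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts).
$existing = Get-PnPRoleDefinition | Where-Object { $_.Name -eq "No Personal Views" }
if (-not $existing) {
    Add-PnPRoleDefinition -RoleName "No Personal Views" -Clone "Contribute" `
        -Exclude ManagePersonalViews, AddDelPrivateWebParts, UpdatePersonalWebParts `
        -Description "Contribute without personal views or personal web parts"
}

# 2. Swap the user's direct Contribute assignment on the site for the new level.
Set-PnPWebPermission -User $UserLogin -AddRole "No Personal Views" -RemoveRole "Contribute"

# Command bar JSON: hides New and Upload (as in the post) plus Delete,
# Edit in grid view and the Export menu.
$CommandBarJson = @'
{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/v2/row-formatting.schema.json",
  "commandBarProps": {
    "commands": [
      { "key": "new",            "hide": true },
      { "key": "upload",         "hide": true },
      { "key": "delete",         "hide": true },
      { "key": "editInGridView", "hide": true },
      { "key": "export",         "hide": true }
    ]
  }
}
'@

foreach ($title in $ListTitles) {
    $list = Get-PnPList -Identity $title

    # 3. List level: turn off Quick Edit (Advanced Settings > Quick Editing property).
    Set-PnPList -Identity $list -DisableGridEditing $true

    # 4. View level: no item checkboxes (blocks the bulk editing form) and the command bar JSON.
    foreach ($view in Get-PnPView -List $list | Where-Object { -not $_.Hidden }) {
        Set-PnPView -List $list -Identity $view.Id `
            -Values @{ TabularView = $false; CustomFormatter = $CommandBarJson }
    }
}
```

Hiding a command only removes it from the bar; the permission level and list settings are what actually stop the action, so keep all three layers.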

This should put plugs in most of the “plugholes” of concern and allow proper controlled management of the data.
