Tags: Canvas, Power, ##, list, Apps, SPO, Identity
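More and more projects now use canvas apps for the front end and SPO (SharePoint Online) for the back end.
Using SPO as the data source greatly reduces project cost and shortens the development cycle.
If we use an SPO list as the data source, the list has to be shared with every canvas app user. If the list uses the OOB (out-of-the-box) functionality, users can easily reach the data in the SPO list through its URL and perform CRUD operations on it.
So we need a way to block users from accessing the SPO list UI.
Configuration:
1. Create two custom permission levels and remove the View Application Pages permission from each. Users can then still access SPO through the API.
- Read from Power Apps (Copied from Read)
- Collaborate from Power Apps (Copied from Collaborate)
2. Create two new user groups for accessing the SPO list
- Power Apps Readers
- Power Apps Contributors
3. Assign the new permission levels to the two user groups
- Power Apps Readers: Read from Power Apps
- Power Apps Contributors: Collaborate from Power Apps
4. Remove the list from search results
Applying the configuration with PowerShell
We can also apply the configuration above with a PowerShell script. In the script, the second permission level is named "Contribute from Power Apps" and is cloned from the built-in Contribute level.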
```powershell
$currSiteCollectionUrl = "<your site URL>"

# Names of the lists to apply the permissions to; add more list names if needed
$listNames = @("Test List", "Second Test List")

# Group names: change to existing group names if you want to update existing
# group permissions instead of creating new groups.
# Existing groups are not removed from the root site; permissions are updated at list level only.
$readersName = "Power Apps Readers"
$membersName = "Power Apps Contributors"
# To reuse existing groups instead, for example:
# $readersName = "Site Visitors"
# $membersName = "Site Members"

# Keeps current permissions for other groups in the list
$keepOtherGroupsPermissions = $true

# Connect to your site
Connect-PnPOnline -Url $currSiteCollectionUrl -UseWebLogin

# Permission level names
$paContribute = "Contribute from Power Apps"
$paRead = "Read from Power Apps"

$existingRoleDefinitions = Get-PnPRoleDefinition

# Custom permission levels without "View Application Pages" (ViewFormPages).
# The results are assigned to variables to avoid format-output errors.
$roleDefContribute = Add-PnPRoleDefinition -RoleName $paContribute -Clone "Contribute" `
    -Exclude ViewFormPages
$roleDefRead = Add-PnPRoleDefinition -RoleName $paRead -Clone "Read" `
    -Exclude ViewFormPages

# Creates the two groups if they do not exist yet
$readers = Get-PnPGroup -Identity $readersName -ErrorAction Ignore
$members = Get-PnPGroup -Identity $membersName -ErrorAction Ignore
$readersExisted = ($null -ne $readers)
$membersExisted = ($null -ne $members)
if (!$readersExisted) {
    $readers = New-PnPGroup -Title $readersName
}
if (!$membersExisted) {
    $members = New-PnPGroup -Title $membersName
}

# Iterates through the specified lists and configures each one
$listNames | ForEach-Object {
    $listName = $_
    $list = Get-PnPList -Identity $listName -Includes HasUniqueRoleAssignments,Title

    if ($list.HasUniqueRoleAssignments -and !$keepOtherGroupsPermissions) {
        # Resets role inheritance so it can be broken again below, clearing existing permissions
        $list.ResetRoleInheritance()
        $list.Context.Load($list)
        Invoke-PnPQuery
    }

    # Excludes the list from search results
    $list.NoCrawl = $true
    $list.Update()

    # Breaks role inheritance if that was not done before
    if (!$list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($keepOtherGroupsPermissions, $false)
    }
    $list.Context.Load($list)
    Invoke-PnPQuery

    if ($keepOtherGroupsPermissions -and ($membersExisted -or $readersExisted)) {
        # When current permissions are kept, remove every existing role from the
        # two groups first so that only the custom levels are granted below
        $existingRoleDefinitions | ForEach-Object {
            if ($membersExisted) {
                Set-PnPListPermission -Identity $listName -Group $membersName `
                    -RemoveRole $_.Name -ErrorAction Ignore
            }
            if ($readersExisted) {
                Set-PnPListPermission -Identity $listName -Group $readersName `
                    -RemoveRole $_.Name -ErrorAction Ignore
            }
        }
    }

    # Grants the right permissions to the groups
    Set-PnPListPermission -Identity $listName -Group $membersName `
        -AddRole $paContribute
    Set-PnPListPermission -Identity $listName -Group $readersName `
        -AddRole $paRead
}

Disconnect-PnPOnline
```
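To confirm the configuration took effect, the following audit (an added example, not part of the original post) reports for each list whether it is excluded from search, whether it has unique permissions, and which principals still hold a permission level that includes View Application Pages. It assumes an open PnP session to the site (run it before `Disconnect-PnPOnline`) and reuses the sample list names from the script above.

```powershell
# Added example: audits the lists configured above. Assumes Connect-PnPOnline
# has already been called for the site; the list names are the sample names used above.
$listNames = @("Test List", "Second Test List")
$viewPages = [Microsoft.SharePoint.Client.PermissionKind]::ViewFormPages

$report = foreach ($listName in $listNames) {
    $list = Get-PnPList -Identity $listName `
        -Includes Title, NoCrawl, HasUniqueRoleAssignments, RoleAssignments
    if ($null -eq $list) {
        Write-Warning "List '$listName' was not found"
        continue
    }

    foreach ($assignment in $list.RoleAssignments) {
        # Load the principal and the permission levels bound to it on this list
        Get-PnPProperty -ClientObject $assignment `
            -Property Member, RoleDefinitionBindings | Out-Null

        # Permission levels that still contain "View Application Pages"
        $uiRoles = @($assignment.RoleDefinitionBindings |
            Where-Object { $_.BasePermissions.Has($viewPages) })

        [pscustomobject]@{
            List              = $list.Title
            NoCrawl           = $list.NoCrawl
            UniquePermissions = $list.HasUniqueRoleAssignments
            Principal         = $assignment.Member.Title
            Roles             = ($assignment.RoleDefinitionBindings |
                                    ForEach-Object { $_.Name }) -join ', '
            CanViewAppPages   = ($uiRoles.Count -gt 0)
        }
    }
}

# Principals that keep View Application Pages on a configured list
$report | Where-Object { $_.CanViewAppPages } |
    Format-Table List, Principal, Roles -AutoSize

# Lists that are still crawled or still inherit permissions from the site
$report | Where-Object { -not $_.NoCrawl -or -not $_.UniquePermissions } |
    Select-Object List, NoCrawl, UniquePermissions -Unique
```

When other groups' permissions are kept on the list, those groups appear in the first table with their original permission levels, which shows who can still reach the list UI.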
Source: https://www.cnblogs.com/TheMiao/p/15027266.html