Total Pageviews

19 Jul 2018

Can PowerApps and MS Flow run with elevated privileges?

No, MS Flow and PowerApps are using current user's account.

Setup #1:
- User "Admin" creates a PowerApp that uses SharePoint List as a datasource
- User "Reader" gets Edit access to this app via Sharing, but this user has no permissions to the SharePoint list whatsoever.

What will happen?

Results:
- The "Reader" can open the PowerApp, but as soon as they try to create a new list item - they get an error:
There was a problem saving your change. The data source may be invalid.



Conclusion:
PowerApps use current user's permissions and don't have "run with elevated privileges" functionality.


Setup #2
- User "Admin" creates a PowerApp that uses SharePoint List as a data source
- User "Admin" creates a PowerApp button that runs an MS Flow that creates a list item in the SharePoint List
- User "Reader" gets Edit access to this app via Sharing, but this user has no permissions to the

Results:
- The "Reader" can open the PowerApp, but when they click on the button to run the flow that attempts to create a list item - nothing happens. In the MS flow history we see the 403 (Access denied) error:

System.UnauthorizedAccessException



Conclusion:
MS Flow that are run manually via a button in PowerApps use current user's permissions and don't have "run with elevated privileges" functionality.

P.S. MS Flows that are triggered on List Item Created / Updated are run using the credentials provided by the Flow author. So, depending on how the Flow was started - different credentials are used.




No comments:

Post a Comment