Forum Discussion

Inkey_Solutions
Copper Contributor
Jan 04, 2022

Restrict users to access list using REST API

Hello,

 

I have made a list in SharePoint, and I want to restrict the Users to access the list via REST API.

So how can I turn off the ability for the users to access the list via REST API, so that they cannot make any changes to the list using this feature.

 

Can someone help me, regarding the same?

Thank you.

  • Unfortunately, it is not possible within SharePoint Online (not sure for on-prem though).

    If a user has the right to access / read / modify a list with SharePoint permissions, it will be possible too with REST / CSOM / Graph (if he has the right to use these APIs).
    • Inkey_Solutions
      Copper Contributor
      Hello Thijoubert,

      Thanks for the quick reply.

      Users have access to SharePoint list but I want to restrict them to call APIs. Is there any way to achieve this?
      • thijoubertold
        Iron Contributor
        If the user has access to the SharePoint list, he is theoretically able to access it through the APIs (if he is skilled enough + has the rights to use / consent APIs)...
        To my knowledge, you cannot block it.
  • Might I ask the scenario / use case you have here? To be able to use the REST API you need to be quite skilled and also to have the required permissions not only to interact with the SharePoint content but also to deploy artifacts that make use of SPO APIs and even PowerShell. Of course, there are "some tools" that potentially could enable anyone to use SPO APIs, such as the Graph Explorer, Postman, etc.
    • Inkey_Solutions
      Copper Contributor

      Hello jcgonzalezmartin,

      Thank you for your reply. I am trying to make an app which performs CRUD operations in Power Apps, wherein the data source passed is a SharePoint List. And I want the users to access those SharePoint Columns only via the Power Apps, and not directly by the SharePoint Site. So that, even if they get the source to the SharePoint site, they might be restricted to the View Mode.

       

      Please reply, if you can help me in any way.

      Thank you.

      • jcgonzalezmartin
        MVP
        That's a different scenario... unfortunately, if the users discover the site and they have collaboration rights there, they are going to be able to modify data directly in the site. There are two possible workarounds for you here:
        (1) Hide the Lists and Document Libraries used in the PowerApp: https://www.c-sharpcorner.com/article/how-to-hide-sharepoint-list-using-pnp-powershell/
        (2) Force a redirect to the SPO home page for any user trying to access the site: develop an SPFx extension that prevents any user except specific ones from accessing the site.
