Restrict users to access list using REST API

Inkey_Solutions · ‎Jan 03 2022

Hello,

I have made a list in SharePoint, and I want to restrict the Users to access the list via REST API.

So how can I turn off the ability for the users to access the list via REST API, so that they cannot make any changes to the list using this feature.

Can someone help me, regarding the same?

Thank you.

thijoubertold · ‎Jan 03 2022

Unfortunately, it it not possible within SharePoint Online (not sure for on-prem though).

If a user has the right to access / read / modify a list with SharePoint permissions. It will be possible too with REST / CSOM / Graph (if he has the right to use these APIs).

Juan Carlos González Martín · ‎Jan 04 2022

Might I ask the scenario / use case you have here? To be able to use the API REST you need to be quite skilled and also to have required permissions not only to interact with the SharePoint Content but also to deploy artifacts that make use of SPO APIs and even PowerShell. Of course, there are "some tools" that potentially could enable anyone to use SPO APIs such as the Graph Explorer, Postman, etc

Inkey_Solutions · ‎Jan 04 2022

Hello Thijoubert,

Thanks for the quick reply.

Users have access to SharePoint list but I want to restrict them to call APIs. Is there any way to achieve this?

thijoubertold · ‎Jan 04 2022

If the user has access to the SharePoint list, he is theorically able to access it through the APIs (if he is skilled enough + has the rights to use / consent APIs)...
To my knowledge, you cannot block it.

Inkey_Solutions · ‎Jan 04 2022

Hello @Juan Carlos González Martín ,

Thank you for your reply. I am trying to make an app which performs CRUD operations in Power apps, where in the data source passed is SharePoint List. And I want the users to access those SharePoint Columns only via the Power Apps, and not directly by the SharePoint Site. So that, even if they get the source to the SharePoint site, they might be restricted to the View Mode.

Please reply, if you can help me in any way.

Thank you.

Inkey_Solutions · ‎Jan 04 2022

Hey @thijoubertold,

I know about the Graph API and stuffs, but can you please tell me which rights you are talking about? Thank you for your help.

Juan Carlos González Martín · ‎Jan 04 2022

That's a different scenario...unfortunately, if the users discover the site and they have collaboration rights there, they are going to be able to modify data directly in the site. There are tow possible workarounds for you here:
(1) Hide the Lists and Document Librararies used in the PowerApp: https://www.c-sharpcorner.com/article/how-to-hide-sharepoint-list-using-pnp-powershell/
(2) Force a redirect to the SPO home page to any user trying to access the site: Develop a SPFx extension that prevent any user except especific ones to access the site.

Inkey_Solutions · ‎Jan 05 2022

Thank you Juan, I will try these options out. And I will let you know if it works or not.

Inkey_Solutions · ‎Jan 05 2022

Thank you, for the reply. @Juan Carlos González Martín

I referred the link which you sent me. And after referring this link, I had some questions on which I need some help from you.

I had some questions @Juan Carlos González Martín ,

1. Does "after hiding" the SharePoint List, will the user be still able to access the List from the Power Apps, and make necessary changes via Power Apps only, if he has the required permissions to do so.

2. Plus, after hiding SharePoint List, would any user be able to make API calls to the List, if by any way he gets the URL of the List?

3. And does he require the URL to make API calls to the SharePoint list, at all?

I hope for a reply from you.

Thank you so much, @Juan Carlos González Martín

Inkey_Solutions · ‎Jan 05 2022

Thank you, for your help @thijoubertold.

As @Juan Carlos González Martín sent me the link, can you please help me out on the same? That whether or not the user would be able to access the SharePoint list via the API, if I am able to hide the SharePoint List using the PNP PowerShell.

And would the user still be able to access the SharePoint List using the Power Apps, if he has the permission and rights, keeping in mind, the list is still hidden in SharePoint.

And whilst, the list is hidden, can any technically smart person, be able to access to that List by making API calls to that list?

And do we need the URL to the SharePoint List, at all, in order to make the API CALL to the SP LIST?

Thank you so much for replying, @thijoubertold .

We hope a reply from you, @thijoubertold.

Juan Carlos González Martín · ‎Jan 06 2022

Hi,
My two cents here:
1. Yes, you are just hiding the list so users "apparently" only have the option to work with the data through the Power App
2. Yes, hiding does not prevent this,
3. Yes.

Inkey_Solutions · ‎Jan 06 2022

Thank you so much, @Juan Carlos González Martín , for your quick reply.

We need helpful people like you in this community. :)

Restrict users to access list using REST API

Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Re: Restrict users to access list using REST API

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Restrict users to access list using REST API