2016 – Can I set up a custom permission level that permits CRUD operations through the REST API only?

I have JavaScript applications that use group memberships to control access to items in lists. I only want users to be able to interact with the data using these JavaScript applications. I want to prevent users from interacting with the data using out-of-the-box SharePoint GUI, such as list views.

I tried setting up users with Records Web Center Service Submitters or Restricted Interfaces for Translation, but this is insufficient. The user cannot read the data in the lists or libraries.

My current solution does this:

  • Grant the user Contribute permissions on the list.
  • Edit each public view of the list, edit the web part displaying the contents of the list, and use Target Audiences to restrict visibility of the contents of the list to those groups which should have access.

I would prefer to be able to set up a Custom Permission Level with Add Items, Edit Items, Delete Items, View Items, Use Remote Interfaces, and Open, but without View Pages. However, SharePoint automatically enables View Pages when I select any of Add Items, Edit Items, Delete Items, or View Items. Similarly, SharePoint automatically disables Add Items, Edit Items, Delete Items, and View Items when I deselect View Pages.

Is there a way to set up a Custom Permission Level as described above so that a user can use my JavaScript application to interact with the list but not have access to interact with the list using SharePoint’s out-of-the-box UI?

Note: I am working in SP 2016 on-premises. If you identify a SharePoint Online solution, please provide documentation on how to adapt that solution for 2016.