Managing Security Roles in Power Apps: Part 1

PowerApps is one of the constituents of the Microsoft Power platform and is used for multiple functionalities and most of the time while working with the sensitive data stored in the company’s SharePoint site, which is not meant for all the users in the organization and a strong approach is to be needed to hide this data from those users.

One should plan the role-based security to maintain and check which data needs to be available and which role, making PowerApps app development easier.

Let's assume we have an organization where an employee wants to apply for a leave, he submits a request in a PowerApps app which creates an entry in the SharePoint list after which the manager then approves or rejects the request.

The key requirement is that we don't want users to access the approvals page. Only approvers can access the records and make a decision on them.

To achieve this, we can add a condition that says if the current user is a member, then don’t show the ‘Approvals’ button. If the user is an Approver, then show the button.

Let’s define the users’ roles:

• We have users that can only submit a request. Let’s call them
• We have users that are managers that can submit a request and Approves requests of Members. Let’s call them
• Let’s make some users Admins and give full access.

1. Navigate to ‘https://make.powerapps.com/’.
2. Select the ‘Blank app’ tile.

3. Click on the ‘Create’ button under the ‘Blank canvas app’.

4. Assign an ‘App name’ and select the ‘Format’, either Tablet or Phone, and select the ‘Create’ button on the bottom of the popup.

5. Here you go, your new app is created and opened in Edit Mode.

To manage the security, the first thing required is when a user uses this app, we need to know what security role has been assigned to him.

Once we have this information, we can add the conditions stating: if the user is a manager, then show the approval button.

To achieve this, we need a way to store the roles of users (defined in the above section) and retrieve that information in the PowerApps App.

Look at the below screens:

• First Image shows a login from an Admin user
• The second one shows a login screen from a member user.
• Once we know the current user is Admin, we will

Not only do we need to save the role definitions somewhere, but we also need to map these roles to individual users. To provide this functionality in canvas PowerApps, we can introduce an additional screen and add a gear icon (settings icon) on the top right of the home screen to navigate to this screen.

In our current scenario, the following are the business rules we are applying.

• Members cannot change the roles of any user.
• Managers can change the roles of members and fellow managers.
• Admins can change the roles of members, managers, and fellow admins.

As we see in the below screens, Admins have an extra tab to access, and Managers don’t. We will hide the Gear Icon for the members on the home screen as they will not be having access to this screen.

We have outlined the best three ways that we think are beneficial for different use cases and keep the operations and maintenance relatively low in the long run.

We will be discussing the following three ways as listed below:

1. Using multiple SharePoint lists
2. Using SharePoint Groups
3. Using Item level permission

Before taking our next step, you should know how to create a basic SharePoint list and add custom columns to it. If you already understand how to do this step, you can skip the next section and move on to Using multiple SharePoint Lists (anchor tag).

1. Browse to your SharePoint site, click “+ New,” and select “List” from the dropdown list.

2. In the opened pop-up select the Blank list option from the options.

3. A pop-up will appear, assign a name and description, and click the Create

1. Browse to SharePoint List and select the ‘+ Add column’ tab alongside the ‘Title’ column.

2. Select desired column type from the dropdown.

3. In the Create a column panel, in the Name field, enter a title or column heading.

4. Enter any other required information. The number of fields will vary with the column type you choose. The above example is for a ‘Single line of text’ field.
5. Select Save

The primary concept behind this approach involves utilizing a SharePoint List to store user information associated with specific roles. When the app is loaded, the data from this list will be retrieved, and a search will be conducted to identify whether the current user's details are found within it. The presence of such details signifies that the current user holds the corresponding role. We will create a Role management screen to add or remove members from the Groups.

• We will add a ‘Combo box’ to see members of our organization.
• We will add a ‘Button’ to add the selected member of the ‘Combo box’ to a group.
• We will add a gallery to show the current members of a role and give an icon to remove the selected member from the SharePoint List.

For our scenario, we will create three lists for Member, Manager, and Admin.

To begin with, we will create a list for each role. You can follow the above-mentioned steps for list creation (How to Create SharePoint Lists).

As shown in the above image, we need to create four columns (How to add Columns to SharePoint List) with the following titles and details:

• Title - (Default column) Single line of text column to store Display Name of User.
• Email – Column to store users’ email.
  • Type: Single line of text
• Member User – Column to store the user as a person.
  • Type: Person or Group
• UPN – Column to store UPN of users.
  • Type: Single line of text

1. Navigate to ‘https://make.powerapps.com/’.
2. Select ‘Apps’ on the left navigation to access the apps you created.

3. Select your app and click on ‘Edit’ on the top toolbar.

4. After the app opens in Edit mode, select the first screen from the list of screens. It is recommended to use the below code on the ‘OnVisible’ of the first screen (You will have the security role immediately when a user opens the app).

5. Click on the property dropdown and change it to ‘OnVisible’.

6. Add the following code in the formula bar which will be used to identify the currently logged-in user role.

1. Section a in the above image will help us Filter the Role List by comparing UPN or Email column in the list to the current user’s Email.
   
   1. ClearCollect(‘Collection Name’, Filter(‘List Name’, ‘email column’ = User().Email))
2. Section b will help Initializing Global variables to store the user’s current role and set them to false.
   
   1. Set(‘Variable Name’, ‘value’);
3. Section c will help in Checking the entries inside the collection we filtered in the ‘a’ step. If the filtered collection contains data, then it means the user belongs to that Security Role.

Now from the previous steps, we have identified the role of the currently logged-in user. We should be able to manage the roles from the app itself. We will create a Navigation screen with three buttons that will navigate us to the Role Management Screen of the selected role.

1. Select ‘+ New screen’ on the left panel to create a screen.

2. Select Blank from the opened Layout Popup.

3. On the top toolbar, click on the ‘Insert’ tab and select the ‘Button’, which adds a button on your screen. Create a total of 3 buttons.

4. Design the buttons as per your requirements.
5. Select a button and change the text that appears on the button using the right property pane.

6. Click on ‘Advanced’ on the right panel and click on ‘OnSelect’ to edit the formula.

7. Edit the formula and add a Navigate function – Navigate(‘Name of the screen’).

8. This is what the Role Management screen for Admins will look like.

9. As we created a total of three buttons, follow the 7^th step to add the navigation function for the other two buttons.

Once you are on the role management Screen, 

1. Navigate to the ‘Insert’ tab, click on ‘Input’, and select the ‘Combo box’ control on the dropdown.

1. Select the 'Data' tab in the left pane and click on '+Add data'

2. Expand the ‘Connectors’ tab on the overlay screen and select ‘Office 365 Users’.

3. Select a connection from the list.

4. Select the ‘Combo box’ you created and click on the ‘Data source’ property in the right pane.

5. Your Text Cursor is now on the formula bar of the ‘Items’ property, Add SearchUser({searchTerm: Self.SearchText}) to the formula bar.

6. As the ‘Combo box’ is still selected, toggle ‘Allow multiple selections’ ‘off’ and ‘Allow Searching’ ‘on’ on the right property pane.

7. Click on the ‘Edit’ button which opens the ‘Fields’ layout overlay. Change the ‘Primary text’ to ‘DisplayName’ and ‘SearchField’ to ‘DisplayName’.

2. From the insert tab, click on ‘Input’ and Select ‘Button’ control on the dropdown.

1. Select ‘OnSelect’ property for the button and add the following formula

Patch(

    'Admin Users',

    Defaults(‘Role SharePoint List'),

    {Title: First(‘Your Combo box’. SelectedItems).DisplayName},

    {

        'Member User': {

            '@odata.type': "#Microsoft.Azure.Connectors .SharePoint.SPListExpandedUser",

            Claims: "i:0#.f|membership|" & Lower(First(ComboBox1. SelectedItems).Mail),

            Department: "",

            DisplayName: First(‘Your Combo box’. SelectedItems).DisplayName,

            Email: First(‘Your Combo box’. SelectedItems).Mail,

            JobTitle: "",

            Picture: ""

        }

    },

    {Email: First(‘Your Combo box’. SelectedItems).Mail},

    {UPN: First(‘Your Combo box’. SelectedItems).UserPrincipalName}

)

The above code contains a patch function that creates a new record by taking the data from the Combo box that we created.

1. Select ‘OnSelect’ property for the button and add the following formula

Patch(

    'Admin Users',

    Defaults(‘Role SharePoint List'),

    {Title: First(‘Your Combo box’.SelectedItems).DisplayName},

    {

        'Member User': {

            '@odata.type': "#Microsoft.Azure.Connectors.SharePoint.SPListExpandedUser",

            Claims: "i:0#.f|membership|" & Lower(First(ComboBox1.SelectedItems).Mail),

            Department: "",

            DisplayName: First(‘Your Combo box’.SelectedItems).DisplayName,

            Email: First(‘Your Combo box’.SelectedItems).Mail,

            JobTitle: "",

            Picture: ""

        }

    },

    {Email: First(‘Your Combo box’.SelectedItems).Mail},

    {UPN: First(‘Your Combo box’.SelectedItems).UserPrincipalName}

)

The above code contains a patch function that creates a new record by taking the data from the Combo box that we created.

3. Click on ‘Gallery’ on the toolbar and select ‘Blank vertical’.

1. Click on the dropdown beside ‘Data source’ in the property pane and select a SharePoint list that stores the current role.

2. Click on ‘Add an item from the Insert pane’ text on the gallery and add two ‘Text label’ controls and a ‘Trash’ icon from the Left ‘Insert’ pane.

3. The created labels are to display ‘DisplayName’ and ‘Email Address’, The ‘Trash’ Icon is to delete the selected record from the SharePoint List. Insert the below code into ‘OnSelect’ property of the icon.

By using multiple SharePoint lists, we can effectively manage user roles and permissions. However, there are other methods that can also be beneficial depending on the specific requirements of your organization. Continue to Part 2 to explore how to use SharePoint Groups to manage security roles in PowerApps.