Managing Security Roles in Power Apps: Part 2

This blog explores three methods to manage security roles in PowerApps: using multiple SharePoint lists, SharePoint Groups, and item-level permissions. Each method offers unique advantages for role-based access control, ensuring sensitive data is accessible only to authorized users. Step-by-step guidance is provided for setting up these methods and integrating them within PowerApps to enhance data security and streamline app development.
Table of contents
1. Using SharePoint Groups
• How to create SharePoint Groups
• Steps to follow in PowerApps
• Manage members for a role
• Steps to create Role Management Screen
2. Using Item-level permission
• Initial Steps to follow in SharePoint
• Steps to follow in the app
3. Conclusion

In this section, we will discuss how to utilize SharePoint Groups to manage security roles in PowerApps. This method provides a different approach to achieve role-based access control, offering flexibility and ease of management.

For an introduction to this topic, see Part 1 of this blog.

Using SharePoint Groups

In this method, we create one group per role to hold its members, retrieve each group's membership in the Power Apps app through the Office 365 Groups connector, and save it in a collection. We then look for the currently logged-in user's UPN in each collection to determine the user's role. The groups are Microsoft 365 Groups created in the Microsoft 365 admin center, which is what the Office 365 Groups connector operates on; they are distinct from the SharePoint site groups (Owners, Members, Visitors) shown on a site's permissions page.

We will create a Role management screen to add or remove members from the Groups.

  • We will add a ‘Combo box’ to see members of our organization.
  • We will add a ‘Button’ to add the selected member of the ‘Combo box’ to a group.
  • We will add a gallery to show the current members of a role and give an icon to remove the selected member from the group.

How to create SharePoint Groups

  1. Go to https://admin.microsoft.com/, click on the "Teams & groups" tab on the left navigation, and click "Active teams & groups".
  2. Select the "Add a group" button.
  3. Keep the default option "Microsoft 365" at "Choose a group type" and press Next.
  4. Fill in the Name and Description on the "Set up the basics" page.
  5. Assign the owner to the group: click "Assign owners" and select from the right pane. Owners are the accounts allowed to change the group's membership, so they are also the people who can change the role from outside the app.
  6. Add the initial members in the same way and go to Next. This step is optional; you can add members later.
  7. Assign a group email address, uncheck "Create a team for this group", and press Next.
  8. The last step is to review the information you entered and click on "Create group".
  9. Browse to https://admin.microsoft.com/#/groups to check the group you created.
  10. Click on the group to see its details.
  11. Check the address bar and copy the ID at the end of the URL for later use, e.g. "https://admin.microsoft.com/#/groups/:/TeamDetails/28b43a6b-3518-4d19-b4ba-8dd62d6ebbcb".

For our scenario, we need three groups: Admin, Manager, and Member. Note the ID of each one.

Steps to follow in PowerApps

  1. Navigate to https://make.powerapps.com/.
  2. Select 'Apps' on the left navigation to access the apps you created.
  3. Select your app and click on 'Edit' on the top toolbar.
  4. After the app opens in Edit mode, select the Data tab on the left panel and click on '+ Add data'.
  5. Expand the Connectors dropdown and select 'Office 365 Groups'.
  6. Select a connection from the list.
  7. Select 'Tree view' on the left navigation panel to go back to the list of screens.
  8. Select the first screen from the list of screens. It is recommended to put the code below on the 'OnVisible' of the first screen (or in App.OnStart) so that the security role is known as soon as a user opens the app.
  9. Click on the property dropdown and change it to 'OnVisible'.
  10. Add the following code in the formula bar; it identifies the currently logged-in user's role. The connector calls run as the signed-in user, so that user must be able to read the groups' membership.

// (a) Collect the members of each role group. Replace "Group ID" with the ID copied from the admin center.
ClearCollect(GroupAdminUsers, Office365Groups.ListGroupMembers("Group ID").value);
ClearCollect(GroupManagerUsers, Office365Groups.ListGroupMembers("Group ID").value);
ClearCollect(GroupMemberUsers, Office365Groups.ListGroupMembers("Group ID").value);
Concurrent(
    // (b) Keep only the rows whose UPN matches the signed-in user
    ClearCollect(colAdminUsers, Filter(GroupAdminUsers, userPrincipalName = User().Email)),
    ClearCollect(colTeamManagers, Filter(GroupManagerUsers, userPrincipalName = User().Email)),
    ClearCollect(colTeamMembers, Filter(GroupMemberUsers, userPrincipalName = User().Email)),
    // (c) Initialise the role flags
    Set(IsAdmin, false),
    Set(IsTeamManager, false),
    Set(IsTeamMember, false)
);
// (d) A non-empty filtered collection means the user is in that role
If(CountRows(colAdminUsers) > 0, Set(IsAdmin, true));
If(CountRows(colTeamManagers) > 0, Set(IsTeamManager, true));
If(CountRows(colTeamMembers) > 0, Set(IsTeamMember, true));

  1. Section (a) in the formula above collects the members of a group into a collection. Use the Group ID we copied earlier.
    1. ClearCollect('Collection Name', Office365Groups.ListGroupMembers("Group ID").value)
    2. The Group ID comes from the end of the URL when we view the details of the group (refer to the steps in "How to create SharePoint Groups").
  2. Section (b) filters the role list collected in step (a) by comparing the userPrincipalName column in the collection to the currently logged-in user's email.
    1. ClearCollect('New Collection Name', Filter('Collection Name from above step', userPrincipalName = User().Email))
  3. Section (c) initialises the global variables that store the user's current role and sets them to false.
    1. Set('Variable Name', 'value');
  4. Section (d) checks the entries inside the collections filtered in step (b). If a filtered collection contains data, the user belongs to that security role.
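The same check written once over a table of roles rather than copied per group, as an added example (not code from the original post): colRoleGroups maps each role name to its group ID, a single ForAll queries every group, and both sides of the comparison are lower-cased so a casing difference between the directory's userPrincipalName and User().Email cannot produce a false negative. The group IDs are placeholders, and colRoleGroups, varMyUpn and colMyRoles are names assumed for this example; IsAdmin, IsTeamManager and IsTeamMember are the same variables used above.

```powerfx
// Added example: data-driven role resolution for the first screen's OnVisible (or App.OnStart).
// The group IDs below are placeholders; paste the IDs copied from the admin center.
ClearCollect(colRoleGroups,
    { Role: "Admin",   GroupId: "00000000-0000-0000-0000-000000000001" },
    { Role: "Manager", GroupId: "00000000-0000-0000-0000-000000000002" },
    { Role: "Member",  GroupId: "00000000-0000-0000-0000-000000000003" }
);

// Normalise the signed-in user's UPN once, so every comparison below is case-insensitive
Set(varMyUpn, Lower(User().Email));

// Resolve roles: one connector call per group, each running as the signed-in user
Clear(colMyRoles);
ForAll(colRoleGroups As rg,
    If(
        CountRows(
            Filter(
                Office365Groups.ListGroupMembers(rg.GroupId).value,
                Lower(userPrincipalName) = varMyUpn
            )
        ) > 0,
        Collect(colMyRoles, { Role: rg.Role })
    )
);

// Flags used by the rest of the app; 'in' against a single-column table is a membership test
Set(IsAdmin,       "Admin"   in colMyRoles.Role);
Set(IsTeamManager, "Manager" in colMyRoles.Role);
Set(IsTeamMember,  "Member"  in colMyRoles.Role);
```

Adding a role is then a new row in colRoleGroups rather than three more formulas. Keep in mind that ListGroupMembers returns members in pages, so for a large group confirm that the call returns the full membership before trusting an empty filter result, and that these flags only control what the app renders; they do not change what the connectors return for that user.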

Manage members for a role

Refer to "Steps to create Navigation Screen" to build a navigation screen from which users reach the Role Management screen. Show the link to that screen only when IsAdmin is true; the group owner permission in the tenant is what actually stops non-owners from changing membership.

Steps to create Role Management Screen

Once you are on the Role Management screen:

  1. Navigate to the 'Insert' tab, click on 'Input', and select the 'Combo box' control in the dropdown.
  2. Select the 'Data' tab in the left pane and click on '+ Add data'.
  3. Expand the 'Connectors' tab on the overlay screen and select 'Office 365 Users'.
  4. Select a connection from the list.
  5. Select the 'Combo box' you created and click on the 'Data source' property in the right pane.
  6. Your text cursor is now in the formula bar of the 'Items' property. Add Office365Users.SearchUser({searchTerm: Self.SearchText}) to the formula bar (the function has to be qualified with the connector name).
  7. With the 'Combo box' still selected, toggle 'Allow multiple selections' off and 'Allow searching' on in the right property pane.
  8. Click on the 'Edit' button, which opens the 'Fields' layout overlay. Change 'Primary text' to 'DisplayName' and 'SearchField' to 'DisplayName'.
  9. Click on 'Input' and select the 'Button' control in the dropdown.
  10. Select the 'OnSelect' property of the button and add the following formula:

Office365Groups.AddMemberToGroup("Group ID", First('Combobox'.SelectedItems).UserPrincipalName);

ClearCollect(GroupAdminUsers,Office365Groups.ListGroupMembers("Group ID").value);

The above code adds the selected member to the group and then refreshes the collection we hold for that role. Both calls run under the signed-in user's connection, so AddMemberToGroup succeeds only for a user the tenant allows to manage that group (for a Microsoft 365 Group, one of its owners); the IsAdmin flag only decides whether the screen is shown.

  1. Click on 'Gallery' on the toolbar and select 'Blank vertical'.
  2. Click on the dropdown beside 'Data source' in the property pane and select the collection that holds the members of the current role.
  3. Click on the 'Add an item from the Insert pane' text in the gallery and add two 'Text label' controls and a 'Trash' icon from the left 'Insert' pane.
    1. The labels display 'displayName' and 'userPrincipalName'.
    2. The 'Trash' icon removes the selected member from the group. Insert the code below into the 'OnSelect' property of the Trash icon.

Office365Groups.RemoveMemberFromGroup("Group ID",ThisItem.userPrincipalName);

ClearCollect(GroupAdminUsers,Office365Groups.ListGroupMembers("Group ID").value);
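A version of the Role Management screen whose target group follows a role drop-down, as an added example (not code from the original post): the group ID is taken from the selected role instead of being hard-coded in each button, a blank selection is rejected before any connector call, and a rejected call is reported rather than silently leaving the gallery stale. The control names (ddRole, cbUser, btnAdd, galMembers, icoRemove), the collection names and the group IDs are assumptions; IfError and FirstError need the app's formula-level error management setting to be enabled.

```powerfx
// Added example. Each "// name.Property" header shows which property the formula goes into.

// scrRoleManagement.OnVisible: role-to-group map (placeholder IDs) and an empty member list
ClearCollect(colRoleGroups,
    { Role: "Admin",   GroupId: "00000000-0000-0000-0000-000000000001" },
    { Role: "Manager", GroupId: "00000000-0000-0000-0000-000000000002" },
    { Role: "Member",  GroupId: "00000000-0000-0000-0000-000000000003" }
);
Clear(colSelectedRoleMembers);

// ddRole.Items (set the drop-down's Value to Role so the name is displayed)
colRoleGroups

// ddRole.OnChange: load the members of the chosen role
ClearCollect(colSelectedRoleMembers,
    Office365Groups.ListGroupMembers(ddRole.Selected.GroupId).value);

// cbUser.Items: single selection, searching on DisplayName
Office365Users.SearchUser({ searchTerm: Self.SearchText })

// btnAdd.OnSelect
If(
    IsBlank(ddRole.Selected) || IsBlank(cbUser.Selected),
    Notify("Choose a role and a user first.", NotificationType.Warning),
    IfError(
        Office365Groups.AddMemberToGroup(ddRole.Selected.GroupId, cbUser.Selected.UserPrincipalName),
        // The connector runs as the signed-in user; the tenant rejects the call if that user
        // may not manage the group, whatever the app's own role flags say.
        Notify("Could not add member: " & FirstError.Message, NotificationType.Error),
        // No error: refresh only the role that changed
        ClearCollect(colSelectedRoleMembers,
            Office365Groups.ListGroupMembers(ddRole.Selected.GroupId).value)
    )
);

// galMembers.Items
colSelectedRoleMembers

// icoRemove.OnSelect (icon inside galMembers)
IfError(
    Office365Groups.RemoveMemberFromGroup(ddRole.Selected.GroupId, ThisItem.userPrincipalName),
    Notify("Could not remove member: " & FirstError.Message, NotificationType.Error),
    ClearCollect(colSelectedRoleMembers,
        Office365Groups.ListGroupMembers(ddRole.Selected.GroupId).value)
);
```

With the three-argument form of IfError the last argument runs only when the connector call succeeded, so the gallery is refreshed exactly when the directory actually changed.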

Using Item-level permission

This method uses a SharePoint list in which every item has unique permissions granted only to the users in the role that item represents. The app then reads the list; SharePoint returns only the items the currently logged-in user is permitted to read, so the user gets the items for their roles and nothing for the others. Unlike the previous two methods, the access check here is enforced by SharePoint rather than by a comparison done inside the app.

Note: Before following the steps below, make sure you are using an admin account that has access to all the roles; otherwise you will lock yourself out of items as you remove the inherited permissions.

Initial Steps to follow in SharePoint:

  1. Create a SharePoint list (How to Create SharePoint Lists).
  2. Open the list we created and select '+ New'.
  3. Assign a 'Title' that represents a security role and click on the 'Save' button.
  4. Repeat the previous step to create one item per role.
  5. Click on the 'Show actions' icon on an item.
  6. Select 'Manage access' from the dropdown of actions.
  7. Click on 'Advanced' at the bottom of the dialog box.
  8. Click on "Stop Inheriting Permissions" to make this item's permissions independent from the list.
  9. Select 'OK' on the website's dialog box.
  10. Click on 'Grant Permissions' on the top toolbar.
  11. Search for the name of the admin account you are currently using and select it from the dropdown. Then search for all the accounts that belong to this role and add them.
  12. Click on 'SHOW OPTIONS' to open the extra options.
  13. Just under 'Select a permission level', the dropdown defaults to 'Edit'. 'Read' is enough for the app to return the item; 'Full Control' additionally lets the people in that role edit the item's own permissions, which in effect lets them add or remove others from the role, so grant it only where that is intended.
  14. Click on the 'Share' button to grant permissions.
  15. Refresh the permissions page to get the latest information. Then select all the SharePoint groups or members listed except the ones you granted permissions in the step above and click on 'Remove User Permissions'.

Note: If you remove every user and group from the item's permissions, nobody can reach it through the app any more (a site collection administrator can still restore the permissions).

  16. Select 'OK' on the website's dialog box.
  17. Do the same for the remaining items in the list: stop inheriting permissions, then remove or grant permissions to the people or groups for that item (following the steps above).

Steps to follow in the app:

  1. Navigate to https://make.powerapps.com/.
  2. Select 'Apps' on the left navigation to access the apps you created.
  3. Select your app and click on 'Edit' on the top toolbar.
  4. Select the 'Data' tab on the left navigation and click on '+ Add data'.
  5. Click on the 'Connectors' dropdown to expand the list of connectors and select 'SharePoint'.
  6. Select a connection.
  7. Select the SharePoint site where we created the SharePoint list.
  8. Select the list we created and click on 'Connect'.
  9. Select the first screen from the list of screens.
Note: It is recommended to use the code below on the 'OnVisible' of the first screen (you will have the security role immediately when a user opens the app).
  10. Click on the property dropdown and change it to 'OnVisible'.
  11. Add the following code in the formula bar; it identifies the currently logged-in user's role.
    1. Use 'ClearCollect' to get the values from the SharePoint list. Because the items carry unique permissions, only the items the signed-in user can read are returned.
       ClearCollect('Collection Name', 'SharePoint List');
    2. Use the 'in' operator to check whether a role title exists in the collection. If it returns true, the current user belongs to that role; set a variable to true and use that variable wherever you need to check permission in the app.
       If("Role Name" in 'Collection Name'.Title, Set('Variable Name', true));

You can follow the same formulas or the architecture I showed earlier to use the roles to restrict access.

Note: With this method you cannot manage users' roles from within the Power Apps app. Go to each item's permissions page to manage who holds that role.
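Deriving the flags from the permission-trimmed list and then using them to gate a screen, as an added example (not code from the original post). RoleItems (a list whose Title column holds the role name, one item per role with unique permissions), scrHome, scrAdmin, btnOpenAdmin and btnDelete are assumed names. Because SharePoint trims the query to the items the signed-in user may read, the collection contains exactly that user's roles; the screen gate then sends anyone without the Admin role back instead of relying on a hidden button alone.

```powerfx
// Added example. Each "// name.Property" header shows which property the formula goes into.

// scrHome.OnVisible: only the role items the signed-in user has permission on are returned
ClearCollect(colMyRoleItems, RoleItems);
Set(IsAdmin,       "Admin"   in colMyRoleItems.Title);
Set(IsTeamManager, "Manager" in colMyRoleItems.Title);
Set(IsTeamMember,  "Member"  in colMyRoleItems.Title);
If(
    CountRows(colMyRoleItems) = 0,
    Notify("No role has been assigned to your account.", NotificationType.Error)
);

// btnOpenAdmin.Visible: the link to the protected screen is shown to admins only
IsAdmin

// scrAdmin.OnVisible: gate the whole screen, not just the button that leads to it
If(
    !IsAdmin,
    Notify("You are not authorised to open this screen.", NotificationType.Error);
    Navigate(scrHome, ScreenTransition.None)
);

// btnDelete.DisplayMode: managers and admins may delete, everyone else sees it disabled
If(IsAdmin || IsTeamManager, DisplayMode.Edit, DisplayMode.Disabled)
```

The flags are still only a rendering decision. Every data call the app makes runs as the signed-in user, so the SharePoint permissions on the data the app works with, not the IsAdmin variable, are what decide what that user can actually read or change.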

Conclusion

This blog demonstrates three ways to determine a user's roles. Once you have role-based security in Power Apps, you can control the user's access to screens and information from within the app. Before using these methods, plan how many roles you need and what type of access each provides, then decide which method to use. All of them have advantages and disadvantages, so choose based on the use case. In every case, remember that variables set in the app only control what the app shows; the data sources are accessed as the signed-in user, so anything that user can reach through the connector remains reachable regardless of the app's role flags.

  1. In the first method, anyone with access to the SharePoint lists can change the role data. If you are building a solution in which users do not have access to the SharePoint lists, this method is good.
  2. The second method is slightly different from the first and has no problem if users have access to SharePoint lists, because the roles live in groups. Membership can be managed from the app, but whoever manages it from the backend must know how Microsoft 365 groups work, and only a group owner (or a directory administrator) can change membership.
  3. The third method uses item-level permissions. It does not provide a way to manage roles from the app, but it removes the hassle of maintaining multiple SharePoint lists and groups, and it is the one method where SharePoint itself enforces which role items a user can see.
Written & Reviewed by Jasjit Chopra, Chief Executive Officer