Implementing Role Based Security in Power Apps
Вставка
- Опубліковано 7 лип 2024
- In this video on Power Apps Role Based Security (Access Control), we will explore how to show hide buttons, controls or screens based on the logged in user's roles / security permissions.
PowerApps Role Based Security video covers the following scenarios:
✅ Using SharePoint Groups
✅ Using Office 365 Groups or Microsoft 365 Groups
✅ Using SharePoint list
✅ Using Azure AD Security Group
Table of Contents:
00:00 - Intro
00:36 - Role Based Security in PowerApps Scenario
01:39 - Security / Permissions for SharePoint Team site vs Communication site
03:50 - How does Power Apps sharing and security work with SharePoint
07:30 - Show data based on logged in user in Power Apps
10:05 - Show or hide button if user is in SharePoint list
14:28 - Show or hide button if user is in Office 365 or Microsoft 365 Group
17:48 - Show or hide button if user is in SharePoint Group
22:07 - Show or hide button if user is in Azure Active Directory Security Group
23:45 - Subscribe to Reza Dorrani channel
#PowerApps #SharePoint #RoleBasedApps
Great video again, Reza! Can't wait for more in this series
More to come!
Another brilliant tutorial Reza. Thanks for producing these they're an invaluable resource for people like me trying to get to grips with some of the features of Power Apps. Please keep them coming.
You are most welcome and I will try my best to keep them coming.
Faced with the role-based issue for the first time and of course the first and best source is your UA-cam channel! And I have not been disappointed - as always! :-)
Awesome! Thank You.
Wow Thanks UA-cam for recommending this channel. This just what I was looking for. Not wasting time. Everything to the point.
Thank you & welcome to my channel.
20:13 , It took me so much time to understand,even though you have clearly explained - show or hide button if user is in sharepoint Group. Wonderful logic, it speaks your experience.
Thanks for watching and liking the video.
Some topics are a little complex.
Great video Reza!! This is exactly what I was looking for enabling security to my powerapps..Thanks for making such wonderful videos with precise explanation!!
You're welcome!
Love this video. Brings together some many things that can be complicated and simplifies them
Thank You
Brilliant method, have used this method for the Sharepoint form so if users browse to it the fields can not be modified unless in m365 Group. Thank you Reza.
Glad it helped
Just what I needed. Very clear explanation. Thank you!
Great to hear!
Woww...I really liked your approach to check sharepoint group permission.In my solution, I used to flow to check this..but your approach is very easy and useful. I will implement this in my solution. Thanks Reza 😊
Great 👍
This is why I love UA-cam, Such potential would be wasted , What would we do without you YT? Thanks for connecting us with good producers like Reza. I promise i am a good consumer lol. Thanks Reza , As usual great content and applicable to most business needs.
Wow, thank you
SharePoint group idea was awesome.Thank you!
Glad to hear that! Thanks for watching.
Oh man this was nice. No more having to run a Flow to check the SharePoint group.
Absolutely. Simple approach to a common problem.
Thanks so much, Reza! Awesome, thats what I needed!
Glad to hear!
Goodness, real good video. Thanks. Anything that helps allocating roles and security is a good argument for power apps.
Totally agree!
Great job Reza! Congratulations!
Thanks
Wao !!! Great, now am going to check all of your videos on this series, Thank you.......
Glad you like them!
Thank you. Very useful, complete and clear content.
You are most welcome!
Thank you Reza ! the best of the best and everything is easy with u !
Wow, thanks
Great video as always, thanks.
I personally prefer listing names in an SPO list, rather than the admin overhead be to manage access to both the app as well as an alternative source (Azure, SharePoint groups). A list naming admins can also then be consumed in the same app, in the admin area, so any access changes can be performed in the same place as they’re doing everything else. Seems to make for a more centralised approach which can help those less tech-savvy to keep on top of access
Thanks.
I covered 4 scenarios for role based. All choices are valid and have their own pros/cons.
Awesome video Reza. You made it work.
Thanks
Great video as always, thanks.
Thanks for watching!
Amazing video, everything related to PowerApp security in single video. Great explanation :)
Thanks Farhan
Great video - helps a lot ❤. Can't wait for the next one in this series..
(Struggling with the SharePointlist holding the records where the users still ses all records when surfing to the site. Tried SP advanced settings "old way", power automate to break and set permissions on each record, custom permissions where some users can't create views with pre defined views on list. Breaking permissions on a record level could impact performance on large lists according to SP limitations.. )
Row level security in SharePoint has performance implications in case your lists grow beyond 5k records.
That is a SharePoint limitation not Power Apps. Power Apps respects the behavior and limitations of the data source.
I would recommend using Dataverse or SQL in those scenarios.
Bro, you are the man, Nuff respect. keep us going my G 👌👍✌🤛
Thanks so much
Brilliant video ... implementation of SharePoint group and Azure Security Group within Power Apps
Glad you liked it
Great to hear that through mutiple ways we can achieve security trimming in powerapps
Thanks for watching
@@RezaDorrani , Million likes that you read the comments and acknowledged it
Amazing video, thanks Reza!
My pleasure!
Amazing video on RLS. Thanks for making this :)
Thanks for watching
This series will help us a lot. Raza.. You are genius as always you are my super hero...🦸
Thank you so much 😀
Thank you Reza ....
For enhancing our knowledge....! ❤️
Your most welcome Farhan
Very useful Reza, thanks for sharing !!
Glad you liked it
Great Showcase...Very Informative. Thanks Reza.
My pleasure!
SharePoint group idea was awesome
Thanks
Too clear,, Thanks
You are welcome
great video (as usual ;) ) with very pleasant style ;)
Thank you! Cheers!
You sir are a well deserved member of Microsofts MVPs
Thank You.
No title is bigger than the love of the audience.
Best ever Video I saw explaining the different options to keep security in Power Apps. Thanks a lot, Reza!
You are most welcome
@@RezaDorrani Do you have a solution for showing an image hosted in SharePoint on a mobile phone (Powerapp App) ?
@@dieterleyendecker5685 I believe you would need to use flow for that.
@@RezaDorrani Hi Reza, I have a ready Powerapp that shows in Sharepoint the image perfectly, but if I use the app on my mobile the image is not shown. It seems to be a known issue according the posts in the internet and the solution to use URI link created by flow did not work. I hoped you have a better solution.
@@dieterleyendecker5685 I would have to try it out to look for a solution. I do not have a video or a ready solution for it.
Thank you sir. Nice explanation.
👍
Thanks, really useful sessions, I have downloaded this video, as reference.
Cool, thanks!
great explanations of the work around for these issues. The Azure AD connector is a real shame. We just need a connector for read only purposes as the current one has way to much power. Looking forward to the rest of the series.
Totally agree. But we do have the back way as shown in the video :)
Hi Reza, very very nice videos those are all use cases in projects. thank you so much!!!!!!!!!!!!!!!!!!
You are most welcome and glad to hear the content is relevant with project scenarios.
Great learning from you reza you are pro :) awesome video
Thank you!
Thank you very much for another very informative video Reza, I was looking to do this for a shared application between external vendors, now I have an idea how to segregate the content.
Happy to know that this video is useful and thanks for watching
Great class.
Keep up the good work.
Thank You,
Natasha Samuel
You are welcome!
You are a saviour!
Thanks
Great video mate
Thanks 👍
Great video Reza, keep it up. I would like to see CDS role based and row level security video in this series. thanks.
I am planning on a full Dataverse (CDS) video series. Keep an eye out for that one.
@@RezaDorrani thanks
Great video! Thank you very much!
You are welcome!
@@RezaDorrani Hi, Reza. Do you have a video regarding Power Apps requesting Power Automate to pass current user's data from a SP list?
Here is my scenario:
I have a SP list that consists of around 7000 employees' training details totalling around 120k. With this, we have to give read permission to all employees to the list and make a filtering in power apps. This will not stop a user from accessing all data. What strategy must I do in order for a user not to access all data in the list except theirs when creating an app in Power Apps?
@@SiMataR01 If Power Apps calls Power Automate the connections in the flow will run under the logged in users account. This is by design. So if you do not setup security correctly, a user will have more access than needed.
@@RezaDorrani hi Reza. Thank you for your reply. I actually have a separate account with an elevated permission that created the power automate flow and has only access to the SP list. The account will be responsible to submit the current account data. My problem is how to create the REST API to collect the specific user's data then maybe save to an array or text then submit to the requesting Power apps.
@@SiMataR01 You cannot do so without calling the flow from Power Apps.
👍👍👍
This is something I struggle with
No access to AD Azure etc...need to watch few more times to understand variables part
Thanks.
Hopefully this video has simplified that process.
PERFECTO!!!!👏
Thank You
Another great video
Thanks
Best video ever
Thanks
Thanks for this video! All that is missing is the security part that allows you to change access to elements of an SPO list automatically. Share an item to a group based on a condition with Power Automate ?. I will work on it and share it with you. Thanks again !
Sharing is caring. Looking forward to it.
great video
Thanks
Nice video. I realy like your way of designing your apps. I am a goofy when it comes to design 🤔
Thanks Frank
Great video again Raza!! Thank you! Will you publish this app in the community?
That's the plan once I complete the Role Based Security video series. I have at least 2 more videos planned.
brilliant
Thanks
Thank you very much Reza, a great help.
I already used a Sharepoint list for my security, but I was adding each person manually to that list, your idea on linking it to the SP group will make my life so much easier.
I assume not but is there any reason why the Admin couldn't be shared all the other permissions for the other groups?
Admin can have full access but being a part of all groups.
Good trick
Thanks
Hi Reza. I love this app's functionality and use cases. I was wondering if you can do an instructional video on how to make this specific app? Thank you very much!
I will add tour request to my backlog.
Check out myPower Apps playlist which has around 63 videos - ua-cam.com/play/PLTyFh-qDKAiEIVlidnhELx5BusnzlDzkR.html
Most of those concepts are covered in individual videos.
Great video, very helpful. Just a request, as I am a beginner, so can you help me out with a demo on how you created the whole app? It would be of great help😊
I do not have a step by step video on that.
I have a full playlist of Power Apps that may help - ua-cam.com/play/PLTyFh-qDKAiEIVlidnhELx5BusnzlDzkR.html
Since the user is able to navigate to sharepoint and view those information, i wouldnt call it security role based but visibility role based.. This is a risk to consider depending on the data stored
Good overview and tips, Thank you
Agreed. Thats why I explained how the security works with SharePoint and Power Apps first up. This is more like audience targeting.
How you do that @tt
@ please elaborate. This exact flaw is what prevents me from recommending power apps to our organization. For example in this travel request app shown, what stops a user from accessing the list directly to set their list item to approved, effectively bypassing the business logic in the power app.
Thanks Reza, great video! One question I had - all videos I've seen on this have had the permissions pulled from a separate SharePoint site to the site containing the content. Is there any issue from a security perspective with pulling straight from a list within the same SharePoint that uses these permissions?
There is no issue with security perspective
Great video, very helpful for us!
And I have one question on scenario of person in the sharepoint list.
How to make boolean result when multiple person in the Admin column.
You will need to use the IN function to check if user is in multi select people picker column.
Dear Reza, your video are just great… one question on sharing sites in SP and not only app - the problem I could see it’s that user would have full access to the backend/data source and could do some mess there, correct ? Is IT possible to prevent this somehow?
Power Apps respects SharePoint security. You would need to define appropriate user permissions. One cannot have users reading data from SharePoint in Power Apps but users not having access to read.
Great video as always! I do have one question again. What if there's another column on the Admin List where it dictates which group they belong. For example group A and B. How to implement this where if they belong to group A they can't see the request from group B and vice versa. Thanks!
Read column info from admin list, check if user belongs to those groups and accordingly show hide. I have done videos showing how to check if user is part of Office 365 group, SP Group etc.
@18:50 My SharePoint doesn't show 'Advance' when using the Share icon, but I was able to figure it out by using the Open the details pane icon on the top right.
Might be related to permissions.
First of all, thank you so much for sharing this valuable knowledge @Reza Dorrani. I have one question tho. For what I've seen it's seems that creating power apps on top of Sharepoint list can make us have lots and lots of new Sharepoint Sites, majority of those only to have one single list in there. Wouldn't this be a pain in future to maintain, let's say doing this on a big company, where the number of apps can quickly scale, so the number of Sharepoint sites and lists.
Depends on the scenario at hand. SharePoint has limits and Dataverse offers a lot more flexibility.
Awesome video, thanks for sharing. Can you share the link to the second video?
I have 2 videos more on this. Here are the links:
ua-cam.com/video/fbDQH0vIsN8/v-deo.html
ua-cam.com/video/QoNQjvHk6qc/v-deo.html
This is exactly what I was looking for. Great video!! The SharePoint Group option doesn't work if the logged in user is a site collection admin because they can access the item even if they are not in that group. Any workaround for that? I appreciate it! Thanks Again
Site collection admins are special users. An admin can do anything in SharePoint. Workaround would probably be to call flow and query site collection admins (assuming there is some api) and then return the results back. Not something I have tried, hence guessing.
Thank you for this video, @Reza! It is very powerful and important to know all the options we have in terms of security. I really liked the possibility to add to a Sharepoint Group a Security Group. It makes me think of how we can manage the people entering those AZ AD security groups (like for example using approvals). My question is regarding the communication part . What if we have a scenario where we need to write emails to these managed AZ AD security groups? I initially thought that I can use Mail enabled Security groups inside the workflow and automate the process. Previously one could add members to mail-enabled security groups via Graph API. But turns out that was a bug and Microsoft changed that behavior in nov 2021... Have you encountered a similar use case? Do you know a workaround for this? It would be awesome to make a video around this topic!
Best regards,
Alex
I have not come across this scenario. I will recommend checking on the forums at powerusers.microsoft.com/ in case someone has done something similar.
Nice Video on RBS. Can you post a video on how to create "Left Nav" used in this demo. I have seen your other version of Left Nav, however, I need to use this style.
Here is the link - ua-cam.com/video/3S0h2nODcxM/v-deo.html
hey Reza, do you have a video on how you used the collect function to show/hide a screen from the menu?
Yes, it was part 2 of this video. You will need to search for that one or look for it in my playlists
Hi Reza, great vid! I would like to ask if there is anyway to mimic the “move to” function in the SharePoint site using flow?
I tried using the API approach - it worked but I can’t retain the original ID. I assume that it is doing a copy and delete instead of a move.
Application: I had a lookup list querying the list, and would like to move the items into different folder (within the list) with different permissions but retaining the ID which other list is performing a lookup on.
Do you have any insight on this?
I have not tried the move item with API approach.
I will recommend you check on the forums at powerusers.microsoft.com
Thanks Reza, great video, learnt a lot from you. I am quite new to Powerapp, a few questions to ask.
I have a request from link to a SP list, which will create item to the list. I have another list which connect to the combo box items of my request form. I am sharing the form to everyone in organization.
Does it mean I need to grant access right of everyone to the sharepoint list, for them to see the combo box dropdown items and to submit the form? Which I don't expect them to gain access to the sharepoint site/list.
Any idea? Thanks.
Users will need access to the SP lists in order to interact with the data. Power Apps respects SharePoint security. There is no impersonation for permissions in SharePoint with Power Apps.
If a user needs to add data to a list, then user will need access on the SP list to add data.
Amazing! Kindly Show Us the way to restrict user giving a powerapps survey second time ie. powerapps should show a msg like "You already have given the Survey"
I do not have a video reference on this scenario and would have to try it out to provide guidance. Idea would be to check if an item already exists for that user. If Yes, then do not allow another submission. I will recommend checking on the forums at powerusers.microsoft.com/ in case someone has done something similar.
very informative video, just what everyone is looking out for. Where can I see other videos related to security
All videos are on my channel :)
I have done 200+ total videos
Hi, Reza. Thank you so much for the video, let us see If there are more than 100 projects in the organization, and each project has different users and roles, how to manage these people?
Depends on how the information is structured in SharePoint. Connecting to 100 data sources could slow down the App.
@@RezaDorrani Yes, I agree with it, whether The best way is to establish a unified user permission list? but I don't know how to design this list
@@user-lo9eg9tc2r may be a unified one.
Best as always.
But @reza I want to use AZ AD security group role based access for my powerapp with Dataverse. In which way i can achieve this?
Read documentation on dataverse security
I love your videos. Question gallery is showing empty though I see the User info once I set my variable. Is there something I am missing?
Thanks!
Not sure as I have not come across that in my power app.
Brilliant what a great explanation with detailed background explanations to security, Thanks so much for sharing! can I ask one question: can all Members of the group access all the data by visiting the sharepoint site?
Thank You.
Yes, members can access all the data since they have Contribute Access on the list.
@@RezaDorrani thanks for your quick reply! can that be changed so that they members only have access thru the powerapp and dont have access thru sharepoint?
@@seamusobric No. When working with SharePoint, the logged in user will need access to SharePoint to perform the data operations.
@@RezaDorrani thanks very much for your help. I'll continue searching for a way around this to limit access to restricted data on a User basis on Power apps and SharePoint. Excel works well with login requirements and page visibility based on users but Powerapps is such a nicer user experience!! Thanks for all your effort.
hello riza, how can we add or remove members for the security groups within powerapps screen (inside the power apps) like member policy screen?
I have never tried that and do not have any references for it. I will recommend checking on forums at powerusers.microsoft.com in case someone has done something similar
Hi Reza, Great video. Do you have a video where you create this travel request app from scratch, so that I can follow through before assigning the role based security? Thanks.
Thanks!
I don't have a step-by-step video
Hi Rezza, Great content.
I have a question, I do have a Power App with me, which has 10 to 12 SharePoint lists as a data source. Each list has some business logics for security. App also has around 8 to 10 flows. And I want to share that app, how should I approach, for app sharing, dataset access sharing, flow sharing, etc.
App, data and flow are all separate objects. You would have to share them independently.
As always it is a nicely created video targeting the real life scenarios. One question how to restrict the end users who have submitted the request (who don't have the admin access) from accessing the SharePoint list directly . is it possible to hide the travel request inside the SharePoint so that the end-users cant see it.
Users will need access in order to perform actions in Power Apps and hence cannot be restricted.
Power Apps will follow same security protocol as SharePoint.
You can hide the list from SharePoint but a user can always get to it via flow or powershell etc.
michelcarlo.com/2022/01/30/hiding-a-sharepoint-list-from-the-site-contents-using-power-automate
@@RezaDorrani thankyou for sharing the link for some reason I am getting the error. I also tried on o365 developer account and still getting the error. Any suggestions please.
@@excel-k-sir I would recommend posting your issue with screenshots on the forums at powerusers.microsoft.com
Hi Reza, do any of these solutions work for SP forms customized with Power Apps? Thought perhaps instead of placing variables within OnStart they made need to be setup in a different manner. I have several approve/reject buttons that im trying to hide or disable for all but a specific group of users.
Possible but not something I have tried. You may have to add the logic onVisible of the screen or something.
You create an AZ AD list and set access in the App.Onstart... do you still have to make people a user in the environment admin section?
Are users going to do anything with Dataverse in App? If no, then you do not need to set "env admin". Env Admin is a highly privileged role.
Great video! I'm new to Power Apps, and nearly everything I've been working on, I'm finding you have a video that helps me out with what I'm doing. Quick question for this one, though. If I wanted multiple roles instead of just an admin role, so a column titled Roles of which Admin is one of the options, how would the syntax be for that if it was a multiple-choice column? I tried && Roles.Value = "Admin" but I'm getting an error of incompatible types for comparison. Might be a good video option in the future also!
Probably "Admin" in Roles.SelectedItems.Value
assuming Roles is a combo box control
@@RezaDorrani I'll give that a try. Inside SharePoint, Roles is a choice column using multi-select. My app will have several roles from view, approval to admin with the need to assign more than one role to an individual. I've noticed multi-select choice columns have issues in various areas of power apps (gallery most recently).
@@trstrean I recommend posting your issue with screenshots on the forums at powerusers.microsoft.com
@@RezaDorrani I'll give that a try. I tried the approach you recommended and it didn't work. For now, I just used a standard choice column as a workaround until I figure out how to get a multi-choice select column to work.
Thank you for such a great content! If my data source is an 'Azure sql db' and app created by using this source is embedded on SharePoint. Can I still able to assign permissions through sharepoint as shown in video? How to achieve the same in my case?
I am not sure about how the permissions would play out in your use case.
I would recommend you post your query on the forums at powerusers.microsoft.com in case someone has done something similar.
@@RezaDorrani Thank You Sir :) ! Now my data source is 'SQL SERVER On Premises" not 'Azure sql db'. So what about this Case? Sharepoint rules will work here?
@@madhurishirsat491 Security of SQL and SharePoint are different.
Read documentation for SQL - docs.microsoft.com/en-us/powerapps/maker/canvas-apps/connections/sql-server-security
Hi Reza, on 13:17 the colMenu setting is not clear for me, do you have another video where you explain further about hoy you put in collections the accesses, please.
ua-cam.com/video/dP74npyyvGc/v-deo.html & ua-cam.com/video/3S0h2nODcxM/v-deo.html
As usual a complete good tutorial. Your tutorials Really helped me. Sharing it with friends. Just one question can you suggest how from the sign in screen by clicking the login button i can also check a choice column from sharepoint that if this is the choice then do this else this. It will be very helpful if you suggest a solution. Thank you!
Thanks for sharing with others.
Choice column from SharePoint would be in a list that has records. How would you know which record in SP list to check the choice against and how would user enter the choice value. Not sure if I understood your requirement.
Thanks for replying Reza! My question is- When the admin is adding that perticular user for the app , the choices for that user is given by admin. It is happening using the patch formula in power apps. Lets say in sharepoint there are having a choice colum with 3 values in it (A B C). Now when the user logging its the job of the app to check if user having the choices (A or B or C or AB or ABC)which is given by the admin and redirecting accordingly. I just want to understand how to check with choice column from poweapp in sharepoint list. Thank you so much again!
@@olivaadak You cannot do that with a choice column unless you hardcode some logic in App. Better approach would be to use a lookup column to a secondary list where you can add some logic for security.
Okay! Thanks for clearing that. It will be helpful if you suggest any example for how an another list can be user as a security for the app.
@@olivaadak I do not have a video on this use case. I will recommend to check or ask in the forums at powerusers.microsoft.com/
One issue I can seem to get my head around, if they have access to the underlying data, they could just go and find the SharePoint list and view the info there no?
User will always need access to underlying data (SharePoint), in order to perform the necessary actions in power apps. There is no impersonation behavior.
Idea of video was to only showcase specific info to user based on their role in Power Apps.
Can I base security only on AzureAD groups? My application does not use Sharepoint but I want to profile some options and elements with AzureAD groups
Absolutely. You can directly leverage the Groups connector in Power Apps and check if user is a part of the group.
Do you have a video where it explains the Azure connection, I’m getting real confused on that part.
Do not have a video on azure connection in detail. Try posting the issue you are facing on the forums at powerusers.microsoft.com
Reza quick question. I have a SQL database that has a filter predicate limiting number of rows seen based upon the logged in user. However, when I connect it to PowerApps, I can see all the rows or none of them (based upon the tinkering I do with the filter predicate). Any sense why this happens? To be clear, both SQL and PowerApps have a Azure AD login - the Azure AD security groups (in which each user is) has already been created in Azure AD and the users have been added to the SQL database and given access permission in PowerApps. But nevertheless, I run into this issue. Thanks
I have not run into this issue.
I will recommend checking on the forums at powerusers.microsoft.com/ in case someone has run into this issue.
Hi Reza...I learned Power Apps by watching your video. You are an excellent teacher. I am having some issue in filtering the gallery. When the form load, I have this filter: Sort(Filter('Project / Task Tracker', 'Requested By'.DisplayName = User().FullName, Status.Value "Completed") , 'Requested Date', Ascending), which shows only the list by logged in user and show the status not equl to "Completed. This works fine but I have added a button to only the status is equal to "Completed" by adding this: Sort(Filter('Project / Task Tracker', 'Requested By'.DisplayName = User().FullName, Status.Value = "Completed") , 'Requested Date', Ascending) but it not working. Any button to do filter is not working. Am I missing something? Thanks
Thank You!
I would have to look at your App to provide guidance. I will recommend posting your issue with screenshots on the forums at powerusers.microsoft.com
Hi Reza, just a little bit out of contex here...just because i need help. What will be the best approach to referencing data from sharepointList data on PowerApps
All you need to do is just connect to SharePoint and bring in the data. Not sure if I understood your question clearly.
Thanks Reza... Great Video, If it's possible can you share the code tips
I assume you mean the code bits :)
I plan to share the entire App once I complete the video series.
@@RezaDorrani that's great Pls share the entire video if it's possible
@@sureshp7204 I will share the whole App once the series is complete
This is a great app that I wish to replicate. Please can I get a video where you design this app itself before adding the security role. I like the one screen design
This video was done years ago and I no longer have this app. I have done many videos on app designs. You can search for those on my channel.