The native Power Pages table permission access types (Contact, Account, Parent, Global) don't support your selective multi-child requirement out of the box. None of them allow "contact X can see records related to accounts F1 and F2 but not F3." You need a custom approach.
Recommended architecture: junction table + Contact access permission
1. Create a new Dataverse table: Manager_Account_Access (or similar) with two lookup columns: one to Contact (the manager) and one to T1 Account (the child account they can access). Each row represents one manager-to-child assignment. M1 gets two rows (M1→F1, M1→F2), M2 gets two rows (M2→F2, M2→F3).
2. Add a lookup from T2 to the junction table (or add a lookup from T2 to T1 Account, which you already have via L2).
3. Configure Power Pages table permissions using Parent access chained through the junction table:
- Table permission on Manager_Account_Access with Contact access (so the manager can only see their own rows)
- Child table permission on T2 with Parent access, where the parent relationship goes through Manager_Account_Access → T1 Account → T2
Alternatively, expose T2 records via a Liquid/FetchXML query on the portal page that explicitly filters by the accounts in the manager's junction table rows, rendering only authorized records.
4. The web role assignment stays simple: one Manager web role assigned to all manager contacts. The data-level filtering is handled by the junction table permissions, not by separate web roles per manager.
This pattern scales: adding or removing a manager's access to a child account is just adding or deleting a row in the junction table, no code or permission changes needed.
Best regards,
Valantis
📝 https://valantisond365.com/
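
Added example, not part of the original reply: a sketch of the Liquid/FetchXML alternative from step 3, joining T2 to its account and then to the junction table, filtered on the signed-in contact. Every `new_*` logical name is a hypothetical placeholder for your own schema, and T1 is assumed to be the standard `account` table.

```liquid
{% comment %}
  Added example. new_t2record, new_manager_account_access, new_contactid,
  new_accountid and new_name are hypothetical logical names.
{% endcomment %}
{% if user %}
  {% fetchxml authorized_t2 %}
  <fetch version="1.0" mapping="logical" distinct="true">
    <entity name="new_t2record">
      <attribute name="new_t2recordid" />
      <attribute name="new_name" />
      <attribute name="new_accountid" />
      <order attribute="new_name" />
      <!-- T2 -> T1 account it belongs to -->
      <link-entity name="account" from="accountid" to="new_accountid" link-type="inner" alias="acct">
        <!-- account -> junction rows granting access to that account -->
        <link-entity name="new_manager_account_access" from="new_accountid" to="accountid" link-type="inner" alias="grant">
          <filter type="and">
            <!-- The contact id comes from the authenticated session,
                 never from a query-string or form value. -->
            <condition attribute="new_contactid" operator="eq" value="{{ user.id }}" />
            <!-- Deactivated junction rows no longer grant access. -->
            <condition attribute="statecode" operator="eq" value="0" />
          </filter>
        </link-entity>
      </link-entity>
    </entity>
  </fetch>
  {% endfetchxml %}

  <ul>
  {% for row in authorized_t2.results.entities %}
    <li>{{ row.new_name | escape }} ({{ row.new_accountid.name | escape }})</li>
  {% endfor %}
  </ul>
{% else %}
  <p>Sign in to view records.</p>
{% endif %}
```

The `fetchxml` tag still applies table permissions, so the Manager web role needs read permission on the tables in the query; the inner joins only narrow the result to accounts listed in the signed-in contact's junction rows.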