Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities - Lets Get Started!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Pages - Design & Build / Group based, role base...
Power Pages - Design & Build
Answered

Group based, role based permission in power pages

(2) ShareShare
ReportReport
Posted on by JB-10040341-0 23
Hi there. I have the folloiwing reqiurement in a project.
 
I have an incident, and i have an account (which represents a group), and contacts (for users)
 
At the moment i ahve successfully set up a system whereby users who are related to an account, have X permission on incidents related to that account.
 
Now this also works well with the built in web roles. Which is where the trouble starts.
 
There is no easy way to easilyt allow people to have specific roles within a group. (for an instance an admin, who can add and remove users from the account).
 
There is also no easy way to change a users web roles from the portal.
 
Has anyone succesfully built a system in power pages where users can belong to groups, and have specific permission relative only to that group? And also allow users in that group with higher permissions (admins, etc), to manage the permission of other users in the group? (IE. a typical conventional group permission system)
 
Hope you're all having a good week.
Categories:
General
  • Suggested answer
    Fubar Profile Picture
    Fubar 7,930 Super User 2025 Season 1 on at
    Group based, role based permission in power pages
    Table Permission with scope = Account means you have a Lookup on the table in question to the Account table. When that lookup is populated with an Account, the Contact records for that Account (using the out of the box parent account relationship a.k.a. Company Name field on the Contact) will have the permissions set on the Table Permission (where they have the Web Role with that Table Permission).
     
    It is a way to give access to the users that belong to the same account access to records tagged with that account. So user A from Account X can work with Account X records and user B can also work with the same records because of the account scope (without the users having to be explicitly associated directly with the record in question).
     
  • JB-10040341-0 Profile Picture
    JB-10040341-0 23 on at
    Group based, role based permission in power pages
    Thanks for the recommendations guys! I will try to implement this.
     
    Something else im curious about, the 'account' type table permission.
     
    So if i select the access type 'account', and then some random table, and then select a particular column on that table, is that the equivalent of saying
     
    "This permission applies to <table>. The 'access type' is account. If there is a link between my account and this table, via the specified column, these permissions apply to me". 
     
    Is it assumed that the column linking the logged in user and and 'account' is always accountid? I cannot find this documented anywhere and it's super confusing.
  • Suggested answer
    Fubar Profile Picture
    Fubar 7,930 Super User 2025 Season 1 on at
    Group based, role based permission in power pages
    Create a new Web Role with the appropriate Table Permissions to perform the actions required, and another one (s) for the general users. Do not check the inheritance checkboxes for Authenticated or Anonymous on the Web Roles (and you probably want to uncheck the existing one on the out of the box Authenticated Users web role). For security reasons do not give Global scope to Contact or Account tables in your Table Permissions for the Web Roles.
     
    There are different ways to achieve it, generally I do not expose the Web Roles directly, but provide a form with a drop down or checkboxes etc to allow the admin user to select a choice that represents the desired role (and have a realtime dataverse Workflow or Plugin assign/remove the actual required Web Roles).
     
    If you allowing the Admin user to create their own users, then consider creating a new table to process requests. Then allow the admin user to create a record in the new requests table with the details of the user and the type of user (e.g. admin, general user). When submitted you can perform any validation required, and then using a workflow or plugin, create a new Contact record for that user (from the information in the request), then create & send an Invitation to that new Contact record (the reason to use an Invitation for the new contact, is that you can add the Web Roles required to the Invitation prior to sending it, and when the new user redeems the Invitation those Web Roles will take affect immediately) - in the past have set this up so the creation of the contact through to sending the Invitation is fully automated.
     
  • Verified answer
    RK2021 Profile Picture
    RK2021 87 on at
    Group based, role based permission in power pages
    I believe this is possible but it does require creating a custom table, let's say it's called 'Portal Security Group' and stores all your group records.
     
    Then create a relationship between Incident and Security Group and then the same for Contact and Group - note the relationship names for later. You can then create a table permission which is of type Contact and points to the Group table - so effectively giving the User access to the group record when they have a relationship to it. 
     
    For general users, this is read only permission and doesn't really impact them - we're not expecting users to interact with the group record. Admins you may wish to use a similar custom relationship but with edit/append so they can relate users to it. For general users though, the key is then to create a another child relationship to Incident which uses the other new relationship you created earlier. This effectively means users access Incidents when both they and the Incident are linked to the same user group records.
     
    When a user isn't in a group which has a link to the Incident, they can't access it. Likewise, Admins would be able to relate users to groups, and groups to Incidents. 
     
    I have done something similar as proof of concept and it worked as expected.
     
     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities - Lets Get Started!

Quick Links

Michael Gernaey – Community Spotlight

We are honored to recognize Michael Gernaey as our June 2025 Community…

Congratulations to the May Top 10 Community Leaders!

These are the community rock stars!

Announcing the Engage with the Community forum!

This forum is your space to connect, share, and grow!

Leaderboard >

Last month Overall leaderboard

Featured topics

Product updates

Microsoft Power Platform Community release plans