Using Power Platform Security Role membership to provide RBAC in canvas apps.
On the Microsoft cloud there are many ways to achieve the same result, and it’s no different when securing your canvas apps.
Three ways spring to mind:
Office 365 Groups Connector
Shane Young has done a great video on using this connector.
Azure AD Connector
A standard connector Has a great function CheckGroupMembershipV2, however this connector requires administrative privilege’s that you probably don’t want to give the general population of users.
Power Platform Security Roles
In this post we will demonstrate how to use the third option, Power Platform Security Roles to provide role based access control (RBAC) to provide the ability to show/hide controls/screens based on a users Security Role membership.
This uses the Dataverse connector and is therefore Premium only.
Add the ‘Users’ table to your app.
When a database is added to a Power Platform environment the default solution contains the table ‘Security Roles’, this table holds the user membership for those roles in a many-to-many relationship with the Users table, we can use the Users table and read the data from the relationship using the . notation.
List a Users Security Roles
We can create a collection of all the roles the current user has we can use the following Power Fx, add the following code to the OnStart property of your app.
//Create a collection of current user security roles ClearCollect( UserRoles, (LookUp( Users, domainname = User().Email ).'Security Roles (systemuserroles_association)').Name );
Test if a User has a Security Role
In this example we are testing whether the User has the Workforce custom security role and then setting a global variable we can use to hide/show elements of our application, add the following code to the OnStart property of your app.
// Test if User has the security role Workforce If( "Workforce" in (LookUp( Users, domainname = User().Email ).'Security Roles (systemuserroles_association)').Name, Set( workForceMember, true ), Set( workForceMember, false ) );
So lets break it down, first up its an If statement, so we are going to test a condition and return true or false.
I love in, so the next line is our If condition, here we want to look for “Workforce” in a datasource… now comes in, we are going to check if Workforce is in the ‘Security Roles (systemuserroles_association)’ relationship.
Our first statement after in is a lookup to the Users table to return just the current user, we don’t want to traverse the relationship with all users on a many-to-many relationship, you will likely crash your app . Once we have found our user we use the . notation and the relationship we want to use, ‘Security Roles (systemuserroles_association)’ and as we want to test the text Workforce again we use the . notation and add our column Name we want to test against.
This will either return true, has the security role or false, they don’t.
Now we can use the workForceMember global variable as the Visible property of a control and it will only be visible to users with the Workforce security role.
I use this approach to provide customised app experiences for users.