web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Pages / Power Pages column per...
Power Pages
Suggested Answer

Power Pages column permissions for Web API seem ignored for Read in Enhanced Data Model

(0) ShareShare
ReportReport
Posted on by CU11031005-0 2

Hi,

I’m trying to understand whether this is expected behavior, a documentation issue, or a product bug.

Environment

  • Enhanced Data Model
  • Using Power Pages Web API
  • Table: invoice

Goal
I want:

  • Admin users to be able to read totalamount
  • Regular authenticated users not to be able to read totalamount

My configuration

  • Webapi/invoice/enabled = true
  • Webapi/invoice/fields = *
  • Table permissions are configured and working
  • Column Permission Profile is configured for the same website and web role
  • For regular authenticated users:
    • All Column Permissions = none
    • explicit column permissions only for selected columns
    • totalamount is not included

Observed behavior

  • If Webapi/invoice/fields = *, the authenticated user still gets all columns, including totalamount (!!!)

Why I think this may be inconsistent with the docs
The documentation says:

  • columns not explicitly defined should follow All Column Permissions
  • All Column Permissions can be used to limit access

But one example row in the documentation table seems contradictory (https://learn.microsoft.com/en-us/power-pages/security/column-permissions#examples-of-table-and-column-permissions):

  • Table permission: Create, Read, Update
  • Webapi/Contact/Enabled = TRUE
  • Webapi/Contact/Fields = *
  • All Column Permissions = none
  • JobTitle = Read

The table says:

“The user can read JobTitle and create, read, and update all other columns.”

This seems opposite to the rule above. I would expect:

  • JobTitle = Read
  • all other columns = no access

Questions

  1. Is column-level restriction for Read actually supported in Power Pages Web API?
  2. Can All Column Permissions = none + explicit Column: Read be used to hide all other columns?
  3. Is the example row in the documentation incorrect?
  4. Is there any known issue for this behavior in Enhanced Data Model?

Thanks.

Categories:
Design & build
I have the same question (0)
  • Sunil Kumar Pashikanti Profile Picture
    Sunil Kumar Pashikanti 1,336 Moderator on at
     
    This is a known Power Pages limitation.

    Column‑level Read permissions are not reliably enforced by the Power Pages Web API when using Webapi/<table>/fields = *, especially on Enhanced Data Model sites. Although the docs say “columns not explicitly defined follow All Column Permissions,” the actual behavior matches the documentation example, not the rule text.

    Workaround: explicitly list allowed fields in Webapi/<table>/fields instead of *.
    This behavior has been reported previously and appears to be a product gap rather than a configuration issue.
     
    1) Is column-level restriction for Read actually supported in Power Pages Web API?
          Documented as supported
          Not consistently enforced, especially with fields = * and Enhanced Data Model

    2) Can All Column Permissions = none + explicit Column: Read be used to hide all other columns?
          No, not in practice when using fields = *
          Works more reliably if:
    You explicitly list allowed columns in Webapi/<table>/fields
    You avoid *

    3) Is the example row in the documentation incorrect?
          Yes, it contradicts the written rules
     
    4)Is there any known issue for this behavior in Enhanced Data Model?
          Yes
    Reported by multiple users
    Especially common when Enhanced Data Model was (or still is treated as) preview‑adjacent for certain security features
     
     
    ✅ If this answer helped resolve your issue, please mark it as Accepted so it can help others with the same problem.
    👍 Feel free to Like the post if you found it useful.
  • Suggested answer
    DP_Prabh Profile Picture
    DP_Prabh 331 on at
    This is a known limitation, but workaround is that we can specifically fields and restrict users from viewing all fields of a table in site settings for the Web API configured for an entity:
    I hope this works for you!
     
     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the February Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Pages

#1
DP_Prabh Profile Picture

DP_Prabh 41

#2
oliver.rodrigues Profile Picture

oliver.rodrigues 31 Most Valuable Professional

#3
Hammed Profile Picture

Hammed 22

Last 30 days Overall leaderboard

Featured topics

Solution to LinkedIn Authentication in Power Apps Portals
Welcome to the Power Pages forum!

Product updates

Microsoft Power Platform Community release plans