Row Level Security For PowerApps Canvas App


Hi Community!

 

I have a requirement for creating a canvas PowerApps, where the data shown on the app, will need to respect the hierarchical relationship of an organisation. In this case, DataVerse will be used as the storage.

 

I would like to understand if it is possible to configure this 'hierarchical' relationship in DataVerse, so on the PowerApps canvas app, based on checking the user (e.g.: the group they belong to), the data displayed on say a gallery will automatically be those that he/she has permission to view, and not the rest. This is to explore if this can be done without actually having to put in conditions in the gallery (e.g.: Filter by certain group) and can be done on the data source layer.

 

To give a bit more detail,

 

Below diagram shows an example hierarchy, with Level 1 being the top. Each box in each level can be treated as a specific group. 

[Image: lee92_0-1622724527696.png]

Scenario 1 - From Level 1's perspective

 

[Image: lee92_1-1622724527628.png]

Users in Level 1 can CREATE/VIEW/EDIT records cascaded to level 2 and level 3

 

Scenario 2 - From Level 2's perspective

 

[Image: lee92_2-1622724527845.png]

For a given level 2 group, say level 2-A, users in that group can only VIEW records cascaded to them by level 1 (they can't see records for Level 2-B), but they can CREATE/VIEW/EDIT records for groups under them (e.g.: Level 3-A, 3-B)

 

Scenario 3 - From Level 3's perspective

 

[Image: lee92_3-1622724527841.png]

For a given level 3 group, say level 3-A, users in that group can only VIEW records cascaded to them by level 1 and 2-A (they can't see records for Level 2-B or 3-B), but they can CREATE/VIEW/EDIT records for groups under them (e.g.: Level 4-A, 4-B, assuming these groups sit under Level 3-A).

 

QUERY: 

 

1) The data entity/table for this to apply will be the same in DataVerse as they are showing the same type of info, just the visibility of the data will have to be on the row level, and depending on which 'group' they're in, they should see the info relevant to them. Can this be done purely in DataVerse without further conditional filtering in PowerApps canvas app?

 

2) If this is not possible to set-up in DataVerse, what's the best way to achieve this in PowerApps Canvas App itself? 

 

 

Appreciate the help. Thanks!

  • ChrisPiasecki
    6,422 Most Valuable Professional

    Hi @lee92,

     

    Dataverse has a very flexible security model where you can set up granular row level security. If you set this up the correct way, the records in the canvas app are automatically filtered by security context and you don't have to use any formulas to do so.

     

    Your type of scenario is commonly achieved by Business Units, which are hierarchical. Your organization always has a root business unit, then you can add child business units, and children of those, etc. The one gap with regards to your requirement is that the hierarchy is top-down, such that you cannot set up the permission where a child business unit can view records in its ancestor business units.

     

    When configuring a security role, you can set a permission scope of organization for read, but that gives read access to ALL records in that table, meaning Level 2-A would be able to see records in Level 2-B, etc. To accommodate your read scenario, you can leverage Owner teams in your parent business units that have read-only access to records in that direct business unit, then add users from the child business units into these teams. This could become quite an administrative task, so if you do go down this path I would suggest building some Power Automate flows to automate this user access management.

     

    Before going further, you may want to consider if simplifying the security model is possible, such as applying broad (organization) level of read access or having a top-down hierarchy instead of bi-directional level of read.

     

     

    For your scenario, your security setup could look like this:

    • Business Unit: Level 1 (root)
    • Business Units: Level 2-A , Level 2-B - parent BU is Level 1
    • Business Units: Level 3-A, Level 3-B - parent BU is Level 2-A
    • Security Role 1: Read/write/update/delete with child-parent BU permission scope
    • Security Role 2: Read with business unit permission scope
    • Owner Team: Level 1 (readonly) 
      • Associated with BU Level 1
      • Assigned Security Role 2
      • Add all users not in Level 1 to this team (or all users for simplicity)
    • Owner Team: Level 2-A (readonly)
      • Associated with BU Level 2-A
      • Assigned Security Role 2
      • Add all users from BU Level 3-A and Level 3-B
    • etc...

     

    If you simplified your security model such that all users can read all records, then it becomes as simple as:

    • Business Unit: Level 1 (root)
    • Business Units: Level 2-A , Level 2-B - parent BU is Level 1
    • Business Units: Level 3-A, Level 3-B - parent BU is Level 2-A
    • Security Role 1: 
      • Read - organization level permission
      • Create/Write/Delete - parent-child business unit level permission
      • Assign all users this security role

     

    References:

    Create or edit business units - Power Platform | Microsoft Docs

    Security roles and privileges - Power Platform | Microsoft Docs

    Use access teams and owner teams to collaborate and share information (Microsoft Dataverse) - Power Apps | Microsoft Docs

     

    Hope this helps..

     

    ---
    Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.
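
Added example (not part of the thread and not Microsoft's code): a simplified Python model of the first setup listed in the answer above, computing which business units' records each user can read or write. The user names, the two-scope privilege model and the rule that a team's role is evaluated at the team's business unit are assumptions made for illustration.

```python
# Simplified model (assumption): a privilege is (action, scope), where scope "bu"
# covers records owned in one business unit and "parent_child" covers that BU plus
# every BU beneath it. Team roles are evaluated against the team's BU.
PARENT = {"L1": None, "L2-A": "L1", "L2-B": "L1", "L3-A": "L2-A", "L3-B": "L2-A"}

ROLE1 = {("read", "parent_child"), ("write", "parent_child")}  # Security Role 1
ROLE2 = {("read", "bu")}                                       # Security Role 2

# Constructed users: name -> home business unit; each holds Role 1 directly.
USERS = {"ann": "L1", "bob": "L2-A", "cat": "L2-B", "dan": "L3-A"}

# Owner teams from the answer: (team BU, role, members).
TEAMS = [
    ("L1", ROLE2, {"bob", "cat", "dan"}),  # Level 1 (readonly): all users not in Level 1
    ("L2-A", ROLE2, {"dan"}),              # Level 2-A (readonly): users from Level 3
]

def in_subtree(bu, root):
    """True if bu is root or one of its descendants."""
    while bu is not None:
        if bu == root:
            return True
        bu = PARENT[bu]
    return False

def grants(user):
    """Yield (role, bu): the direct role at the home BU, then team roles at each team's BU."""
    yield ROLE1, USERS[user]
    for team_bu, role, members in TEAMS:
        if user in members:
            yield role, team_bu

def allowed(user, action, record_bu):
    """Can user perform action on a record owned in record_bu?"""
    for role, bu in grants(user):
        if (action, "parent_child") in role and in_subtree(record_bu, bu):
            return True
        if (action, "bu") in role and record_bu == bu:
            return True
    return False

def matrix(action):
    """Map each user to the sorted list of BUs whose records they can act on."""
    return {u: sorted(b for b in PARENT if allowed(u, action, b)) for u in USERS}

if __name__ == "__main__":
    for action in ("read", "write"):
        print(action, matrix(action))
```

In this model `cat` from Level 2-B can read every Level 1 record, because Security Role 2 on the Level 1 team is scoped to the whole business unit rather than to individual records.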

  • lee92

    Hi @ChrisPiasecki ,

     

     

    Thanks for sharing the above. 

    I tried what you suggested and, taking level 2 as an example, when a user from Level 2A creates a record, a user from Level 2B can't see it, which is great.

     

    But in the scenario where a user from Level 1 creates a record, and then assigns some weighting against that record for users in level 2A (not for users in level 2B), at this stage, I believe users from level 2A and level 2B can see all the records from level 1.

     

     

    Is there a way to set it up such that users from level 2B won't see the records since it wasn't 'assigned' to them?

     

     

    Thanks

     
