I am testing Power Pages at the moment and I am going round in circles about how to implement row level security for users authenticated by Entra External ID.
I am creating a site to communicate with my suppliers and I am registering those users in Entra External ID. My aim was to use row level security for each table, based on a team that I would place each user in. When setting up each table, I would choose ‘record ownership’ = user or team. I must be missing a configuration link somewhere because I can’t place my external IDs in a team. I don’t want to use user credentials because each of my suppliers may have several ‘users’ and I want them all to access the same content.
The plan is to licence those external users by a PAYG licence, via Azure meters.
Entra External ID is set up and users are authenticating fine, and I see their records in Power Pages Management (dynamics.com website).
I can set up a table in Make.PowerPages.com and in the advanced properties of the table I can choose ‘row ownership’ = ‘users or teams’.
The problem comes when trying to define what a ‘team’ is. I can define a ‘team’ in https://admin.powerplatform.microsoft.com/ BUT the users in this admin are those that set up the site, NOT those authenticated by Entra External ID; they are the users that are in Entra (not external), and are the site admins.
How do I put Entra External IDs into a team (or other logical container) that would allow me to implement row level security based on an attribute mapping? I can create web roles that I could place each group of users into, but that sounds horrible because I would have to add each web role to each table and it’s going to break.
How do I add users authenticated by Entra External ID, in to a ‘team’ to enable row level security?
I understand why some of this may be confusing for a new user - everyone initially thinks a User is a system user and not actually a Contact record. But also be aware that the Admin side of it is also important. Power Pages is basically an add-on to the underlying Dataverse; for internal users to access the submitted data from Power Pages or the Power Pages Management App (out of the box Model Driven App, which you will use more the more you find the limitations in the Power Pages Designer), the platform security (Users/Teams/BU etc.) is also important. At the moment you will be a System Administrator, but your day-to-day internal users generally will not be, so the security of the Dataverse instance is also important.
Fubar below, thanks for your answer, it has helped me look in the right direction.
If anyone from Microsoft is listening, then I think you need to clarify the admin for Power Pages.
From Make.PowerPages.com you can get to at least 2 admin sites.
From Make:
Choose the 3 dots in the left bar and choose 'Power Pages Management'. This seems the most appropriate admin for Power Pages use, since the idea of Power Pages is to deal with users outside of your organization. This follows the answer from Fubar.
Choose Setup and at the bottom of that page there is a link to 'Open Admin Center'. You are directed to 'admin.PowerPlatform.microsoft.com' and if you select the environment this is where you get to users, teams and business units, most of which aren't relevant to the core uses of Power Pages.
I am new to Power Pages and haven't used Power Apps before, and I have spent more time trying to understand what's relevant to me and what's not than actually building websites! (But once it's all sorted it's going to be a great platform.)
Are you talking about External as users of a Model Driven App (or Canvas App), or Power Pages Portal site users?
The Power Pages Portal does not use Teams like the Model or Canvas App does. For the Portal the Security Model is built around Contacts and Accounts (with some extras like Parent and Global scoped). Each of your users (Entra or other Identity Providers) will have a Contact record created for them when they are registered (and this contact is the portal user account).
Record level is usually by adding a Contact (or Account or both) lookup to the Tables in question and then populating them with either the Portal User's Contact Record or their Parent Account (but could also be done by creating a Custom Table, adding that as a Lookup on the Tables in question and populating it, then using a Table Permission with scope = parent), and making use of Web Roles with the appropriate Table Permissions (i.e. not Dataverse Security Roles and privileges).
For the Portal, for your scenario, you would probably use Account for the Supplier, and then add the Contact to the Account making use of the out-of-the-box parent account (Company Name) lookup. Then for the records they need to access add a Lookup to the Account and populate it, then have a Table Permission configured for that Lookup with Scope = Parent (and for child records, then most likely Table Permissions with Scope = Parent).
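To make the answer above concrete, here is a small model I am adding to the thread (it is not code from the original post, and it is not how Power Pages itself evaluates Table Permissions, which is done inside the platform). It imitates the pieces the answer names: every portal user is a Contact, the Contact's parent account (Company Name) lookup points at the supplier's Account, the exposed tables carry an Account lookup, a Table Permission ties a scope to web roles, and child rows are reached through a Parent-scoped permission. The scope names Global/Contact/Account/Parent, the `parent` tuple on a row, the supplier names and all rows are assumptions I constructed for the example; the point it shows is that grouping suppliers by Account, not by Dataverse Teams, is what gives every user of one supplier the same row set, and that a Contact with no Account or no web role sees nothing.

```python
"""Toy model of Power Pages row-level access through Table Permissions.

Constructed example: the dataclasses, scope names and sample rows are assumptions
made for illustration, not the platform's own objects or evaluation engine.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    """A portal user. In Power Pages every signed-in user is a Contact row."""
    id: str
    parent_account: str | None       # the out-of-the-box "Company Name" lookup to Account
    web_roles: frozenset[str]        # web roles the Contact has been placed in


@dataclass(frozen=True)
class Record:
    """A row in a table the portal exposes (constructed sample data)."""
    table: str
    id: str
    account: str | None = None              # lookup to Account (the supplier)
    contact: str | None = None              # lookup to Contact (an individual user)
    parent: tuple[str, str] | None = None   # (table, id) of the parent row, for child tables


@dataclass(frozen=True)
class TablePermission:
    """Simplified Table Permission: one table, one scope, the web roles it is assigned to."""
    table: str
    scope: str                       # assumed set: "Global" | "Contact" | "Account" | "Parent"
    web_roles: frozenset[str]


def can_read(user: Contact, record: Record, permissions: list[TablePermission],
             records: dict[tuple[str, str], Record]) -> bool:
    """Default deny: a row is readable only if some permission on its table,
    assigned to one of the user's web roles, matches the row under its scope."""
    for perm in permissions:
        if perm.table != record.table or not (perm.web_roles & user.web_roles):
            continue
        if perm.scope == "Global":
            return True
        if perm.scope == "Contact" and record.contact == user.id:
            return True
        if (perm.scope == "Account" and user.parent_account is not None
                and record.account == user.parent_account):
            return True
        if perm.scope == "Parent" and record.parent is not None:
            # Child rows inherit access from the parent row the user can already read.
            parent = records.get(record.parent)
            if parent is not None and can_read(user, parent, permissions, records):
                return True
    return False


def visible_rows(user: Contact, table: str, permissions: list[TablePermission],
                 records: dict[tuple[str, str], Record]) -> list[str]:
    """Ids of the rows in `table` this user may read, sorted for stable output."""
    return sorted(r.id for r in records.values()
                  if r.table == table and can_read(user, r, permissions, records))


# --- constructed sample data: two suppliers, five registered portal users ---
ALICE = Contact("alice", "acct-acme", frozenset({"Supplier"}))
BOB = Contact("bob", "acct-acme", frozenset({"Supplier"}))       # same supplier as Alice
CAROL = Contact("carol", "acct-globex", frozenset({"Supplier"}))
DAVE = Contact("dave", None, frozenset({"Supplier"}))            # registered, not yet linked to an Account
ERIN = Contact("erin", "acct-acme", frozenset())                 # linked to Acme, but no web role

RECORDS = {(r.table, r.id): r for r in [
    Record("order", "ord-1", account="acct-acme"),
    Record("order", "ord-2", account="acct-globex"),
    Record("order", "ord-3", account="acct-acme"),
    Record("orderline", "line-1", parent=("order", "ord-1")),
    Record("orderline", "line-2", parent=("order", "ord-2")),
]}

# One Account-scoped permission on the parent table, one Parent-scoped on the child table.
PERMISSIONS = [
    TablePermission("order", "Account", frozenset({"Supplier"})),
    TablePermission("orderline", "Parent", frozenset({"Supplier"})),
]

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE, ERIN):
        print(user.id,
              "orders:", visible_rows(user, "order", PERMISSIONS, RECORDS),
              "lines:", visible_rows(user, "orderline", PERMISSIONS, RECORDS))
```

Running it shows Alice and Bob getting the same two Acme orders (and the Acme order line) without either of them being the row owner, Carol getting only the Globex rows, and Dave and Erin getting nothing. Dave is the case to watch for in a real site: a user who has signed in through Entra External ID and therefore has a Contact, but whose Contact has not yet been linked to an Account, must end up with no rows rather than a default set.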