web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / How to make a specific...
Power Apps
Suggested Answer

How to make a specific editable subgrid read-only based on a security role in Dynamics 365?

(2) ShareShare
ReportReport
Posted on by

I have an editable subgrid (Subgrid_new_18) on a Model-Driven App form in Dynamics 365.

My requirement is:

  • If the currently logged-in user has the security role "APEditor", the subgrid should behave as completely read-only.

  • Users should be able to view records in the subgrid but should not be able to:

    • Edit records inline

    • Create new records

    • Delete records

    • Use any command bar/ribbon buttons associated with that subgrid

  • This restriction should apply only to this specific subgrid and not affect the user's permissions elsewhere in the application.

One complication is that some users may have multiple security roles assigned, for example:

  • System Administrator + APEditor

In this scenario, I still want the subgrid to be read-only if the user has the TSIS Editor role.

What is the recommended/supported approach to achieve this in Dynamics 365?

Any examples or best practices would be appreciated.

I have the same question (0)
  • Suggested answer
    11manish Profile Picture
    3,333 on at
    To make a specific subgrid read-only for users with the APEditor role in Dynamics 365 Model-Driven Apps:
    • Primary approach : Use Command Bar (Modern Ribbon) security role rules to hide/disable actions like New, Add Existing, Edit, Delete for APEditor users. This makes the subgrid effectively read-only.
    • Grid configuration: Set the subgrid or editable grid to read-only mode to prevent inline editing.
    • Optional fallback: Use JavaScript to detect the APEditor role and reinforce restrictions, but it’s not fully reliable for subgrid command control.
    If a user has multiple roles (e.g., System Administrator + APEditor), the restriction still applies because the rule is simply: if APEditor exists → make subgrid read-
     
    only.
     
  • Suggested answer
    Valantis Profile Picture
    6,735 on at
     
    The supported approach is JavaScript on the form's OnLoad event. Dataverse doesn't have a native declarative way to make a subgrid read-only based on security role, so you need code.
     
    Here's the pattern:
     
    1. Create a JavaScript web resource and add it to the form's OnLoad event
    2. Check if the user has the APEditor role using Xrm.Utility.getGlobalContext and a Dataverse API call:
    async function onFormLoad(executionContext) {
        const userId = Xrm.Utility.getGlobalContext().getUserId();
        const roles = await Xrm.WebApi.retrieveMultipleRecords(
            "systemuserroles",
            `?$filter=systemuserid eq ${userId}&$expand=roleid($select=name)`
        );
        const hasAPEditor = roles.entities.some(r => r["roleid.name"] === "APEditor");
        
        if (hasAPEditor) {
            makeSubgridReadOnly(executionContext);
        }
    }
    function makeSubgridReadOnly(executionContext) {
        const formContext = executionContext.getFormContext();
        const subgrid = formContext.getControl("Subgrid_new_18");
        if (subgrid) {
            subgrid.setVisible(true);
            // Disable the grid controls
            formContext.ui.controls.forEach(c => {
                if (c.getName() === "Subgrid_new_18") {
                    // Use ribbon rules or CSS to hide command bar
                }
            });
        }
    }
     
    3. To fully disable editing, delete, and create on the subgrid, after the subgrid loads use the subgrid's grid object:
     
    subgrid.getGrid()?.getRows() then lock the rows. Note: the cleanest approach for hiding Add/Delete buttons in the subgrid command bar is adding a JavaScript ribbon rule that checks the same role condition.
     
    This handles the multiple-role scenario naturally the check uses `.some()` so if any of the user's roles is APEditor, read-only applies regardless of other roles.
     

     

    Best regards,

    Valantis

     

    ✅ If this helped solve your issue, please Accept as Solution so others can find it quickly.

    ❤️ If it didn’t fully solve it but was still useful, please click “Yes” on “Was this reply helpful?” or leave a Like :).

    🏷️ For follow-ups  @Valantis.

    📝 https://valantisond365.com/

    💼 LinkedIn

    ▶️ YouTube

  • Suggested answer
    RaghavMishra Profile Picture
    261 on at

    Hi there,

    Good question - this is a two-part solution, because "read-only" for a subgrid actually means two different things (inline editing vs. the New/Delete command buttons), and each has its own supported mechanism.

    Step 1 - Detect the role reliably (handles multiple roles)

    Use the supported client API Xrm.Utility.getGlobalContext().userSettings.roles. This returns a collection of lookup objects (GUID and display name) for every security role assigned to the user, including roles inherited through teams. Because it's the full set of the user's roles, the multi-role case (System Administrator + APEditor) is handled automatically - you just check whether "APEditor" exists in the collection.

    A couple of notes worth knowing: the older userSettings.securityRoles property is deprecated, so use roles. Checking by role GUID rather than display name is more robust, since names can be renamed.

    Step 2 - Disable inline editing on that subgrid

    In a form OnLoad handler, get the grid control and disable it:

    formContext.getControl("Subgrid_new_18").setDisabled(true);

    setDisabled is a documented method on the GridControl and turns off inline editing for that specific control only - it doesn't affect the user's privileges anywhere else.

    Step 3 - Hide the command-bar buttons (New, Add Existing, Delete)

    setDisabled stops inline edits but doesn't remove the ribbon buttons, so handle those in the Command designer. For each command (New, Add Existing, Delete) on that subgrid, set Visibility to "Show on condition from formula" and supply a Power Fx condition so the button is hidden for APEditor users. This is the supported, declarative way to control command buttons and is more reliable than trying to hide them from JavaScript.

    Doing Steps 2 and 3 together gives you a subgrid that is viewable but fully locked down (no inline edit, no create, no delete) for APEditor users, while leaving their permissions elsewhere untouched.

    References:

    Found this helpful? Please mark ✅ "Does this answer your question?" so others searching for the same issue can find it quickly. A 👍 on "Was this reply helpful?" or a ♥ Like is also much appreciated!

    Raghav Mishra - LinkedIn | PowerAI Labs

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Season of Sharing Community Challenge Launch!

Jump in, show your community spirit, and win prizes!

Kudos to our 2025 Community Spotlight Honorees

Expanding mentorship, skilling, and AI innovation

Congratulations to the May Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Valantis Profile Picture

Valantis 424

#2
WarrenBelz Profile Picture

WarrenBelz 355 Most Valuable Professional

#3
11manish Profile Picture

11manish 290

Last 30 days Overall leaderboard