I’m building a PowerApp that allows users to place orders. To prevent misuse, users must designate a co-owner (who will share responsibility for unauthorized actions).
My concern is that giving users direct write or update permissions in Dataverse could lead to issues. They could potentially input unauthorized values into the table - values that must be validated through the app. For instance, users need to select folders from their own SharePoint, and there’s nothing stopping them from directly setting the "Approved" field to true, bypassing the approval process.
To mitigate this, I’ve designed Flows for creating, approving, and canceling orders. These Flows use a service account with full access to the table. However, I’m realizing that I still need to share these Flows with users, which introduces a challenge: ensuring that only the designated co-owner, who is the only person able to see the button in the Canvas App, can trigger the approval Flow.
Given this situation, what is the best practice for scenarios where input into a Dataverse table must be strictly controlled through a Canvas App, and we need to prevent users from bypassing validation or accessing restricted functionality directly?
