web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro - Series II
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Ideas on how to hide c...
Power Apps
Unanswered

Ideas on how to hide confidential attachments?

(0) ShareShare
ReportReport
Posted on by JasonPan 4

I am looking for options to hide attachments (in the Customer Service module or any model driven application) from specific users on a "case by case" basis. Here is the scenario:

 

A case will have documents uploaded and some of these documents may contain sensitive information. If the document is flagged for sensitive information, it should only be visible to the person who uploaded, case owner, and an investigator. Other users should not be able to view that specific file. 

 

It would be preferable that the data can be reported on if possible. 

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • cchannon Profile Picture
    cchannon 4,702 Moderator on at

    Hi @JasonPan - are we talking about a Federal 1811 use case here? I've cracked that nut several times in the past and there is a lot to consider. Feel free to DM me to talk about it.

  • Jonathan Manrique Profile Picture
    Jonathan Manrique 2,695 on at

     

    Hi @JasonPan 

     

    An option that you could use is field security profiles to be able to do what you ask for.

    The first thing is that the attribute must be declared in this way

     

    Jmanriquerios_0-1698390076347.png

     

    Then you create a new security profile and configure the behavior

     

    Jmanriquerios_1-1698390136439.png

     

     

    This way you can give permissions to users at the user or team level and it will be much easier to control

     

    If I have answered your question, please mark your post as Solved.

    If you like my response, please give it a Thumbs Up.

    You can accept more than one post as a solution

     

     

  • ivan_apps Profile Picture
    ivan_apps 2,189 Moderator on at

    First question is - in what manner are they uploading these documents?  Is it through a File column or via Note attachments or through the SharePoint Document library integration?

     

    Ideally I would imagine that you are storing these type of documents in SharePoint integration libraries because I don't think you want to use up your Dataverse capacity on only documents.  You would essentially manage sharepoint document libraries by a set of flows that limit access to documents to the creators by default (break inheritance), and share to the case owner and investigator who you would have to create a sharepoint group for.

     

    Likewise you would probably create Dataverse team for Investgators unless you are assigning an investigator per case. Then have your flows sync permissions between the selected Investigator, Case Owner, and anyone else that needs access.

     

    Reporting - Not sure what reporting you'd like, but anyone with the appropriate dataverse roles can create reports in Power BI or create views for getting data from the case. If you'd like to report on the attachments, you'd have to explain how that would look like but using metadata on document library items is a good way to categorize information for searching later on.

  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @JasonPan,

    For attachments I assume you're referring to attachments from emails or notes? If so, unfortunately it cannot be achieved for CLS (column level security). You need to achieve it with Dataverse security modelling capabilities by setting the privileges to view/edit to user-level only Notes (annotation) for notes attachments and on Activity table for emails. This way only the owner of the record (ie note and/or email) can view the related attachments. If the attachments need to be accessible by >1 users, then the note/email can be assigned to a Team and all members of the team will have access. You'll need to manage teams and their membership though within your system.

    Important: you cannot specify privileges just on email, it's on activities so changes to activity privileges will also impact all other activity types like tasks and phone calls (if you're using them).

     

    You can also restrict access to attachments with business units (BU) and set the privileges to BU level (instead of user-level) so only the users within that BU can view these attachments. You'll need to update/setup your users to be part of the correct BU accordingly.

     

    There are also more security features to address exception scenarios like:

    1. Sharing - more for adhoc situations and not recommended in automated scenarios: https://learn.microsoft.com/power-apps/developer/data-platform/security-sharing-assigning
    2. Hierarchyhttps://learn.microsoft.com/power-platform/admin/hierarchy-security
    3. Modernize BUs: https://learn.microsoft.com/power-platform/admin/wp-security-cds#record-ownership-in-modernized-business-units

     

    Security in Dataverse and model-driven apps is mature, robust but complex.... It does require proper analysis and suggest getting familiar with it before taking a design decision. Remediating security afterwards is even more difficult.... More info on security modelling: https://learn.microsoft.com/power-platform/admin/wp-security-cds 

     

    Hope this helps a little...

  • JasonPan Profile Picture
    JasonPan 4 on at

    Hey @Jmanriquerios thanks for the response. If I'm understanding this correctly, in this format, we would not be able to have case-based granularity?

     

    Case 1 = User 1 and User 2 can view

    Case 2 = User 3 and User 4 can view

    Case 3 = User 1 and User 3 can view

    etc.etc.

     

    The given example is the type of granularity we would need. The users are determined by, case owner, portal contact, etc. 

  • JasonPan Profile Picture
    JasonPan 4 on at

    Hey @ivan_apps, yes indeed we are using SharePoint library integration. I think you are on the right track as your solution makes sense. Could you expand a bit on how we would "sync permissions"? An investigator can be assigned more than 1 case (same thing with case owner, etc.) 

     

    Reporting - if someone can report on the files, like number of files, etc. wouldn't that require them to have view of confidential documents (at least view of case title etc.)?

  • cchannon Profile Picture
    cchannon 4,702 Moderator on at

    The SharePoint connector for Power Automate has all the actions you would need. It would require "breaking inheritance" on those sensitive files (i.e. taking away all permissions to them other than admin), then adding permissions back in for those targeted individuals.

     

    Just be advised: breaking inheritance on a per document basis has a real impact on SharePoint query efficiency, so if your site is large or you are securing a large number of documents this way, you can start to slow down your site and SharePoint may even force you to spin up new sites.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro - Series II

Quick Links

Season of Sharing Community Challenge Launch!

Jump in, show your community spirit, and win prizes!

Kudos to our 2025 Community Spotlight Honorees

Expanding mentorship, skilling, and AI innovation

Congratulations to the May Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Valantis Profile Picture

Valantis 463

#2
WarrenBelz Profile Picture

WarrenBelz 364 Most Valuable Professional

#3
11manish Profile Picture

11manish 275

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans