Answered

Help implement permission scenario for different locations

(0) Share

Report

Posted on by mrstian89

315

My app keeps control of Equipment in a big company. We have several locations, and wants to give permissions based on location.

I need help setting up the following permissions for Power App / Dataverse:

Security levels

Each location has been split in to four permission levels (security groups).

Read access
Loan / return access (must be able to write the loan status to the table)
Data maintainer (can add/edit equipment, have access to send items to service)
Administrator (admin panel for adding locations, categories, departments, etc).

Table content

I have one table which separates datatype with the following columns:

Location
Datatype
ItemNo

An example:

DIFFERENT ITEMS:
Location 1 - Equipment - 1 - Headset...
Location 1 - Equipment - 2 - Laptop....
Location 2 - Equipment - 1 - TV.....
Sandbox - Equipment - 1 - TestTest...

LOGS FOR THESE ITEMS:
Location 1 - Log - 1 - Headset - Loaned....
Location 1 - Log - 1 - Headset - Returned..
Location 1 - Log - 1 - Headset - Repaired...
Location 2 - Log - 1 - TV - Loaned ...

ISSUE 1

When starting the app, you get a choice of different locations from a dropdown menu (possible to change in app afterwards).

Dropdown will cotain the following data:

ClearCollect(collectLocation,(Distinct(Filter('Equipment List',DataType = "Location"),Location)));

How can I make sure that only that the user can only see the location he/she has access to through the security group?

ISSUE 2

When you have chosen the location, the app will only show data from that location inside the app. It is not possible to transfer items from one location to another by design.

How do I make sure that only people with the correct security group can write to the table?

The security role will be set to team/user i suppose. But how do we make sure that all the items from Location 1 is owned by the Location 1 team, with the right permissions?

ISSUE 3

When loaning equipment you write a new row to the table (log entry) and you update the equipment information row.

These are the same write permissions in the security role as is required for a data maintainer.

Is it possible to use security groups to hide/show buttons inside Power Apps? If you have data maintainer access, you will see the edit / add new item buttons?

Thankful for any help regarding these problems!
I have looked around, but couldn't not easily find a solution for my needs.

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (8)

Answers (1)

Drew Poggemann 9,287 Most Valuable Professional on at

Like (1)

Report

Hi @mrstian89 ,

First thing, you mentioned the users will only have access to the records across 4 "Security Groups". Security Group is an Azure Active Directory concept and I assume you have built roles in Dataverse and assigned these roles to the Teams that are related to the Security Group right (https://docs.microsoft.com/en-us/power-platform/admin/manage-group-teams)?

Issue #1

If you have the security roles setup appropriately and assigned to the user then it will only return the records that are visible for the user automatically. Dataverse will utilize the roles and not return any records the user does not have ability to view. If this is returning records outside of this then the security is not being applied as you expect.

Issue #2

You will need to have logic somewhere like a real-time workflow setup in Dataverse (which is what I have done in the past) or another approach that will set the owner of the record based on the Location value on the record. The owner would be set to the Team that is responsible for that location so I assume you will have "multiple security groups in Azure AD" that map to multiple teams in Dataverse. Example, "Security Group Location 1" in Azure AD would map to "Team Location 1" in Dataverse.

Issues 3

On this one, you are maintaining the log entries in the same table as your equipment with really different logic and roles responsible. Overall I would keep these separate as they have different business rules / logic and use a relationship to relate the Equipment table to the Log table.

Hope this helps. Please accept if answers your question or Like if helps in any way.

Thanks,

Drew

Was this reply helpful? Yes No
mrstian89 315 on at

Like (0)

Report

Thanks for responding!
I am now able to set record owner based on an Azure Team from the Dataverse team table.

Any suggestion on how to solve the problem that I am planning 4 different security groups (teams) per location, which will use 4 different security roles.

Loaner team from location 1 will then not be able to see records owned my maintainer team from location 1?
I feel I am missing the last piece of the puzzle to be able to pull this off. 🙂

Was this reply helpful? Yes No
Verified answer

Drew Poggemann 9,287 Most Valuable Professional on at

Like (1)

Report

Hi @mrstian89 ,

I updated this in your other post as well. You really might want to consider business units here if you are trying to lock down by location and have the roles all have access to records within that location. This is what Business Units are setup to do from a security perspective. I created the following diagram to represent this and hopefully help you understand what I mean. Maybe it won't make sense for your situation but it appears it could. You can. not assign multiple teams to the same record and I think you are going to have a tough time managing the security like you are trying to do without looking at this type of approach below.

Hope this helps. Please accept if answers your question or Like if helps in any way.

Thanks,

Drew

Was this reply helpful? Yes No
mrstian89 315 on at

Like (0)

Report

Thank you again! 🙂
I am just a citizen developer. When I talked to IT last week, they said that it wouldn't be possible for a use case like this with business units in our company. I believe it was due to many different developers in the same enviroment, and that users only can belong to one business unit.
IT said it was possible to pull this of using Teams, but of course I didn't get the full "how to". 🙂

Was this reply helpful? Yes No
Drew Poggemann 9,287 Most Valuable Professional on at

Like (0)

Report

Hi @mrstian89 ,

Well the primary challenge is you can only assign a single team. You would need to "Share" with all other teams that you want to have access and when you share you would need to identify the permission you want to share the record. This is "doable" but it could be challenging to maintain. Maybe walk through with IT your challenges here and see if they have a different idea :).

Thanks!

Drew

Was this reply helpful? Yes No
jaredbidlow 256 on at

Like (0)

Report

I'm curious of the progress on that is being made off-line. I have a similar "Equipment list" powerapp and multiple locations.

Was this reply helpful? Yes No
mrstian89 315 on at

Like (0)

Report

Ended up using Azure Groups.
3 per locations: Read, Loan, Maintain.
Maintain and Loan is a member of read.
Flow changing the record owner to "Location X Read" based on the location column when a record is created.

Was this reply helpful? Yes No
jaredbidlow 256 on at

Like (0)

Report

The equipment inventory or tools database is still eluding me, but it sounds like it works for you. Are you using a model-driven app?

Was this reply helpful? Yes No