Security based on custom entity


Hi,

I am working on my first model driven app and have created a data model. Now I have some issues creating the right security levels. I hope you could help me out.

What am I trying to achieve:

I want to give users access to only the records of their own organisation. These are external users (from outside my organisation) and I am planning on doing this using Business Units. Each organisation is related to a Theme. I created a custom entity to define those themes. Also I have a different custom table where information is stored that my users should be able to access. This information is also related to a theme. Now I am struggling with creating the security level where my users will only see the records that have the same theme as their organisation (business unit).

 

Does anybody know how to achieve this? Thank you in advance!

  • joe_hannes_col
    1,843 Super User 2024 Season 1

    Hello @jvdlbom

     

    As you probably know, you can define the ownership of a record as either user/team or organization.

    Then, when you create or modify a security role, you can define which records a user with this role has access to: https://docs.microsoft.com/en-us/power-platform/admin/wp-security-cds

    If you align the privileges for your tables and the ownership of related records, users with the same role should only see related records.

    So setting the owner of your records would be key.

     

    If you want to automate this process, you could use:

  • jvdlbom
    13

    Hello @joe_hannes_col ,

     

    Thanks a lot for your response. I am quite new to model driven apps, so I think that is why I am struggling a bit. Your answer does help me but I have a follow-up question:

     

    The themes I mentioned are predefined, you can see it as a Branche an organisation operates in. Multiple organisations can be related to a theme. Is it possible to give multiple owning business units to a record? If not, is there any other way to filter the views based on one custom entity that is related to the business unit?

     

    I hope this clarifies my question and thanks again for your help. It is much appreciated.

  • joe_hannes_col
    1,843 Super User 2024 Season 1

    Hello @jvdlbom,

     

    You can define a hierarchy of business units. You can then specify if parent business units can access child business units' records. Here's some more information: https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/security-dev/hierarchical-security-control-access-entities?view=op-9-1

    Adding multiple business units as owners is not supported as far as I know. As an alternative to business units, you could consider using access teams: https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/use-access-teams-owner-teams-collaborate-share-information?view=op-9-1#when-to-use-access-teams

     

    To view related records, you could insert a subgrid of related records into your form in the model driven app. For example, you could add a subgrid pointing to the custom table into your Theme form. This would display only related records. However, your users would only see related records that they are allowed to see based on their security role.

    To define the columns displayed in the subgrid, you can modify the view of the custom table: https://docs.microsoft.com/en-us/powerapps/developer/model-driven-apps/customize-entity-views#types-of-views

     

  • EricRegnier
    8,720 Most Valuable Professional

    Hi @jvdlbom,

    As @joe_hannes_col alluded to, granular and segregated is supported with the out-of-the-box (OOB) security model. You might not need to define a custom entity for theme/business unit as there is a business unit security entity/table that comes OOB. You mentioned that your users are external, are they in your O365 user with a proper license? If not, these users won't be able to use/interact with your model-driven app without a proper license. Would you be able to elaborate on these users and how they would authenticate and use the app?

    Thanks

  • jvdlbom
    13

    Hi @joe_hannes_col and @EricRegnier ,

    Thanks a lot for your responses. I am looking at your information and I am still trying to figure out what is the way to go. I tried to clarify the situation below:

    jvdlbom_0-1628058354502.png

    I have a few tables. In the Business unit table I store the different organisations that are using the system. A user is stored in the user table and should only be able to access data from his own BU. Also a Business Unit is related to a theme. In the Base data I store information that the organisation uses to create the transactions. For example: In the base data table I store to-dos that every BU related to a specific theme should finish. I use the transaction table to store the information regarding the to-do for a specific business unit (is it started, in progress or finished).

     

    The thing I am trying to develop is a security model that allows a user related to a business unit to only see his own transaction records and is able to only see the base data that is related to the same theme as his business unit.

     

    Regarding the sharing: I am planning on creating the users as guest users in Azure AD. In Office 365 I will assign them a license. This should allow them to interact with the app: https://powerusers.microsoft.com/t5/Building-Power-Apps/Share-model-driven-app-with-guest/td-p/442352

     

    Thank you again for your help!

  • Verified answer
    EricRegnier
    8,720 Most Valuable Professional

    Hi @jvdlbom, sorry for my late reply. 
    I think I understand what you are trying to do and it is achievable OOB; you might need to re-create some tables, unfortunately. First, you shouldn't create a custom User table; use the OOB one. Same thing with Business Units (see tips #5 and #7: https://powerusers.microsoft.com/t5/Power-Apps-Community-Blog/Top-15-best-practices-when-configuring-Power-Platform-and/ba-p/850804). Ensure your Transaction and Base tables are created as user-owned (see tip #6 in the link above); this will ensure you can get the security level to only users within the BU.
    Then to ensure the users only see the records related to their BUs, follow these steps:

    1. Set the privileges of the security roles assigned to the user to business unit level
    2. Make sure the Transaction, Theme and Base table records are assigned to the right user (or team) in the correct BU. Note: if the same Theme can be used across different BUs, then you'll need to create one per BU.

     Hope this helps a little more!
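
A simplified model of the ownership-based read check the verified answer relies on, as an added example that is not part of the thread and not Microsoft's code. The business unit names, users and records are constructed, and team ownership and record sharing are left out. It shows why a Base record held once in a parent BU stays invisible to users whose role is scoped to Business Unit, which is the reason for the "one per BU" note.

```python
from dataclasses import dataclass
from enum import IntEnum
class Depth(IntEnum):      # access level set per table in a security role
    NONE = 0
    USER = 1               # only records the user owns
    BUSINESS_UNIT = 2      # records owned within the user's own BU
    PARENT_CHILD = 3       # the user's BU plus every BU below it
    ORGANIZATION = 4       # every record in the environment

BU_PARENT = {"Root": None, "OrgA": "Root", "OrgB": "Root"}  # constructed hierarchy

@dataclass
class User:
    name: str
    bu: str
    read_depth: dict       # table name -> Depth granted by the user's role

@dataclass
class Record:
    table: str
    name: str
    owner: str
    owner_bu: str          # BU of the owning user: the owning business unit

def in_subtree(bu, top):
    """True if bu is top itself or sits anywhere below it."""
    while bu is not None and bu != top:
        bu = BU_PARENT[bu]
    return bu == top

def can_read(user, rec):
    depth = user.read_depth.get(rec.table, Depth.NONE)
    if depth == Depth.PARENT_CHILD:
        return in_subtree(rec.owner_bu, user.bu)
    if depth == Depth.BUSINESS_UNIT:
        return rec.owner_bu == user.bu
    if depth == Depth.USER:
        return rec.owner == user.name
    return depth == Depth.ORGANIZATION

def visible(user, records):
    return [r.name for r in records if can_read(user, r)]

BU_ROLE = {"base": Depth.BUSINESS_UNIT, "transaction": Depth.BUSINESS_UNIT}
ALICE, BOB = User("alice", "OrgA", BU_ROLE), User("bob", "OrgB", BU_ROLE)
RECORDS = [                # constructed sample data
    Record("base", "todo-1 (OrgA copy)", "alice", "OrgA"),
    Record("base", "todo-1 (OrgB copy)", "bob", "OrgB"),
    Record("base", "todo-1 (shared, Root)", "admin", "Root"),
    Record("transaction", "todo-1 in progress (OrgA)", "alice", "OrgA"),
]
```

Raising the role to the parent/child level does not help the external users either: that level reaches downward from the user's BU, so only a user placed in Root would see all four records.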

  • jvdlbom
    13

    Thanks a lot @EricRegnier, your response and article clarify a lot!
