Secure the dataverse tables as the workflow progress


We have these high-level business process specifications:

1) Any user inside our organization can create a new request.

2) The system will send an email to the user's direct manager to approve or reject. This can be done using a "Manager Approval" drop-down list which has 2 options, "Approve" & "Reject".

3) If the request type is "Financial"

4) The Financial manager needs to approve this request as well, after the manager approval. This can be done using a "Financial Manager Approval" drop-down list which has 2 options, "Approve" & "Reject".

5) Once approved by the Financial manager or the manager (in case it is not a financial request), the request will be closed.

6) Closed requests cannot be modified by any user or manager.

Now we want to implement these restrictions as well:

1) When the process is assigned to the manager or the financial manager, then only the related manager can edit the item. For example, when it is assigned to the user's manager, then neither the user nor the financial manager can modify the item.

2) The user's manager and the financial manager can only modify their approval lists ("Manager Approval" & "Financial Manager Approval"), and they cannot modify the user's submitted data. Also, the users should not be able to modify the managers' drop-downs, either on the client side or on the back-end side.

So is this business process something that can be achieved using Dataverse and Power Apps? Or is Dataverse not designed to cover such a process?

Thanks in advance for any help.

 

  • Parvez Ghumra
    1,579 Moderator

    @johnjohn123 If you assign Security Roles to the Manager and Financial Manager users (either directly or via Team membership) such that they are granted user/team level Write/Update permissions on the Request table, and ensure the records are automatically assigned to the user/team from whom approval is requested, this should achieve your first requirement.

     

    You need to enable Column Level Security on the 'Manager Approval' and 'Financial Manager Approval' columns on the Request table, and create corresponding Column Security Profiles to grant Read and Update permissions on each of these columns and assign these profiles to the relevant users. You'll also need additional Column Security Profiles to grant only read permissions on these columns for non-approving users.

  • Drew Poggemann
    9,287 Most Valuable Professional

    Hi @johnjohn123 ,

     

    #1 - If you only want the manager to have access to the record at the time they are "assigned" to view the record then I would utilize Access Teams to assign the manager to an access team on the record.  You can assign the manager to the record this way with them having the ability to do whatever you assign the access team capabilities.  Old article but aligns well still (https://www.quantacrm.com/2016/12/19/setup-access-teams-dynamics-365-crm/).

     

    If you want to allow the employee's manager to be able to update the record at any time then you can implement hierarchical security (https://learn.microsoft.com/en-us/power-platform/admin/hierarchy-security).

     

    #2 This is a more complicated requirement as field level security could be an option here but this is not row level enabled but only field level so it applies to all rows within the table.  Field level security could lock specific fields to only be updated by users assigned to the field security profile...

     

    If it were me, I would actually have the approvals be a related table with a 1:N from the request.  This would provide the flexibility to manage a multi-level hierarchy of approvals with tracking specific approval information (dates / times, comments, etc.).  You could have fields on this related table that would support what could be overridden back to the main request table and use Power Automate to do this update if approved (either automatically or by the requestor based on business need).

     

  • johnjohn123
    3,506

    @dpoggemann OK, thanks for the reply. So if I understand your points, then you are saying that if I apply a field level profile it will be applied to all the rows? So I cannot define a different profile for a field inside a row?

    Second point: so I should not create a single table to store the users' info and the managers' approvals? I will need to create a separate table for the approval? What is the reason? I do this when using SharePoint, as SharePoint does not support field level permission, but I thought in Dataverse things are different and we can use one table and define who can edit which fields? Can you please advise?

  • Drew Poggemann
    9,287 Most Valuable Professional

    Hi @johnjohn123 

    Field level security is applied to all rows.  Example, if you create a field security profile that hides a Social Security Number except for your HR department then this applies to all rows in that table and when you assign the HR to the security profile they will be able to see the number where everyone else will see "*"s in the field hiding the value.

     

    The challenge is you want the Manager and Finance to only update limited columns on the table.  Any time you give a person access to the record with write privileges (either by sharing, access teams, role, etc.) they would be able to update any of the fields that are not secured by a field level security profile.  So if you wanted to use one table you would need to do something like this:

    1. Create Field Security Profile that would basically allow all users to read, create, update the information on the Requests (except for the manager and the finance fields which you would give read access, may need create as well...).  This would allow anyone with this profile to create and update requests.
    2. Create another Field Security Profile that would be for the Managers (or two if you want one for the Finance as well with different fields).  You would need to give them read access to each of the fields they can view on the request and update capability on the fields they could maintain.

    You can assign field security profiles to teams vs. just individuals.
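
A simplified model of the evaluation described in the replies above, added here as an illustration (it is not code from any poster and not a Dataverse API): an update succeeds only if the user has row-level write access, modelled here as owning the row, and the column is either unsecured or one of the user's column security profiles grants update. The column names `title` and `amount`, the user names and the function names are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical columns on the Request table (names are assumptions).
DATA_COLS = {"title", "amount"}
APPROVAL_COLS = {"manager_approval", "financial_manager_approval"}
ALL_COLS = DATA_COLS | APPROVAL_COLS

@dataclass
class User:
    name: str
    # column -> rights granted by the user's column security profiles
    column_rights: dict = field(default_factory=dict)

def can_update(user, row_owner, column, secured_columns):
    """Row-level write access AND (unsecured column OR profile grants update)."""
    if user.name != row_owner:         # row not assigned to this user
        return False
    if column not in secured_columns:  # unsecured: row access alone is enough
        return True
    return "update" in user.column_rights.get(column, set())

def editable_columns(user, row_owner, secured_columns):
    return {c for c in ALL_COLS if can_update(user, row_owner, c, secured_columns)}

# Constructed profiles: requesters update their data, read the approval columns.
REQUESTER = User("requester", {
    **{c: {"read", "update"} for c in DATA_COLS},
    **{c: {"read"} for c in APPROVAL_COLS},
})
# The manager reads everything and updates only "manager_approval".
MANAGER = User("manager", {
    **{c: {"read"} for c in ALL_COLS},
    "manager_approval": {"read", "update"},
})

if __name__ == "__main__":
    # Only the approval columns secured: the assigned manager can still
    # overwrite the submitted data, because those columns are unsecured.
    print(sorted(editable_columns(MANAGER, "manager", APPROVAL_COLS)))
    # Every column secured: the manager is limited to the approval column.
    print(sorted(editable_columns(MANAGER, "manager", ALL_COLS)))
    # While the row is assigned to the manager, the requester edits nothing.
    print(sorted(editable_columns(REQUESTER, "manager", ALL_COLS)))
    # Before assignment, the requester edits only the submitted data.
    print(sorted(editable_columns(REQUESTER, "requester", ALL_COLS)))
```

The first case is the gap to check for when testing a single-table design: securing only the two approval columns leaves the submitted data writable by whoever currently holds the row.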

  • johnjohn123
    3,506

    @dpoggemann OK, thanks for the clarification, but for the financial manager this is fine as the manager is one person. But the user's manager is different for each user, so how can I manage the case where users' managers can only update the records for their users? I think in this case these records will be assigned to the user's manager, am I correct?

    So one table will not work in my case, and I will need separate tables as follows:

    1) table for the users' data

    2) table for the financial approval

    3) table for the manager approval

    So I can control who can edit which row based on the assignment of the records. Field level will not be beneficial for me, am I correct?

  • Drew Poggemann
    9,287 Most Valuable Professional

    Hi @johnjohn123 

     

    Have you reviewed the Access Teams and the Hierarchical Security capabilities?
