Unanswered

Any ideas on how to make references to Dataverse security roles dynamic?

(0) Share

Report

Posted on by arpost

455

Greetings, community. I am trying to plan for a multi-application development architecture with canvas apps and the Power Platform on top of the Dataverse (with standard ALM Dev, Test, Prod environments) and need some help regarding security role usage for role-based security. I know it is possible to look up the security roles assigned to Dataverse users, but all of the documentation I see regarding implementing a role-based UI is text-driven, (e.g., "Role ABC" in AssignedUserRoles).

Given that I could have 1, 3, 5, etc. apps, referencing roles via role name is a terrible idea as it would require re-deploying if ever role names change (e.g., "Role ABC" is renamed "Role DEF"). I am hoping there is a way to reference a role similar to a Dataverse Choice or canvas app variable so that the role names align with the role regardless of the environment the app is in.

Does anyone have ideas? Is anything like this possible in the Dataverse already (e.g., a Choice list that automatically includes security roles in an environment)?

Categories:

Building Power Apps

I have the same question (0)

All responses (3)

Answers (0)

Michael E. Gernaey 53,335 Super User 2025 Season 2 on at

Like (0)

Report

@arpost

not really because you aren't changing the Name. You may change the label, but changing the name would require you deleting and recreating it.

So I am not sure the issue.

Normally people would create a Roles mapping List (Sp) for Canvas Apps, even if you query them which is fine, you aren't changing them often and if you are, then thats a bad security model you have.

Truly...

If you add more you would have to redeploy anyway because the app won't know.

So yes I have stuff in my head and used, but its not for the reasons you put.

If I have helped you, I would really appreciate if you please Mark my answer as Resolved/Answered, and give it a thumbs up, so it can help others

Cheers

Thank You
Michael Gernaey MCT | MCSE | MCP | Self-Contractor| Ex-Microsoft
https://gernaeysoftware.com
LinkedIn: https://www.linkedin.com/in/michaelgernaey

Was this reply helpful? Yes No
arpost 455 on at

Like (0)

Report

The issue is each app has to be configured to (1) pull the list of security roles and (2) wire them up to screens/components. The typical process recommended online is to use the role names (e.g., if user's security roles contains "ABC Admin"), which isn't a great idea given that names could change (i.e., "ABC Admin" becomes "DEF Admin"). If used, this would require you open EVERY app using the role and update EVERY reference to EVERY role name if the name changed.

There doesn't seem to be any sort of Microsoft-managed variable like with Choices that are automatically wired up to roles and move from environment to environment with a solution:

This means I'll need to create my own approach to (1) make it easy to reference roles in app code, (2) ensure roles don't break if a name changes, and (3) simplify this so it works with numerous apps.

Before I go creating my own solution, I want to be sure there isn't a more dynamic way out-of-the-box and that I am not trying to reinvent the wheel.

Was this reply helpful? Yes No
Michael E. Gernaey 53,335 Super User 2025 Season 2 on at

Like (0)

Report

Hi @arpost

Again, you cannot change the name so I am not sure why you repeated it. A role has a label and a name.

You can change the label, you cannot change the name. Changing the Name requires you to delete it and recreate it.

And this is the same model that exists because no matter what you do you would have to change it.

I have some code

Do I want the person to be able to run the code. To do that I have to check if they have the role. If you don't want to compare by "Label" which you keep calling name, then don't, compare by the schema logical name which won't change.

If you are adding more roles then you still have to put logic for them in the App.

If User has Role A

Run code

End if

But now I want Role B to also run it, so If User has Role A or Role B

But instead You could do this

If User Has a Role that can run this code

Run code

End if

Then have a list of roles that can run this code (or a security group)

Have your code validate that ANY of the roles exist in your "group/list"

SharePoint List

RoleA

RoleB

RoleC

Features A

RoleA

RoleC

Code

For Feature A who can run it

Then Check if any of their roles are in that list. Now you aren't comparing Role Names or Security Group Names, you are looking at a mapped list of Roles that can do that code.

Now you can change "labels" names add more whatever and it will instantly work without redeploying UNLESS of course you add more code.

I like to use Custom Components to compartmentalize my code so that the approach up there is easy.

If user has ANY of these Roles (Fitler/Lookup) CountRows() > 0

then every function is valid for them to run..

If not set a custom property to NoPermission or something.

This way you aren't constantly guessing 🙂

One approach or the other is what you have for options.

If I have helped you, I would really appreciate if you please Mark my answer as Resolved/Answered, and give it a thumbs up, so it can help others

Cheers

Thank You
Michael Gernaey MCT | MCSE | MCP | Self-Contractor| Ex-Microsoft
https://gernaeysoftware.com
LinkedIn: https://www.linkedin.com/in/michaelgernaey

Was this reply helpful? Yes No