Implementing Role Based Security in Power Apps

Captions
Hello everyone, this is Reza Dorrani. Today's video is chapter one in my role-based security series in Power Apps. I will show you how we can check the logged-in user's role from a SharePoint list, a SharePoint group, a Microsoft 365 group, as well as a security group. So let's get started with the video, but first my introduction.

The scenario for the role-based Power App here is a very simple travel request app. This is the home screen of the app, where the user sees only their requests. They can filter their requests right here, the user can modify an existing request, or the user can go ahead and create a new travel request on the fly. Additionally, I also have an admin screen, which basically shows all the requests that are available as part of the system. So in this case, in my data source I only have three records; I'm trying to keep this very simple for the demo. Three travel requests: two of them were created by Reza and one was created by a user called Sarah. So as an admin I can see all the requests, whereas if I go to the home screen I will only see the current logged-in user's requests.

Now the data source in question here is a SharePoint list of travel requests. It's a very simple SharePoint list, and I literally just leveraged the Microsoft Lists template to create this. Now in SharePoint, whenever we create a site, we have two options to create a site: it could either be a team site or it could be a communication site. Now it's very important to understand how the security of both of these sites plays out. When you create a team site, you are basically creating a Microsoft 365 group, an identity in Azure AD that gets generated when you create your team site. In this example right here, this is a team site template that I have leveraged, and if I head over to the settings and go to Site permissions, you will observe right here that if I go and invite people, I'm going to be adding the members or the users to groups, and these are my security groups. And what is the security group? It's the Microsoft 365 group or Office 365 group in Azure AD, and for every user that I add I can make them a member or I can make them an owner.

Now if I head over to Azure AD and go to Groups and search for the name of my SharePoint site (in my case this site is called HR), you will observe right here that identity that's created in AD; it says there's a group created of type Microsoft 365. So the permissions or the security of a team-based SharePoint site is actually driven from Azure AD. On the other side, if I was to create a communication site, in that case the security is driven from SharePoint groups. Now in the same HR site I have gone ahead and created a couple of my own SharePoint groups. Now these are purely SharePoint groups; they live within that SharePoint site. These are not groups that are getting generated in Azure AD. So when you create a communication site, in that case the members and the owners would actually be SharePoint groups. In this site I also have Members and Owners, and if I head over to that SharePoint group, which in this case is HR Members, observe that it is connected to that security group in Azure AD.

The next important thing to understand about Power Apps is, once you build your app and you connect it to your data source (in my case SharePoint), how does the sharing and the security work? Now for this app, if I head over to Share, I can go and share this app with my users. So let's go ahead and share this app with another user. Right now I have another user called James, so I'll go and share this app with James as well. Now a very important thing to understand here, and it's kind of highlighted right here for us: when I am sharing this app with James there's something known as data permissions, and these basically are the connectors that I am using in my app. Currently I'm leveraging all of these connectors; of course I'm using SharePoint because I'm connecting to my SharePoint list. Now if you read the message here, it says "make sure your users have access to the data used in the app". That means it's your responsibility to ensure that the logged-in user has access to those SharePoint lists; otherwise they're going to get an error.

So let's go ahead and try this out. In this case I'm going to share this app with James; I'm going to click Share. So James is going to get an email with a link where James can directly go and access this app. At the same time, if I head back to my SharePoint site and look at my group membership here (because it's a team site), you see I have not shared anything with James yet; James has no access on this SharePoint site. So what happens if James logs in? Right now I'm signed in as James, and James is trying to access that app because I have shared the app with James, but I have not shared the permissions. So when James logs in he has to go ahead and allow permissions to those connectors. Now here's a key point again: when James logs in, if you notice, the SharePoint connector is going under James's account. So when you're connecting to SharePoint it is always going to connect to the SharePoint connector with the logged-in user's credentials only. You cannot impersonate; you cannot do that in Power Apps. And right here James is going to connect to SharePoint with his own account. So now if I click Allow, what's going to happen is it's going to go ahead and lead me directly to the app, getting some error messages right here because it failed to connect to the list. If James tries to go ahead and create a new travel request, he does see the form here, but let's say I go and try and submit this: notice nothing happens, and the reason is that James does not have the access in the backend SharePoint site. So you have to ensure that you're not only sharing your app with your users but at the same time you're granting that user access to the SharePoint site as well. So in this case I will go ahead and make James a member of my SharePoint site, and this time, when I sign in as James, if I go ahead and create a new travel request, and I've just gone in and plugged in some sample data, and I just submit my request, there I go, it's successful, and now James can see his own travel requests on the home screen.

So it's very important to understand that Power Apps is going to respect the security in SharePoint. So if you would like your users to not have access to specific records in a SharePoint list, you would have to actually go ahead and break security there; you have to handle true security in SharePoint. But the goal of this video is to show you how you can create these role-based apps wherein, based on the logged-in user's role, we will show different options to the user.

So on the home screen, My Travel Requests, how am I showing just the current logged-in user's requests? Well, right here where I'm filtering the data for my gallery I have a very simple condition which says show me all the data; of course I have additional filters here, but the main filter here is on Created By dot Email (that's the column in SharePoint that holds the created-by user's information): get the email of the created-by user and check to see if this matches a variable that I'm setting, and I'll show you where I'm setting this, varUser.Email. And because of this condition it only shows me the records for the logged-in user. Now in Power Apps, on the App object we have the OnStart function that runs once when the user logs into the app, and right here in App.OnStart I have some configuration settings of my app, and here is that variable that I'm creating: Set the variable varUser to an object in Power Apps called User that gives me details about the logged-in user. So if you look at this variable right now, it has three pieces of information: the full name of the logged-in user, the email and the image. I'm grabbing the email address of the logged-in user, and that's how I'm filtering my data on my home page.

Now my next requirement is I also have an admin screen that I have created, and basically this admin screen shows me all the travel request information irrespective of the logged-in user, and as you can see right here, I can even see the data that the user James submitted. Firstly, how is this gallery showcasing all the data? Well, in this case I've just not applied that filter for Created By dot Email; I'm not filtering the data by the logged-in user, and that's why I'm able to see all the data. Of course, from a security standpoint, from a permission standpoint, the logged-in user has to have access to all the data in the backend SharePoint list. If the user does not have access to that backend SharePoint list, the user will never see that information right here. So in this case I've granted all the users Contribute access to my SharePoint list. But how do I ensure that the access to this screen is only available for users who are admins? That is this button right here that says Admin Screen, or in my case I also have a left-hand navigation menu component; this link right here for Admin I would like to restrict based on the logged-in user's role, so not every user sees that, only special users who have a specific role can have that access. So let's see how we can go about doing that.

Option number one, which is a very common use case: in my app I've gone ahead and connected another SharePoint list called Travel Request Admins, and basically all I have done here is I have a list created, and in this list I have a column of type Person, and right here I'm defining who the admins of the system are. Okay, so it's just a plain, simple SharePoint list. I can just go in here and say yep, I want to add another user; maybe I want to add Sarah. So let me go ahead and add Sarah right here and click Save, and just like that Sarah has been added to this list. And now I would like to leverage all the usernames who are available in this list, and if they are there, then they should be able to see that admin button. On the App.OnStart right here I will go ahead and set a variable, and I'm going to call this variable IsUserAdmin, okay, SP list technique, so I'm just going to say IsUserAdminSharePointList; that's just the name of my variable. First thing, to query my SharePoint list I'll use a function called LookUp. So go ahead and look up that SharePoint list. Which list? The Travel Request Admins list which I have connected in my app, where I have that Admin person-type column, so Admin.Email is equal to varUser... what is varUser? It's the current logged-in user's information, a variable that I've stored right here in the OnStart itself, so varUser.Email. And LookUp is going to basically go query that list and check to see if there's one record available matching this criteria. Now if there is data available it's going to return me that record, but I want to set this variable and I want to set it to a Boolean value. So what I will do is this: I will check to see if this is not blank, which means I'm getting a response from this query that I'm firing right here, and that's it. I will go ahead and format the formula so we can see it in a well-formatted manner. Here is my function again: I'm just checking to see if the logged-in user belongs to that SharePoint list or not. Now because I'm in the edit mode of the app, I'll just go and right-click here and Run OnStart. So this function runs, and if I just look at this variable now it's returning true, and that is correct, because if I look at my list my name, which is Reza, is a part of that list. Now I can leverage this variable and show and hide things in my app. So for example, the Admin Screen button: I'll head over to the Visible property of this button and change this to this variable. So if the variable is true, the user has access, the user is an admin, they will see this. In my case I also have a left navigation component which I am setting right here on the fly when the screen loads. So for the admin screen, what I will do is I will remove my link and I will only add it based upon the user being an admin or not. So if the user is part of the list, in that case go ahead and collect this record in my menu, and once I'm done with this just format this text, and once again I'll go and run App.OnStart. Now if I preview the app, Reza is a part of that SharePoint list, or is an admin, so Reza is going to see these links. Now let's go ahead and remove Reza from this list; so I'm going ahead and removing and revoking my access from this list. Now if I go back right here and if I just run the App.OnStart once again, this time if I preview the app notice I don't see that button, I don't see the menu icon, so I cannot even navigate to that page. So that's role-based: I'm not a part of the admins list, so I cannot access the admin screen. And let me go ahead and save and publish this app. And now only Sarah is a part of the list, so let's try and log in as Sarah. So Sarah is logging into the app; because Sarah is an admin, Sarah sees the links to access the admin screen right here, and if Sarah goes here Sarah is going to see all the data of all the users.

Now my next use case is how do I check to see if the user is a part of that Azure AD security group? Because in my case it's a SharePoint team site, so the security goes in the M365 group, and that information is stored in Azure AD. So right here, as part of the group, I have two pieces of information: whether you are a member of the group or whether you are an owner of the group. So for that, the first thing we need is to connect to a connector called Office 365 Groups. I've already gone ahead and connected that in my app. I'm going to set a variable once again on the App.OnStart: IsUserMemberOfM365Group. Once again I need the current logged-in user's email, so I'll use my variable that I created: varUser.Email is in... I'm going to use the Office 365 Groups connector; there's a function called ListGroupMembers. So I'm going to just use this, and here I need to enter the group ID. Okay, so I need to enter the group ID. Now where do I get that group ID from? Well, if you go to Azure AD and if you look at your group, the group has something called the Object ID. So I'm just going to copy this, head back to my app and just paste that Object ID right here, which is nothing but my group ID. Now once I get the group members, I'm going to do .value.mail, because I'm comparing it with the mail. Once I'm done with this, go ahead and format my text, and this time we'll run the App.OnStart, and once App.OnStart runs we should see the response right here, and in this case I'm getting true, purely because my user, which is Reza, is a member of the group. So that's how easy it is to check to see if the user is a member of an Office 365 or a Microsoft 365 group or not. You can even check to see if the user is the owner of the group; there's something known as ListOwnedGroups, so you can see if the user is part of the owners of that Microsoft 365 group as well, but for that you will need to use the Office 365 Groups connector.

How do I check to see if the user is a part of a SharePoint group or not? Let's also add another case here. If I head over to Groups in Azure AD, I search for a group that I created called Travel Request Approvers. This is just a simple security group that I created in Azure AD, a pretty common use case. Now in Power Apps there is a connector for Azure AD, and if you connect to this there is an option where you can provide the ID of your group in Azure AD, in this case my security group, and I can check to see the members of that group. But if I do that, when a user logs into Power Apps they would have to authenticate to this connector, and for that the admin has to grant additional privileges in Azure AD, and trust me, very few admins are going to do that. So I don't want to use the Azure AD connector, but I would like to check to see if the user is part of a security group or the user is part of a plain, simple SharePoint group. In my case here I created a very simple SharePoint group called Travel Request Admins, and as part of this SharePoint group I only have Reza added. So how do I check a SharePoint group membership? There's no function to do that in Power Apps, but there is a trick way of achieving that, and for that what you will need is an extra list. In my case here I just created a very simple SharePoint list called Security List, and as part of this list I've just gone and added a couple of items called Admins and Managers. Okay, I've just added two records here; I have two SharePoint groups that I am interested in checking the security of. So for every SharePoint group for which you want to check the security, ensure that you have an item created right here in this SharePoint list. Now here's the trick: for my Admins list item, right here there's an option called Share. So I'll go to Share, go to the three ellipses on top and go to Manage access; right here at the bottom there's a very small link called Advanced. If I select that, this will take me to the advanced settings. Now this is the default security that gets applied to the list item that was created, because these are all the SharePoint groups at the site level. Now what I want to do in this case is only grant the Admins group access to this list item. So for that I will go ahead and stop inheriting the permissions and revoke all the permissions except for my Admins group; so I'll remove permissions for all the other groups, and that's it. The only group that has access to this record is the Travel Request Admins group. And now I'll do the same thing for the Managers SharePoint group as well. I have this list item right here; I will go ahead and go to Manage access, go to Advanced, stop inheriting the permissions, select all the items. I only want the Managers permission to apply; that's my SharePoint group. I will remove all the other permissions, and just like that, now I have granted the Travel Request Managers SharePoint group access to this record. So this is true security in SharePoint that I have implemented, and remember, Power Apps will respect the security of your SharePoint list.

Now if I head over to Power Apps, here's the formula: I use a variable called, Set, IsUserInSharePointGroup, and in my case I'm checking the Admin SharePoint group, so IsUserInSharePointGroupAdmin; that's just the name of my variable. For this I'll go ahead and look up that SharePoint list which I have already connected right here, my Security List. So I'm going to query my Security List where the Title is equal to Admins, and this Title is what I've specified right here. When I perform a LookUp query against this, I can again check to see if I do receive a response or not. So I'm going to check to see if this is not blank, and if it is not blank that means the user is a part of the group; otherwise the user is not. But there is a record, so how is it going to return a blank in case the user does not have access? Well, if the user does not have access they won't even see that record in SharePoint, because we changed the security of that item, and that's how you can check to see if the user is a part of a SharePoint group or not. Now if I go ahead and just run the OnStart function again, it should return a true because Reza is a member of that SharePoint group. And now I will go ahead and add this logic to the left-hand navigation menu, and I will use that same variable to set the visibility of the Admin Screen button right here. Now let me go ahead and save and publish this app. So here I am logged in as Sarah, who is not a part of that SharePoint group, so Sarah does not see those options. And if I go back to that Travel Request Admins list and add Sarah to the SharePoint group, now if Sarah logs in, this time Sarah will get the option for accessing the admin screen.

Now what about security groups? Well, the beauty of SharePoint groups is that you can add a security group to a SharePoint group. So guess what, I have a security group right here called Travel Request Approvers, and as part of this group I have a couple of members right there: Sarah and James. If James logs into the app, James is not going to see that admin link, purely because James is not a part of that SharePoint group. Now if I go back to my SharePoint group, I can even add that security group right here, which is my Travel Request Approvers; that's the name of my security group in Azure AD. Now if I go ahead and share this, as part of this group I have Sarah and James. Now guess what's going to happen when James logs in, because James is a member of that security group? If I just refresh my screen now, check this out: it is providing James the option now to access the admin screen. So right here James can see all the data, and this is now being driven from the security group in Azure AD. Extremely powerful. And of course if I need to check more SharePoint groups, well, I just keep adding more items here and breaking permissions. So if I want to check for managers, all I have to do now is go back to my app, and right here, instead of getting the value for Admins, I can just change this to Managers, and just like that I can check to see if the user is a part of my Travel Request Managers SharePoint group or not. If you enjoyed this video then do like, comment and subscribe to my YouTube channel, and thank you so much for watching.
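The four role checks the video walks through, collected into one App.OnStart block as an added example (this editor's reconstruction, not code taken from the video or from Reza Dorrani's app). The list and column names ('Travel Requests', 'Travel Request Admins' with its Admin person column, 'Security List' with Title values Admins and Managers) follow the demo; the variable names (varUser, varIsUserAdminSPList and so on), the group-ID placeholder, and the assumption that Office365Groups.ListOwnedGroups() returns a .value table with an id column are assumptions. Formulas use ; as the statement separator, which is the en-US authoring locale.

```powerfx
// App.OnStart (added example; variable names and the group ID are assumptions)

// Identity of the signed-in user. Every connector call below runs under this
// user's own credentials: Power Apps cannot impersonate another account.
Set(varUser, User());

// 1) Role held in a SharePoint list with a Person column named Admin.
//    True when some row of 'Travel Request Admins' belongs to the signed-in user.
Set(
    varIsUserAdminSPList,
    !IsBlank(LookUp('Travel Request Admins', Admin.Email = varUser.Email))
);

// 2) Membership of a Microsoft 365 group through the Office 365 Groups connector.
//    varM365GroupId is the group's Object ID copied from Azure AD (placeholder value).
//    'in' is case-insensitive, so mixed-case mail values still match.
Set(varM365GroupId, "00000000-0000-0000-0000-000000000000");
Set(
    varIsUserMemberOfM365Group,
    varUser.Email in Office365Groups.ListGroupMembers(varM365GroupId).value.mail
);

// 3) Ownership of that group. ListOwnedGroups returns the groups the signed-in
//    user owns; the .value.id shape is an assumption, check it in the formula bar.
Set(
    varIsUserOwnerOfM365Group,
    varM365GroupId in Office365Groups.ListOwnedGroups().value.id
);

// 4) SharePoint group membership via the "security list" trick from the video:
//    each item in 'Security List' has unique permissions granted only to one
//    SharePoint group, so LookUp returns Blank() for anyone outside that group.
//    Nesting an Azure AD security group inside the SharePoint group extends the
//    same check to security groups without needing the Azure AD connector.
Set(
    varIsUserInSPGroupAdmin,
    !IsBlank(LookUp('Security List', Title = "Admins"))
);
Set(
    varIsUserInSPGroupManager,
    !IsBlank(LookUp('Security List', Title = "Managers"))
);

// Home screen gallery, Items property: only the signed-in user's own requests.
//   Filter('Travel Requests', 'Created By'.Email = varUser.Email)

// Admin Screen button, Visible property (pick whichever check the app relies on):
//   varIsUserInSPGroupAdmin
```

Two caveats a practitioner should keep in mind. The Visible toggles only hide navigation; as the video stresses, anyone who can reach the 'Travel Requests' list with Contribute access can still read every row through another app or the SharePoint UI, so the data itself must be protected with SharePoint permissions. And the M365 check compares User().Email with the group members' mail attribute; in tenants where a user's sign-in name and mailbox address differ, or where a group is large enough that the connector returns members in pages, verify that the comparison still produces the expected result before relying on it.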
Info
Channel: Reza Dorrani
Views: 24,212
Rating: 4.9647889 out of 5
Keywords: powerapps role based security, powerapps role based access control, powerapps user roles, powerapps user access control, powerapps role based security using sharepoint group, role based security in powerapps, implementing role based security in your powerapps app, powerapps show button if user, office 365 groups powerapps, security groups powerapps, canvas app user access, powerapps hide button based on user group, powerapps hide fields based on permission, power apps, powerapps
Id: J-hMMXrKMVE
Length: 23min 53sec (1433 seconds)
Published: Thu Feb 25 2021