Row-Level Security in Power Pages

In the digital world, where data is as precious as a cat’s affection, securing information at every level is crucial. Just like a watchful pet guarding the yard, row-level security in Power Pages ensures that only the right eyes land on your precious data.

In this blog post, you will “paw” over the details of implementing row-level security in lists, making sure your data stays as safe as a kitten in a yarn basket. And of course, you can make this a smart and easily configurable way for all your solutions!

So, what does row-level security mean?

There are many scenarios to consider, and the variety of solutions depend on the specifics. Here are some considerations to nail down the scenario needs:

• Do you want to control the WHOM (user access specific),

• The WHAT (record/ row specific) or

• The WHERE (area/ table specific)?

Depending on that, you can use various methods such as:

• Web roles and table permissions: Assign web roles to users and configure table permissions to control access to Dataverse records.

• Authenticated users and page permissions: Assign authenticated users web roles that provide specific access to information on the site and set page permissions associated with these web roles.

• Liquid as the ultimate coding ace up your sleeve: Liquid is an open-source template language which can dynamically show or hide content. Web templates are a good starting point, and from there sky is the limit.

Is there an easier way to control specific rows?

Yes, there is a smarter way. The answer is Lists with Grid Configuration. You can control Read, Create and Write privileges with FetchXML, the icons used for each, and the forms attached to them. Let’s unpack this.

Step 1: Purr-fecting your List

Let’s start by building a list in a few easy steps.

• Go to Power Pages Management for your website

• Click on Lists and + New to create one.

• Choose a Name for your list, choose from the dropdown the Table Name your data is in, and the Website you are building for from the lookup.
  

• Once you have selected your table, you can also select the View the list should be based on. Click on + View for that. Then, in the Name dropdown, choose that view.

• Click Save & Close.

• An example of how your new list record will look like. (For context I prepared a list of training facilities for cat agility competitions. Because, why not?)
  

• Add the List component in your website. You will see it in the Or choose an existing list option.
  

Step 2: Purr-paring Your Basic Forms

In this scenario, you want users to be able to do 3 things:

• Read all rows

• Create new rows

• Update (write) only specific rows that users are allowed to control

In the Power Apps maker portal, create a form for your table called Edit and a separate one called Create. They can be the same with all columns open, but it helps to have that segregation for hygiene and maybe OCD minds. Then, create the same form but with all columns being read only. That form should be the Read one.

Tip: Keep your necessary columns in one tab, as you can only show one tab when opening a form from a Power Pages list. 

You can move to the portal set up now to create your three Basic Forms. 

• Now, in Power Pages Management, go to Basic Forms and click + New.

• Add a Name for your form. E.g. Create Form, Edit Form or Read Form.

• Choose from the Table Name dropdown the same table you referenced earlier in the list.

• Choose from the Form Name dropdown the same table you referenced earlier in the list.

• Choose from the Tab Name dropdown which tab to show.

• Choose from the Mode dropdown. For the Edit form, you need to choose Edit. For the Read form, use ReadOnly, and for the Create form, use Insert Mode.

• A note for Edit and ReadOnly Basic Forms. You will also be asked to fill in the Record Source Type. Choose Query String from the dropdown, and in the Record ID Parameter Name add Id.

• Finally, choose the Website from the lookup.

• Click Save & Close.

Here is an example of the completed Basic Form for the Edit functionality.

Step 3: Purr-snickety Filters

The final step is associating the three Basic Forms with the original List you built.

• In Power Pages Management, open the List and go to the Options tab.

• Let’s start with the Create new records button. Click on + Create next to View Actions.

• Choose in the Basic Form dropdown the name of the form you created earlier in the maker portal.

• In the Success Message field, you can personalize with your own touch. Or you can leave the recommended one as is.

• In the Button Label, add name for your icon to create new records.  E.g., for this example, New training facility.

• If needed, you can add the Button Tooltip just like you would do in a Model-Driven App for a column. You can leave the Filter Criteria for now as we are not adding any permissions here. Please note both of these only appear if you click on Advanced settings at the top right of the Grid Configuration section.

• Now, onto the Read permission. Click on + Details next to Item Actions.

• Choose in the Basic Form dropdown the name of the form you created earlier in the maker portal.

• Leave the Record ID Query String Parameter Name as is.

• Update the Success Message if you want to.

• In the Button Label, add name for your icon to create new records.  E.g., for this example, Review.

• Update the Button Tooltip if you want to.

• Again, we are not limiting which records are read so no need to worry about Filter Criteria here.

• The fun part of the permissions starts with who we are allowing to edit records. In this case, and as an example, we only want to allow records with the word Alliance to be edited. Let’s start by clicking on + Edit in the Item Actions section.

• Choose your Basic Form, Success Message, Button Label and Button Tooltip as explained above.

• In the Filter Criteria section, we need the right FetchXML to allow the editing only of records which contain the word Alliance. Obviously, sky is the limit with what filtering you do here. It could be another column value, the record’s Status, or for authenticated users only etc.

But how do you just write this piece of FetchXML? No worries, I got a cool trick for you.

• Go to Advanced Find (we are going old-school here, it’s  purr-fect for this use case).

• Create your filter query. In this case, Look for the Training Facilities table.

• Add the filter: Name Contains Alliance.

• Click on Download FetchXML.

• Open up wherever is comfortable e.g. Visual Studio Code. Et Voila! Your FetchXML is here.

Just for reference, we got:

• Copy that and paste it back to the Filter Criteria.

• Hit Save & Close.

• Here is an example of the configuration.

Step 4: Testing your Purr-fect Setup

You are almost ready! How exciting. All you now have to do is:

• Go to your Design studio for your Power Pages website and click on Sync to ensure all config has rolled over.

• Click on Preview and launch your website.

• Here is something to what you will be able to see:

1. Your new record creation button at the top right (here called New training facility).

2. Any row record without the word Alliance e.g., Northwind Feline Support to only have the Review button. Thus, if you click on it, a read-only form opens up that you can only click away from.

• However, if you click on Birbeck Training Alliance, you will see that both Review and Edit buttons are there.

• The Review behavior is just like in the other record.

• Whereas, the Edit button will give you an editable form as promised. You just make any changes e.g., in the Contact Number and hit Submit.

Step 5: Time to Purr-lax

You did it! This is an easily configurable way to manage your lists.

Let’s summarize the steps:

• Create in the maker portal a Form for Read, Edit and Create.

• Ensure you also have your View sorted that the list should reflect.

• Create a List in Power Pages.

• Create a List component in your site.

• Create a Basic Form for each, and connect it back to the List.

• Use FetchXML in the Filter Criteria.

• Sync your work and Preview!