aec2018
Microsoft

Conditional rendering based on the user?

Hey all! I'm starting to build a canvas app that will have users in various roles. Most users will be reading data but some users will also need to create/update/delete data. So ideally, some users will see edit/delete buttons on a table row while others will not based on their roles/access levels. What's the best way to go about this? 

7 REPLIES 7
coyote_ptm
Frequent Visitor

We use it a lot for the few applications we have.

 

Set up a SharePoint list with email addresses and roles to make it easier to change the users on the fly.

For example - if you only had a normal and superuser you could create a list with just superusers' emails - or if you wanted more roles you could use the list like so:

jdough@yoururl.com   SUPERUSER

dsample@yoururl.com  EDITUSER

In Power Apps on start we look up the superuser and set a variable:

 

 

Set(
    // Global Variable
    varIsSuperUser,
    If(
        // do the lookup - IsBlankOrError to side on False
        IsBlankOrError(
            LookUp(
                admin_user,
                Lower(email_addr) = Lower(User().Email)
            ).email_addr
        ),
        false,
        true
    )
);

 

 

 

 

In one example there is an edit button; changing the "Visible" attribute to varIsSuperUser will make it visible for superusers and not for others. Wherever we need differing content or actions, we use that variable.

 

bkk
Helper I

I have done a very similar application. We use a SharePoint list where we use item-level security to determine which roles/area the user belongs to. As a simple example that can be tested, consider a SharePoint list with just a Title column and add two rows, one "Admin users" and one "Non-Admin Users". Set up item-level security by creating SP groups. On App Start of your canvas app, when you get data from this list, it will only get those rows that the user has access to. This way you can determine which group/role they belong to.

 

rahulswimmer
Helper II

@aec2018  I have implemented what you are looking for in the following manner (this was done for an enterprise solution):

The solution revolves around two roles

1. Approver - can approve records sent by reviewer, but can't edit or delete them. So basically just approve.

2. Reviewer - Edit and delete records but can't approve

 

So I had many screens shared by these two roles where I had to include RBAC.

 

  1. Create two Azure Active Directory (security groups) groups. One for Reviewer and one for Approver. Include members in each group accordingly.
  2. Create a Power Automate flow and use the Azure Active Directory task to fetch the group and members details. This can also be done using the Microsoft Graph API (I chose the Graph way).
  3. Now I have 2 JSONs (one has members info in the Reviewer group and the other has Approver details).
  4. Get the email of the logged-in user from the Power App into the flow and check if this email is present in either group. If Reviewer returns an object (user is Reviewer), else if Approver returns an object then the user is Approver. If the user is not present in either group then he/she has no role.
  5. Return this role of the logged-in user back to the Power App.
  6. Based on this value, use conditional rendering on either the DisplayMode or Visible property.

I'll just upload a snapshot of the flow I created. It's a gem 😛

You can also use the Azure Active Directory task directly. But since I am not allowed to add any connections, I chose the API way.

Now instead of these Azure groups, a SharePoint list works well too. It just so happens we have an Azure subscription, so why not leverage the Azure power.

 

If anyone wants to understand in more depth, do share your queries here.

Happy to help!

Cheers!

Hmm. This looks doable. We currently have 9 SGs so we'd have to create 9 lists. Is there a perf issue with this? Also, in your function, how are the SharePoint lists being pulled in to do the lookup on? Also, do these SharePoint lists have to be manually updated as users come and go or can they be dynamically set based on our AAD Security Groups?

Carlosr
Microsoft

Here is an alternate approach.  If you are able to use the AzureAD connector:
Set(IsAdmin, !IsEmpty(AzureAD.CheckMemberGroupsV2(User().Email, [groupid]).value));

 

You can run this in appstart for each of your security groups, and you will have a variable set to true if the current user is a member of the group.  This will improve overall performance since the application performs the security check once at application start.

We have 9 SGs for this app. Would I run this potentially 9 times on appstart? I'm guessing instead of setting IsAdmin to a boolean, I can just extract what SG the user is in and set that to a variable. This seems like the simplest solution so far and would help with not having to manually update separate lists.

Carlosr
Microsoft

Yes, you can store the results however you'd like. Typically, a user can be a member of more than one group, which is why I did it that way, but if you want to identify a particular application role by a distinct membership, you can create one variable and store the result. You can also check multiple groups in one shot, which is why the groupid is in an array.

Set(IsAdmin, !IsEmpty(AzureAD.CheckMemberGroupsV2(User().Email, [group1, group2, group3]).value));

 

You could also do this:

Set(MembershipTable, AzureAD.CheckMemberGroupsV2(User().Email, [Group1, Group2]).value);

The result is a table with a list of groupids that the current user is a member of, or Empty if they are not a member of any.
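
The single-call approach from the answer above, carried through to several roles, as an added example that is not part of the original thread. The group IDs are constructed placeholders, the variable and control names (gidAdmin, varIsReviewer, EditButton and so on) are assumptions, and it assumes the connector result can be tested with the in operator as a single-column table.

```powerfx
// App.OnStart (added example). The three IDs are constructed placeholders;
// replace them with the object IDs of your own security groups.
Set(gidAdmin,    "00000000-0000-0000-0000-000000000001");
Set(gidReviewer, "00000000-0000-0000-0000-000000000002");
Set(gidApprover, "00000000-0000-0000-0000-000000000003");

// One connector call covers every group; the result lists only the IDs
// of the groups the signed-in user actually belongs to.
Set(
    MembershipTable,
    AzureAD.CheckMemberGroupsV2(
        User().Email,
        [gidAdmin, gidReviewer, gidApprover]
    ).value
);

// Derive one flag per role. IfError makes a failed lookup resolve to false,
// so a connector error never shows edit controls by accident.
Set(varIsAdmin,    IfError(gidAdmin    in MembershipTable, false));
Set(varIsReviewer, IfError(gidReviewer in MembershipTable, false));
Set(varIsApprover, IfError(gidApprover in MembershipTable, false));

// Control properties then reference the flags (hypothetical control names):
//   EditButton.Visible        = varIsAdmin || varIsReviewer
//   DeleteButton.Visible      = varIsAdmin
//   ApproveButton.DisplayMode = If(varIsApprover, DisplayMode.Edit, DisplayMode.Disabled)
```

These flags only control what the app renders. The data source's own permissions (for example SharePoint list or item-level permissions) still have to restrict who can write, because a hidden button does not remove the user's access to the underlying data.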
