Security based on custom entity

Hi,

I am working on my first model-driven app and have created a data model. Now I have some issues creating the right security levels. I hope you can help me out.

What am I trying to achieve:

I want to give users access to only the records of their own organisation. These are external users (from outside my organisation) and I am planning on doing this using Business Units. Each organisation is related to a Theme. I created a custom entity to define those themes. I also have different custom tables where information is stored that my users should be able to access. This information is also related to a theme. Now I am struggling with creating the security level where my users will only see the records that have the same theme as their organisation (business unit).

Does anybody know how to achieve this? Thank you in advance!

1 ACCEPTED SOLUTION

Accepted Solutions
EricRegnier
Super User

Hi @jvdlbom, sorry for my late reply.
I think I understand what you are trying to do and it is achievable OOB; you might need to re-create some tables unfortunately. First, you shouldn't create a custom User table; use the OOB one, and the same goes for Business Units (see tips #5 and #7 https://powerusers.microsoft.com/t5/Power-Apps-Community-Blog/Top-15-best-practices-when-configuring...). Ensure your Transaction and Base tables are created as user-owned (see tip #6 in the link above); this will ensure you can get the security level to only users within the BU.
Then to ensure the users only see the records related to their BUs, follow these steps:

  1. Set the privileges of the security roles assigned to the user to business unit level.
  2. Make sure the Transaction, Theme and Base table records are assigned to the right user (or team) in the correct BU. Note: if the same Theme can be used across different BUs, then you'll need to create one per BU.

 Hope this helps a little more!

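To make the two steps in the accepted answer concrete, here is a small Python model of how Dataverse evaluates the Read privilege depth (User, Business Unit, Parent: Child BU, Organization) against record ownership. It is an added illustration written for this thread, not Microsoft code and not a call to the Dataverse API; the business units, users and records are constructed, and it also shows why a Theme/Base record shared across BUs needs one copy per BU when the role is set to business-unit depth.

```python
from dataclasses import dataclass

# Read-privilege depths as they appear in the security role editor.
USER, BU, PARENT_CHILD, ORG = "User", "Business Unit", "Parent: Child BU", "Organization"

@dataclass(frozen=True)
class User:
    name: str
    bu: str          # business unit the user belongs to
    read_depth: str  # depth of the Read privilege on the table

@dataclass(frozen=True)
class Record:
    name: str
    owner: str       # owning user (user-owned table)
    owning_bu: str   # BU of the owner; Dataverse derives this from the owner
    theme: str

# Constructed BU hierarchy: child -> parent, root has no parent.
BU_PARENT = {"Root": None, "Org A": "Root", "Org B": "Root"}

def descendants(bu: str) -> set[str]:
    """The BU itself plus every BU below it in the hierarchy."""
    out = {bu}
    while True:
        more = {c for c, p in BU_PARENT.items() if p in out} - out
        if not more:
            return out
        out |= more

def can_read(user: User, rec: Record) -> bool:
    """Access-depth check: deeper privilege levels widen what is visible."""
    if user.read_depth == ORG:
        return True
    if user.read_depth == PARENT_CHILD:
        return rec.owning_bu in descendants(user.bu)
    if user.read_depth == BU:
        return rec.owning_bu == user.bu
    return rec.owner == user.name  # USER depth: only records you own

def visible(user: User, records: list[Record]) -> list[str]:
    return [r.name for r in records if can_read(user, r)]

# Constructed data: two organisations on the same theme, one copy of the
# base to-do per BU, as the accepted answer recommends.
RECORDS = [
    Record("Transaction A1", "alice", "Org A", "Health"),
    Record("Transaction B1", "bob", "Org B", "Health"),
    Record("Base todo (Org A copy)", "alice", "Org A", "Health"),
    Record("Base todo (Org B copy)", "bob", "Org B", "Health"),
]
ALICE = User("alice", "Org A", BU)
BOB = User("bob", "Org B", BU)
ROOT_ADMIN = User("admin", "Root", PARENT_CHILD)
```

Running `visible(BOB, RECORDS)` returns only Org B's transaction and Org B's copy of the base to-do; if the base to-do existed only as the Org A record, Bob would see no base data at all, which is the "one Theme per BU" point from the answer.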
joe_hannes_col
Super User

Hello @jvdlbom

 

As you probably know, you can define the ownership of a record as either user/team or organization.

Then, when you create or modify a security role, you can define which records a user with this role has access to: https://docs.microsoft.com/en-us/power-platform/admin/wp-security-cds

If you align the privileges for your tables and the ownership of related records, users with the same role should only see related records.

So setting the owner of your records would be key.

 

If you want to automate this process, you could use:

Hello @joe_hannes_col ,

 

Thanks a lot for your response. I am quite new to model-driven apps, so I think that is why I am struggling a bit. Your answer does help me, but I have a follow-up question:

 

The themes I mentioned are predefined; you can see them as the branch an organisation operates in. Multiple organisations can be related to a theme. Is it possible to give multiple owning business units to a record? If not, is there any other way to filter the views based on one custom entity that is related to the business unit?

 

I hope this clarifies my question, and thanks again for your help. It is much appreciated.

joe_hannes_col
Super User

Hello @jvdlbom,

 

You can define a hierarchy of business units. You can then specify if parent business units can access child business units' records. Here's some more information: https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/security-dev/h...

Adding multiple business units as owners is not supported as far as I know. As an alternative to business units, you could consider using access teams: https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/use-access-tea...

 

To view related records, you could insert a subgrid of related records into your form in the model driven app. For example, you could add a subgrid pointing to the custom table into your Theme form. This would display only related records. However, your users would only see related records that they are allowed to see based on their security role.

To define the columns displayed in the subgrid, you can modify the view of the custom table: https://docs.microsoft.com/en-us/powerapps/developer/model-driven-apps/customize-entity-views#types-...

 

EricRegnier
Super User

Hi @jvdlbom,

As @joe_hannes_col alluded to, granular and segregated security is supported with the out-of-the-box (OOB) security model. You might not need to define a custom entity for theme/business unit, as there is a business unit security entity/table that comes OOB. You mentioned that your users are external; are they O365 users with a proper license? If not, these users won't be able to use/interact with your model-driven app without a proper license. Would you be able to elaborate on these users and how they would authenticate and use the app?

Thanks

jvdlbom
Frequent Visitor

Hi @joe_hannes_col and @EricRegnier ,

Thanks a lot for your responses. I am looking at your information and I am still trying to figure out the way to go. I tried to clarify the situation below:

I have a few tables. In the Business Unit table I store the different organisations that are using the system. A user is stored in the User table and should only be able to access data from his own BU. Also, a Business Unit is related to a theme. In the Base data table I store information that the organisation uses to create the transactions. For example: in the Base data table I store to-dos that every BU related to a specific theme should finish. I use the Transaction table to store the information regarding the to-do for a specific business unit (is it started, in progress or finished).

 

The thing I am trying to develop is a security model that allows a user related to a business unit to see only his own transaction records, and to see only the base data that is related to the same theme as his business unit.

 

Regarding the sharing: I am planning on creating the users as guest users in Azure AD. In Office 365 I will assign them a license. This should allow them to interact with the app: https://powerusers.microsoft.com/t5/Building-Power-Apps/Share-model-driven-app-with-guest/td-p/44235...

 

Thank you again for your help!

Thanks a lot @EricRegnier, your response and article clarify a lot!
