In my web form I have a lookup field for Accounts.
My entity structure looks like below. Under a Parent Account we have many accounts. I am logged into portal as a Contact (marked in red) of Company A, in the web form account lookup I should be able to see only Company A, Company B and Company C (immediate company and the child companies under the grand parent) and not any other companies under a different grand parent companies)
Can I know if it is possible to control this with entity permission please?
Solved! Go to Solution.
I'm sorry about that, I was creating my Account records from the children up, and this caused an auto-fill of the Managing Partner field incorrectly that I wasn't seeing since it wasn't on my form. That's on me 😶. This meant that, technically, it was saying Company A's Parent Account was Grandparent Company, and Grandparent Company's Managing Partner was Company A - which is why my permissions worked, since my Contact was associated to Company A.
After trying several things, I think I've remembered something I've seemed to have forgotten as I don't implement Portals anymore (and can't find any documentation to support): you can't apply permissions from the many to the one, only the reverse, when working in self-referential (Account:Account) relationships.
This means that you will need to associate your Contact at the "Parent Company" level in your diagram. If you need to keep your same model as well, you could consider creating a new lookup from Contact to Account (perhaps "Permissions Account/Company") creating a workflow/plugin/power automate/etc. that sets this value to the parent of the Intro Account each time Intro Account is changed. Then EP#1 would point to this new relationship, and EP#2 would utilize the account_parent_account relationship to apply permissions to all child companies (A, B, C).
Even better, if you're not using the field now, you could use the process method to set the "Account Name" (parentcustomerid) field on the Contact to be the Parent Account of the Intro Account, and now you can use the Account Scope.
Yes. It depends on exactly what you need to do but, the scopes that are most relevant for what you describe are Account and Parental see the scope definitions https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/assign-entity-permissions#global-...
(what you can't do with permissions is say 'only for account type = xxxx' if you needed that you would have to build your own web template)
I have progressed through using the filter code mentioned in your blog https://oliverrodrigues365.com/2021/01/24/power-apps-portals-custom-lookup-filter/. So when I do the account lookup, I am checking 'new_parentaccountid' (custom field that I have stored in account record which has the parentaccountid of the account) with the contact's company's parent account.
Only issue I am facing is, after tr.remove() happens it filter the accounts I need (currently only account will show up) but it still shows the page numbers and when a page is clicked blank screen appears. Can I know how did it not happen when you did in your blog please?
My code is as below.
@arjunmusuvathy, that's going to be a limitation of the method that @OliverRodrigues utilizes - it's deleting HTML elements from the grid, but it doesn't block them from the return. If your results come in pages of 10, one page might show 3 total, and the next 9, and the next 0, and the next 1, etc.
In order to filter the actual result set, you'd have to have a fully custom lookup implementation.
Based on your initial post, it doesn't sound like you even need that. I know you say the circled contact should only see results for Company A, but if you're only filtering the results, then they could still technically access Company B and C's data just by opening up their dev console. If that's a risk, and your actual requirement is to restrict all data for the Contact to only their immediate Parent and Parent's Parent, then you should be utilizing Entity Permissions. Note that it would work much better if you used the built-in account field, in order to reduce the number of link-entities being injected into your queries - see my blog post for a little more information on that.
Note I'm making some assumptions on the schemas you used based on the code snippet:
I hope this helps,
Thanks for your reply.
Just to highlight here: When the logged in contact (circled in the screenshot in above diagram) tries to lookup the Account lookup field in web form, contact should be able to see Company A (its immediate parent), Company B, Company C and Company D (child accounts of it's grand parent).
I am trying out your suggestions for the entity permissions, I have marked my comments.
Please advise me.
Because you need to see all of the sibling accounts, you'll need a total of 3 Entity Permissions, but you're going to have a lot of link-entities in the background. This is also going to complicate if you need to give any further permissions - for example, if you're going to to need to say "For any Account a user can access, the user should also be able to view that Account's Notes", you'll have to also have 2 or 3 Entity Permissions just for Notes from Account - one for each Account Permission.
We might be able to simplify this a little, though - try the following:
With this setup, you will have (from the first screenshot's perspective) an Entity Permission (#1) that links to Company A via the Account field, which links to Parent Company (#2) via the "Parent Account" relationship, which links to all child Companies (#3) via the "Parent Account" relationship, which includes the user's parent company. This way your injected permissions don't have to say "Company A OR Company A, Company B, Company C", it'll just say "Company A, Company B, Company C".
Let me know if this doesn't work, I'll spin up a trial this weekend.
Many thanks for the detailed suggestion.
I have setup my entity permissions below as per your advise.
Entity Permission 1:
Entity Permission 2:
Entity Permission 3:
Parent EP: EP #2
Unfortunately when I do the lookup it only shows only one company which is the direct company and not other child companies of the grand parent.
Could you advise if I am missing anything please?
Your second entity permission should be of scope "Parent", pointing to your first (Scope: Contact) entity permission. The way you've set it up, your permissions are saying:
Going back to my earlier post, the Account scope only uses the "Parent Customer" field and not any custom Contact-Account relationships. If your entity model was using this field, then you could use this scope and eliminate some hassle. It should be:
The only thing I'm unsure of is whether #3 wouldn't need a different relationship (can't remember a time when choosing a relationship meant it worked both parent->child and child->parent), but since you don't have any other options it seems like it should unless the MSA_account_ManagingPartner is the reverse relationship.
@justinburch Thanks that's awesome that it is working for you. I have still not got it working!
I have setup as below.
Accounts that I should be seeing in portal lookup:
Lookup in portal:
Still shows only the direct company A.
Can I know did you do any other customisation/setup please? And with Managing partner relationship, did you update the field in dataverse?
Join us in Las Vegas to experience community, incredible learning opportunities, and connections that will help grow skills, know-how, and more.
Register today for two amazing days of learning, featuring intensive learning sessions across multiple tracks, led by engaging and dynamic experts.
The European SharePoint Conference returns live and in-person November 28-December 1 with 4 Microsoft Keynotes, 9 Tutorials, and 120 Sessions.