cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
arjunmusuvathy
Helper IV
Helper IV

Portal - Entity Permissions - Show only Parent company data

Hello

 

In my web form I have a lookup field for Accounts.

 

My entity structure looks like below. Under a Parent Account we have many accounts.  I am logged into portal as a Contact (marked in red) of Company A, in the web form account lookup I should be able to see only Company A, Company B and Company C (immediate company and the child companies under the grand parent) and not any other companies under a different grand parent companies)

 

Introducer rel.PNG

 

Can I know if it is possible to control this with entity permission  please?

 

Thanks

Vik

1 ACCEPTED SOLUTION

Accepted Solutions
justinburch
Employee
Employee

Hi @arjunmusuvathy,

I'm sorry about that, I was creating my Account records from the children up, and this caused an auto-fill of the Managing Partner field incorrectly that I wasn't seeing since it wasn't on my form. That's on me 😶. This meant that, technically, it was saying Company A's Parent Account was Grandparent Company, and Grandparent Company's Managing Partner was Company A - which is why my permissions worked, since my Contact was associated to Company A.

After trying several things, I think I've remembered something I've seemed to have forgotten as I don't implement Portals anymore (and can't find any documentation to support): you can't apply permissions from the many to the one, only the reverse, when working in self-referential (Account:Account) relationships.

This means that you will need to associate your Contact at the "Parent Company" level in your diagram. If you need to keep your same model as well, you could consider creating a new lookup from Contact to Account (perhaps "Permissions Account/Company") creating a workflow/plugin/power automate/etc. that sets this value to the parent of the Intro Account each time Intro Account is changed. Then EP#1 would point to this new relationship, and EP#2 would utilize the account_parent_account relationship to apply permissions to all child companies (A, B, C).

Even better, if you're not using the field now, you could use the process method to set the "Account Name" (parentcustomerid) field on the Contact to be the Parent Account of the Intro Account, and now you can use the Account Scope.

View solution in original post

13 REPLIES 13
Fubar
Multi Super User
Multi Super User

Yes.  It depends on exactly what you need to do but, the scopes that are most relevant for what you describe are Account and Parental see the scope definitions https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/assign-entity-permissions#global-...

(what you can't do with permissions is say 'only for account type = xxxx' if you needed that you would have to build your own web template)

arjunmusuvathy
Helper IV
Helper IV

Hi @OliverRodrigues 

 

I have progressed through using the filter code mentioned in your blog https://oliverrodrigues365.com/2021/01/24/power-apps-portals-custom-lookup-filter/. So when I do the account lookup, I am checking 'new_parentaccountid' (custom field that I have stored in account record which has the parentaccountid of the account) with the contact's company's parent account.

 

Only issue I am facing is, after tr.remove() happens it filter the accounts I need (currently only account will show up) but it still shows the page numbers and when a page is clicked blank screen appears. Can I know how did it not happen when you did in your blog please?

 

test2.PNG

 

test1.PNG

 

My code is as below.


$(document).ready(function () {
 
//get user's company
var userCompany = '{{user.parentcustomerid.id}}';
 
//get user's company's parent account
var userCompanysParentAccount = '{{user.contact_customer_accounts.parentaccountid.id}}';
 
var list = $("#new_introaccountid_lookupmodal").find(".entity-lookup").find(".entity-grid").eq(0);
list.on("loaded", function () {
 
list.find("table tbody > tr").each(function () {
var tr = $(this);
var parentAccount = $(tr).find('td[data-attribute="new_parentaccountid"]').attr("data-value");
            
if (parentAccount != userCompanysParentAccount)
{
tr.remove();
}
});
});
});

 

Thanks
Vik

 

justinburch
Employee
Employee

@arjunmusuvathy, that's going to be a limitation of the method that @OliverRodrigues utilizes - it's deleting HTML elements from the grid, but it doesn't block them from the return. If your results come in pages of 10, one page might show 3 total, and the next 9, and the next 0, and the next 1, etc.

In order to filter the actual result set, you'd have to have a fully custom lookup implementation.

 

Based on your initial post, it doesn't sound like you even need that. I know you say the circled contact should only see results for Company A, but if you're only filtering the results, then they could still technically access Company B and C's data just by opening up their dev console. If that's a risk, and your actual requirement is to restrict all data for the Contact to only their immediate Parent and Parent's Parent, then you should be utilizing Entity Permissions. Note that it would work much better if you used the built-in account field, in order to reduce the number of link-entities being injected into your queries - see my blog post for a little more information on that.

Note I'm making some assumptions on the schemas you used based on the code snippet:

  1. Scope: Contact, Entity: Account, Relationship: new_introaccountid, Permissions: (At least Read, Append, Append To - this allows users to 'see' their immediate parent, e.g. "Company A")
  2. Scope: Parent, Entity: Account, Parent Permission: (one created in step 1), Relationship: contact_customer_accounts, Permissions: (At least Read, Append, Append To - this allows users to 'see' any Company that is a Parent of the Accounts you have permission to in Step 1)

I hope this helps,

Justin

@justinburch 

 

Thanks for your reply. 

 

Just to highlight here: When the logged in contact (circled in the screenshot in above diagram) tries to lookup the Account lookup field in web form, contact should be able to see Company A (its immediate parent), Company B, Company C and Company D (child accounts of it's grand parent).

 

I am trying out your suggestions for the entity permissions, I have marked my comments.

 

  1. Scope: Contact, Entity: Account, Relationship: new_introaccountid, Permissions: (At least Read, Append, Append To - this allows users to 'see' their immediate parent, e.g. "Company A") - Entity permissions setup DONE
  2. Scope: Parent, Entity: Account, Parent Permission: (one created in step 1), Relationship: contact_customer_accounts, Permissions: (At least Read, Append, Append To - this allows users to 'see' any Company that is a Parent of the Accounts you have permission to in Step 1) - I cannot find contact_customer_accounts if Entity permission's entity = Account (shown in pic below), are you meaning to say Entity = Contact? 

forum1.PNG

 

Please advise me.

 

 

Thanks

Vik

justinburch
Employee
Employee

Hi @arjunmusuvathy,

Because you need to see all of the sibling accounts, you'll need a total of 3 Entity Permissions, but you're going to have a lot of link-entities in the background. This is also going to complicate if you need to give any further permissions - for example, if you're going to to need to say "For any Account a user can access, the user should also be able to view that Account's Notes", you'll have to also have 2 or 3 Entity Permissions just for Notes from Account - one for each Account Permission.

We might be able to simplify this a little, though - try the following:

  1. Remove the Read permission from your first Entity Permission, the one for your direct Company (Company A)
  2. You'll need to find find out which of those relationships you're using in your Parent Company -> Grandparent Company hierarchy. If it's the OOTB "Parent Account", then it's account_parent_account.
    • Once you have this: you said the contact needs Company A, B, etc.. do they also need to see their grandparent account? If not, then do not add a Read permission to this second Entity Permission
  3. Now create a third Entity Permission for the same relationship - that is, all Accounts that are a child of an Account. You'll set this up as a child of the second entity permission with Read, Append, Append To access. Entity: Account, Scope: Parent, Parent EP: #2, Parent Relationship: Child version of relationship

With this setup, you will have (from the first screenshot's perspective) an Entity Permission (#1) that links to Company A via the Account field, which links to Parent Company (#2) via the "Parent Account" relationship, which links to all child Companies (#3) via the "Parent Account" relationship, which includes the user's parent company. This way your injected permissions don't have to say "Company A OR Company A, Company B, Company C", it'll just say "Company A, Company B, Company C".

 

Let me know if this doesn't work, I'll spin up a trial this weekend.

@justinburch 

 

Many thanks for the detailed suggestion.

 

I have setup my entity permissions below as per your advise.

 

Entity Permission 1:

Entity: Account

Scope: Contact

Relationship: new_account_contact_introaccountID

EP 1.PNG

 

 

Entity Permission 2:

Entity: Account

Scope: Account

Relationship: account_parent_account

 

EP 2.PNG

 

 

Entity Permission 3:

Entity: Account

Scope: Parent

Parent EP: EP #2

Relationship: account_parent_account

 

EP 3.PNG

 

 

Unfortunately when I do the lookup it only shows only one company which is the direct company and not other child companies of the grand parent.

 

Could you advise if I am missing anything please?

 

 

Thanks

Vik

Hi @arjunmusuvathy,

Your second entity permission should be of scope "Parent", pointing to your first (Scope: Contact) entity permission. The way you've set it up, your permissions are saying:

  1. "Give me Write & Append Access, but do not give me Read Access, to Accounts in my introaccountID field"
  2. "Give me Read & Append Access, but do not give me Write Access, to any Account that is a Parent or Child of the Account in my CustomerID (OOTB Contact or Account field) field"
  3. "Give me Read & Append Access, but do not give me Write Access, to any Account that is a Parent or Child of any Account I received access to in Permission #2"

Going back to my earlier post, the Account scope only uses the "Parent Customer" field and not any custom Contact-Account relationships. If your entity model was using this field, then you could use this scope and eliminate some hassle. It should be:

  1. Contact Relationship to Account (Parent Company)
  2. Parent Relationship to Account from #1 (Grandparent Company)
  3. Parent Relationship to Account from #2 (Any of the Grandparent Company's child companies)

The only thing I'm unsure of is whether #3 wouldn't need a different relationship (can't remember a time when choosing a relationship meant it worked both parent->child and child->parent), but since you don't have any other options it seems like it should unless the MSA_account_ManagingPartner is the reverse relationship.

Edit: Removing the content here as it was incorrect and could lead to confusion.

@justinburch  Thanks that's awesome that it is working for you. I have still not got it working!

 

I have setup as below.

 

Entity Permissions:

 

Forum - Entity Permissions.PNG

 

Accounts that I should be seeing in portal lookup:

 

Child companies of Grand Parent2.PNG

Lookup in portal: 

Still shows only the direct company A.

 

Forum - Lookup.PNG

 

Can I know did you do any other customisation/setup please? And with Managing partner relationship, did you update the field in dataverse?

 

 

 

Thanks

Vik

 

 

 

 

 

 

 

 

Helpful resources

Announcements

Win free tickets to the Power Platform Conference | Summer of Solutions

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**

Celebrating the June Super User of the Month: Markus Franz

Markus Franz is a phenomenal contributor to the Power Apps Community. Super Users like Markus inspire others through their example, encouragement, and active participation.    The Why: "I do this to help others achieve what they are trying to do. As a total beginner back then without IT background I know how overwhelming things can be, so I decided to jump in and help others. I also do this to keep progressing and learning myself." Thank you, Markus Franz, for your outstanding work! Keep inspiring others and making a difference in the community! 🎉  Keep up the fantastic work! 👏👏 Markus Franz | LinkedIn  Power Apps: mmbr1606  

Copilot Cookbook Challenge | Win Tickets to the Power Platform Conference

We are excited to announce the "The Copilot Cookbook Community Challenge is a great way to showcase your creativity and connect with others. Plus, you could win tickets to the Power Platform Community Conference in Las Vegas in September 2024 as an amazing bonus.   Two ways to enter: 1. Copilot Studio Cookbook Gallery:  https://aka.ms/CS_Copilot_Cookbook_Challenge 2. Power Apps Copilot Cookbook Gallery: https://aka.ms/PA_Copilot_Cookbook_Challenge   There will be 5 chances to qualify for the final drawing: Early Bird Entries: March 1 - June 2Week 1: June 3 - June 9Week 2: June 10 - June 16Week 3: June 17 - June 23Week 4: June 24 - June 30     At the end of each week, we will draw 5 random names from every user who has posted a qualifying Copilot Studio template, sample or demo in the Copilot Studio Cookbook or a qualifying Power Apps Copilot sample or demo in the Power Apps Copilot Cookbook. Users who are not drawn in a given week will be added to the pool for the next week. Users can qualify more than once, but no more than once per week. Four winners will be drawn at random from the total qualifying entrants. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once. If they are drawn multiple times, another user will be drawn at random. Prizes:  One Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value, does not include travel, lodging, or any other expenses) Winners are also eligible to do a 10-minute presentation of their demo or solution in a community solutions showcase at the event. To qualify for the drawing, templates, samples or demos must be related to Copilot Studio or a Copilot feature of Power Apps, Power Automate, or Power Pages, and must demonstrate or solve a complete unique and useful business or technical problem. Power Automate and Power Pagers posts should be added to the Power Apps Cookbook. Final determination of qualifying entries is at the sole discretion of Microsoft. Weekly updates and the Final random winners will be posted in the News & Announcements section in the communities on July 29th, 2024. Did you submit entries early?  Early Bird Entries March 1 - June 2:  If you posted something in the "early bird" time frame complete this form: https://aka.ms/Copilot_Challenge_EarlyBirds if you would like to be entered in the challenge.   Week 1 Results:  Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Copilot Cookbook Gallery:Power Apps Cookbook Gallery:1.  @Mathieu_Paris 1.   @SpongYe 2.  @Dhanush 2.   @Deenuji 3.  n/a3.   @Nived_Nambiar  4.  n/a4.   @ManishSolanki 5.  n/a5.    n/a

Your Moment to Shine: 2024 PPCC’s Got Power Awards Show

For the third year, we invite you, our talented community members, to participate in the grand 2024 Power Platform Community Conference's Got Power Awards. This event is your opportunity to showcase solutions that make a significant business impact, highlight extensive use of Power Platform products, demonstrate good governance, or tell an inspirational story. Share your success stories, inspire your peers, and show off some hidden talents.  This is your time to shine and bring your creations into the spotlight!  Make your mark, inspire others and leave a lasting impression. Sign up today for a chance to showcase your solution and win the coveted 2024 PPCC’s Got Power Award. This year we have three categories for you to participate in: Technical Solution Demo, Storytelling, and Hidden Talent.        The Technical solution demo category showcases your applications, automated workflows, copilot agentic experiences, web pages, AI capabilities, dashboards, and/or more. We want to see your most impactful Power Platform solutions!  The Storytelling category is where you can share your inspiring story, and the Hidden Talent category is where your talents (such as singing, dancing, jump roping, etc.) can shine! Submission Details:  Fill out the submission form https://aka.ms/PPCCGotPowerSignup by July 12th with details and a 2–5-minute video showcasing your Solution impact. (Please let us know you're coming to PPCC, too!)After review by a panel of Microsoft judges, the top storytellers will be invited to present a virtual demo presentation to the judges during early August. You’ll be notified soon after if you have been selected as a finalist to share your story live at PPCC’s Got Power!  The live show will feature the solution demos and storytelling talents of the top contestants, winner announcements, and the opportunity to network with your community.  It's not just a showcase for technical talent and storytelling showmanship, show it's a golden opportunity to make connections and celebrate our Community together! Let's make this a memorable event! See you there!   Mark your calendars! Date and Time: Thursday, Sept 19th Location: PPCC24 at the MGM Grand, Las Vegas, NV 

Tuesday Tip | Accepting Solutions

It's time for another TUESDAY TIPS, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community.   To enhance our collaborative environment, it's important to acknowledge when your question has been answered satisfactorily. Here's a quick guide on how to accept a solution to your questions: Find the Helpful Reply: Navigate to the reply that has effectively answered your question.Accept as Solution: Look for the "Accept as Solution" button or link, usually located at the bottom of the reply.Confirm Your Selection: Clicking this button may prompt you for confirmation. Go ahead and confirm that this is indeed the solution.Acknowledgment: Once accepted, the reply will be highlighted, and the original post will be marked as "Solved". This helps other community members find the same solution quickly. By marking a reply as an accepted solution, you not only thank the person who helped you but also make it easier for others with similar questions to find answers. Let's continue to support each other by recognizing helpful contributions. 

Reminder: To register for the Community Ambassador Call on June 13th

Calling all Super Users & User Group Leaders   Reminder: To register for the Community Ambassador Call on June 13th—for an exclusive event for User Group Leaders and Super Users! This month is packed with exciting updates and activities within our community.   What's Happening: Community Updates: We'll share the latest developments and what's new in our vibrant community.Special Guest Speaker: Get ready for an insightful talk and live demo of Microsoft Copilot Studio templates by our special guest.Regular Updates: Stay informed with our routine updates for User Groups and Super Users.Community Insights: We'll provide general information about ongoing and upcoming community initiatives. Don't Miss Out: Register Now: Choose the session that fits your schedule best.Check your private messages or Super User Forum for registration links. We're excited to connect with you and continue building a stronger community together.   See you at the call!

Users online (2,704)