cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Jerome2
Frequent Visitor

multiple table permission in portal on same table?

Hi,

 

I have a need requiring 2 differents permissions agaisnt the same table, the account table on a custom portal

first,

my user are authorized to access (read and edit) multiple specific accounts. and fill related record, like contracts information.

so I have a page listing the authorized account.

 

second,

in my contract, there is a lookup field connected to the account table, and there, the user can select any account, not only the authorized ones.

 

so it's where I have a conflict, I have to grant read access to all the accounts, else the lookup is not able to search for any account, but this allows the user to see the details of all the accounts at the same time.

 

is there an option, at the form level, which can be used to make sure the user access the record through the right permission?

or with the right privilege? (if the user can't edit the record, the access is denied)

or an option allowing the lookup field to bypass the permissions?

 

or do I have to add some liquid code to test this?

1 ACCEPTED SOLUTION

Accepted Solutions
chleverenz
Super User
Super User

Hi @Jerome2 ,

as far as i know there is no chance solving this issue out of the box. The problem is, that you really need access to all accounts in order to select _and_ append one to your lookup. 

 

Even if i see a lot of securityissues here, this could be done with some external helpers: You could provide an azurefunction or whatever to access the dataverse (this bypasses all security....) and provide a service so search for all accounts. Another function could take an accountid and a contactid and relate the specific account to the contact again by bypassing all security.

You could use implicit grant ( https://docs.microsoft.com/en-us/power-apps/maker/portals/oauth-implicit-grant-flow ) to ensure, that the contactid updating itself is the contactid it claims to be (or to read the contactid via implicit grant)

This all involves a lot of no/low-code or a lot of pro-code and will be a severe securitybreach 🙂 .

 

So, i did not write this 🙂

 

Have fun,

  Christian

View solution in original post

1 REPLY 1
chleverenz
Super User
Super User

Hi @Jerome2 ,

as far as i know there is no chance solving this issue out of the box. The problem is, that you really need access to all accounts in order to select _and_ append one to your lookup. 

 

Even if i see a lot of securityissues here, this could be done with some external helpers: You could provide an azurefunction or whatever to access the dataverse (this bypasses all security....) and provide a service so search for all accounts. Another function could take an accountid and a contactid and relate the specific account to the contact again by bypassing all security.

You could use implicit grant ( https://docs.microsoft.com/en-us/power-apps/maker/portals/oauth-implicit-grant-flow ) to ensure, that the contactid updating itself is the contactid it claims to be (or to read the contactid via implicit grant)

This all involves a lot of no/low-code or a lot of pro-code and will be a severe securitybreach 🙂 .

 

So, i did not write this 🙂

 

Have fun,

  Christian

Helpful resources

Announcements
Carousel Community Blog

Check out the Community Blog

Read all about the most recent blogs in the community!

Community Call Conversations

Introducing the Community Calls Conversations

A great place where you can stay up to date with community calls and interact with the speakers.

Carousel News & Announcements

What's New in the Community?

Check out the latest News & Events in the community!

Top Solution Authors
Users online (6,671)