One of the key practices I have implemented when building solutions for certain organisations is to ensure that security permissions can be modified without the need for a Power Platform developer, allowing I.T. departments or group administrators to grant users permissions for solutions.
I use security in multiple ways when building my solutions, starting with simple visibility of buttons in a canvas app based on a user being part of a specific group. To maintain the ability for non-developers to adjust permissions, I do this by configuring a permissions setup in which membership of an AAD security group grants users access to view elements of an app.
To do this I need to use a condition in my app. But before I can do that, I need to set up my security in a SharePoint site, which I will add to my app as a data source.
To start I will create a list, which I generally name ‘Security’.
Then I will create the items in my list, one for each group of people, and set the ‘Title’ of each item to the name of the group.
In the ‘People and Groups’ area of my SharePoint site, I will create corresponding SharePoint groups for each of my list items/groups of people.
I then need to go back to my list and grant each of the groups I have just created access to its corresponding list item.
Finally, in either the Azure AD admin centre or the Microsoft 365 admin centre, I will create corresponding security groups as well for each group of people/list item/SP group. I will then go back to each of my SharePoint groups and grant the security groups access to them as if they were a user.
To differentiate my security group from my SharePoint group, as both will appear when sharing items on my site, I include [SG] on the end of my security group name to show this is the security group and not the SharePoint group.
Now that I have configured my security in my SharePoint site, I can start to apply it to my app. To do this we need to implement the following code in the OnStart property of App. Here we are defining a global variable and setting its value. The value is true when the LookUp finds an item in our ‘Security’ list whose Title column matches a specific value (our item title/group name), and false when it does not. If the app has managed to retrieve the record for a group, the user is part of a group that has access to view that record. We therefore have a system whereby users can be added to a security group to grant them access to a SharePoint list record, and when the app retrieves that record, it sets a global variable to true.
Set(ManagerAccess,!IsBlank(LookUp(Security, Title = "My App - Managers")))
In the above example, my variable is ‘ManagerAccess’ (you can name this how you like), my SharePoint list is ‘Security’ and my list item/group name is ‘My App - Managers’.
The finishing touch:
All we now need to do is select the items on our screen that we want to hide based on the person being part of a group or not, and set the Visible property as our global variable!
I now have a security structure whereby group administrators or IT departments in my organisation can assign users additional permissions in my Power Apps and Power Platform solutions using SharePoint as a data source.
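The LookUp in OnStart only proves group membership if each item in the ‘Security’ list has its own permissions; an item that still inherits from the list can be read by everyone with access to the list. The PowerShell audit below is an added example, not part of the original post. It assumes the PnP.PowerShell module, a site URL you supply, and that each SharePoint group has exactly the same name as its list item's Title.

```powershell
# Added example, not the author's code. Assumes the PnP.PowerShell module and that each
# SharePoint group is named exactly like its list item's Title (e.g. "My App - Managers").
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # your site URL (placeholder, not from the post)
    [string] $ListName = 'Security'
)

# Connection options depend on your tenant; newer PnP.PowerShell versions also need -ClientId.
Connect-PnPOnline -Url $SiteUrl -Interactive

$report = foreach ($item in (Get-PnPListItem -List $ListName)) {
    $title  = $item['Title']
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments

    # Every principal (SharePoint group, user or directory group) holding a role on this item
    $principals = @(
        foreach ($ra in (Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
            (Get-PnPProperty -ClientObject $ra -Property Member).Title
        }
    )

    $finding = if (-not $unique) {
        # Inherited permissions: anyone who can read the list can read this item,
        # so LookUp() returns a record and the app variable becomes true for all of them.
        'FAIL: inherits list permissions'
    }
    elseif ($principals -notcontains $title) {
        'WARN: matching SharePoint group has no access'
    }
    elseif ($principals.Count -gt 1) {
        'REVIEW: principals other than the matching group can read this item'
    }
    else { 'OK' }

    [pscustomobject]@{
        Item       = $title
        Unique     = $unique
        Principals = $principals -join '; '
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize -Wrap
```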