Security Implementation in SharePoint driven Canvas Apps


One of the key practices I have implemented when building solutions for certain organisations, is to ensure that security permissions can be modified without the need for a Power Platform developer, allowing I.T. departments or group administrators to grant users permissions for solutions.

I use security in multiple ways when building my solutions, starting with the simple visibility of buttons in a canvas app based on whether a user is a member of a specific group. To keep non-developers able to adjust permissions, I configure a permissions setup in which membership of an AAD security group is what grants users access to view elements of an app.

To do this I need to use a condition in my app. But before I can do that, I need to set up my security in a SharePoint site, which I will add to my app as a data source.

To start I will create a list, which I generally name ‘Security’.

Then I will create the items in my list, one item per group of people. I will set the ‘Title’ of each item to the name of the group.

In the ‘People and Groups’ area of my SharePoint site, I will create corresponding SharePoint groups for each of my list items/groups of people.

I then need to go back to my list and grant each group I have just created access to its corresponding list item.

Finally, in either the Azure AD admin centre or the Microsoft 365 admin centre, I will create corresponding security groups as well for each group of people/list item/SP group. I will then go back to each of my SharePoint groups and grant the security groups access to them as if they were a user.

Because both the security group and the SharePoint group will appear when sharing items on my site, I need a way to tell them apart. I add [SG] to the end of my security group name to show that it is the security group and not the SharePoint group.

Now that I have configured my security in my SharePoint site, I can start to apply it to my app. To do this we need to add the following code to the OnStart property of App. Here we define a global variable and set its value. That value is true when our ‘Security’ list contains an item whose Title column equals a specific value (our item title/group name), and false otherwise. If the app manages to retrieve the record for a group, the user must be a member of a group that can view that record/has access to it. We therefore have a system whereby users can be added to a security group to grant them access to a SharePoint list record; when the app picks that record up, it sets a global variable to true.

Set(ManagerAccess,!IsBlank(LookUp(Security, Title = "My App - Managers")))

In the above example, my variable is ‘ManagerAccess’ (you can name this however you like), my SharePoint list is ‘Security’, and my list item/group name is ‘My App - Managers’.

The finishing touch:

All we now need to do is select the items on our screen that we want to hide based on the person being part of a group or not, and set the Visible property as our global variable!
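As an added example (not the original post's code), the following Power Fx extends the post's single-variable pattern to several groups and shows the variables being used on controls. It assumes the ‘Security’ list from the post is added as a data source and contains the item ‘My App - Managers’; the second item title, ‘My App - Admins’, and the variable name AdminAccess are assumptions for this example only.

```powerfx
// OnStart property of App (added example, not from the original post).
// Each LookUp returns Blank() when the signed-in user cannot read that item,
// because SharePoint only returns the list items the user has permission on.
// Concurrent runs the two lookups in parallel so start-up is not slowed down.
Concurrent(
    Set(ManagerAccess, !IsBlank(LookUp(Security, Title = "My App - Managers"))),
    Set(AdminAccess,   !IsBlank(LookUp(Security, Title = "My App - Admins")))   // assumed item title
);

// Visible property of a button that only managers or admins should see
ManagerAccess || AdminAccess

// DisplayMode property of a form: editable for admins, read-only for everyone else
If(AdminAccess, DisplayMode.Edit, DisplayMode.View)
```

Two points worth keeping in mind when using this pattern. First, the check only works if permission inheritance has been broken on each ‘Security’ list item so that only the intended groups can read it; an item that everyone in the site can read will set the variable to true for everyone. Second, the Visible and DisplayMode properties only control what the app shows: the data in your other lists is still governed by those lists' own SharePoint permissions, so any record the app must keep from a user needs to be protected there as well, not only hidden on screen.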

Concluding Result:

I now have a security structure whereby group administrators or IT departments in my organisation can assign users additional permissions in my Power Apps and Power Platform solutions using SharePoint as a data source.

Written by
Lewis Baybutt
Microsoft Business Applications MVP • Power Platform Consultant • Blogger • Community Contributor • #CommunityRocks • #SharingIsCaring