In my last article, we saw how to set up a Dataverse environment for a selected Microsoft Team and created two tables, "Tickets" and "Category", in Dataverse, which Power Apps uses to display the records in a proper manner.
To extend this scenario, I will explain how to manage role-based access to the Dataverse table and add a layer of security in the Power App, so that signed-in users can only perform the operations their access level allows.
Prerequisites
- A Dataverse environment should be created in one of your Microsoft Teams.
- The table should be created in that Dataverse environment.
If you want to set up a Dataverse environment and create a table, I have written an article that is available here.
Let's get started.
Step 1 - Permission roles available in Microsoft Teams
Once a Power App is published to a Microsoft Teams channel, the owner or app creator does not get a separate option to share the app with arbitrary people in the organization.
The reason is that an app created in Dataverse for Teams follows the security model of the Team it belongs to, and the same model applies to the records stored in the Dataverse table.
The security model of Microsoft Teams is as follows.
A Team can have many users, and each user is added in one of three roles, known as the OMG pattern:
- O stands for Owners
- M stands for Members
- G stands for Guests
As shown in the image, the Dataverse team has four users:
- One Owner, "Dipen Shah".
- Two Members, Alex and Lynne.
- One Guest, dips365.
Users who are not part of the organization's domain are added directly as Guests.
Step 2 - Permission management in Dataverse tables
When the Owner signs in, the Owner has full access to all the tables created as part of this app. For this app I created a table in Dataverse for Teams called "Tickets", and Owners have Full access to it by default: they can create new records, read all records, and update and delete any record in the table, including records created by others.
A Member also has Full access by default to all tables that are created in Dataverse for Teams and are part of the application.
So, for example, Lynne can update and delete records created by "Dipen Shah", or create her own records, because Lynne has full access to the tables.
What is the default behavior when a Guest signs in?
When dips365 signs in as a Guest, dips365 does not see any existing records, because Guests get Private access to the tables by default. They can create new records, but they can read only the records they created themselves, and they can update and delete only their own records.
How many permission levels are available in Dataverse for Teams?
Dataverse for Teams provides five permission levels for a table:
- Full access: users can create records and can read, update and delete records created by them as well as records created by others.
- Collaborate: users can create records and read all records, but they can update and delete only records they created themselves. They cannot update or delete records created by other people.
- Private: users can create records, and can read, update and delete only the records they created themselves.
- Reference: users cannot create new records or update or delete existing ones; they can only read (view) all records.
- None: users cannot access records in the table at all.
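To make the five levels and the default role mapping above concrete, here is a small reference model that encodes them as an access matrix and evaluates create/read/update/delete decisions for sample users and records. This is an added example, not code from the original article or from Microsoft; the user names and ticket records are constructed test data, and the `is_allowed`, `visible_records` and `level_for` helpers are my own names. It is useful for writing down the behaviour you expect before you change a table's permission level, so you can compare it against what the app actually does.

```python
"""Reference model of Dataverse for Teams table permission levels.

Added example, not code from the original article. It encodes the five
permission levels described above and the default role mapping the article
observes (Owners -> Full access, Members -> Full access, Guests -> Private).
All users and records below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    FULL_ACCESS = "Full access"
    COLLABORATE = "Collaborate"
    PRIVATE = "Private"
    REFERENCE = "Reference"
    NONE = "None"


# (may_create, read_scope, write_scope); a scope is "all", "own" or None.
# "write" covers both update and delete: no level separates the two.
RULES = {
    Level.FULL_ACCESS: (True, "all", "all"),
    Level.COLLABORATE: (True, "all", "own"),
    Level.PRIVATE: (True, "own", "own"),
    Level.REFERENCE: (False, "all", None),
    Level.NONE: (False, None, None),
}

# Defaults observed in the article; Owners are always Full access and cannot be changed.
DEFAULT_LEVELS = {
    "owner": Level.FULL_ACCESS,
    "member": Level.FULL_ACCESS,
    "guest": Level.PRIVATE,
}


@dataclass(frozen=True)
class Record:
    record_id: int
    created_by: str  # user who created the record; decides "own" vs "others"
    title: str


def level_for(role, overrides=None):
    """Resolve a Teams role to a table permission level.

    `overrides` is a hypothetical {role: Level} dict standing in for what you
    set on the Manage permissions pane; it is honoured for members and guests
    only, because the pane keeps Owners locked to Full access.
    """
    if role == "owner":
        return Level.FULL_ACCESS
    if overrides and role in overrides:
        return overrides[role]
    return DEFAULT_LEVELS[role]


def is_allowed(level, op, user, record=None):
    """Return True if `user` holding `level` may perform `op` on `record`.

    op is "create", "read", "update" or "delete". Create needs no record;
    the other operations compare record.created_by against the user.
    """
    may_create, read_scope, write_scope = RULES[level]
    if op == "create":
        return may_create
    if record is None:
        raise ValueError("a record is required for %s" % op)
    scope = read_scope if op == "read" else write_scope
    if scope is None:
        return False  # the level grants no rights for this operation
    if scope == "all":
        return True
    return record.created_by == user  # "own" scope


def visible_records(level, user, records):
    """Records `user` would see in the app's gallery under `level`."""
    return [r for r in records if is_allowed(level, "read", user, r)]


# Constructed sample "Tickets" table mirroring the team in the article.
TICKETS = [
    Record(1, "dipen", "Printer offline"),
    Record(2, "lynne", "VPN drops every hour"),
    Record(3, "dips365", "Guest cannot open shared file"),
]

if __name__ == "__main__":
    for role, user in (("owner", "dipen"), ("member", "lynne"), ("guest", "dips365")):
        lvl = level_for(role)
        print(role, user, lvl.value, [r.record_id for r in visible_records(lvl, user, TICKETS)])
```

One thing the model makes visible that the UI does not: a permission level applies to the whole table, so a Member with Full access on "Tickets" can delete everyone's tickets, and the only knob that narrows this without removing read access to other people's records is Collaborate.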
How can anyone change the permission level for Owners, Members and Guests?
To change the permission level, go to the permission management screen of Power Apps in Microsoft Teams:
- Click the Power Apps icon in Teams.
- Click Build.
- Click See all.
- Click Tables and select the table whose permission level you want to change.
- Click Manage permissions.
Once you click Manage permissions, the screen below appears on the left side of the Microsoft Teams window.
Here you can see that Owners is disabled, so you cannot change the access of the Owners group: it always has Full access on the tables associated with the app.
You can change the permission level for Members and Guests as your requirements dictate.
If you want users to be able to change only their own records, put those users in the Members group and assign the Members group the Collaborate level. Users in the Members group will then still read all records, but will not be able to update or delete records they do not own.
If the rule should be that users can read only their own records, assign the group the Private permission level; they can still create records and update or delete the ones they created.