Role Based Security In PowerApps using SharePoint Groups

Recently a customer asked if PowerApps can support role based security controlled by SharePoint Security Groups. For example, can you make an Admin screen that is visible only to users who belong to a specific SharePoint Security Group? Yes, you can and this is where Microsoft Flow comes to the rescue!

This blog post is an attempt to share an approach for finding out the SharePoint Group membership of a signed in user and make certain features or screens of an app available to them.

Prerequisites

Create a SharePoint security group with members that you would want to use for role based security in your PowerApps App and navigate to the group settings .

grpsetting
And enable “Everyone” access to view the members of this group
grpsec

We will be creating a Flow to check group membership using a SharePoint HTTP REST call. Users triggering the Flow from your app may not necessarily have admin privileges to read group membership details. To enable all users to read group membership it is necessary to allow “Everyone” to view members of the security group.

Steps

  • Create a blank flow using a Site Collection Admin/Flow owner account.
  • Add a PowerApps Trigger step so you can call this Flow from the app. Then add an Initialize variable step to store a boolean value (IsAdministrator). Next add another Initialize variable step with a string variable (UserGroupInfo) to store the user group information we will be retrieving in the next step.

1

  • Search for ‘Send an HTTP request to SharePoint’ action under SharePoint actions and add it. Now let’s configure this action to make a SharePoint REST call to determine user group membership.

Site Address: Select the site collection where your SharePoint Security group exists

Method: Get

Uri: api/web/sitegroups/getByName(‘SP Group Name’)/Users?$filter=Email eq ‘’

Replace ‘SP Group Name’ with your group name. Place cursor in between the single quotes after $filter=Email eq and select ‘Ask In PowerApps’ under manual content. This will auto generate a variable name that will be used as an input parameter for this Flow. The goal here is to pass the logged in user’s email id as a parameter from PowerApps to Flow.

Below is how the action looks after configuration. ‘RequestAdmins’ is the SharePoint User Group I used for this example.

chkUsergrp

This REST call will return an empty object if the user is not member of the group.

emptyresults

It will return an object with User properties in the following format if the user is a member of the group.

resultsjson

  • Now that we have an output from the REST call above, we can parse it to extract the results section. Add a ‘Set Variable’ action to set the variable ‘UserGroupInfo’ created earlier with the value set to expression body(‘CheckUserGroup’)[‘d’][‘results’]

extractUsrgrp

Here ‘CheckUserGroup’is the name of the previous action. If your action name has spaces, replace the spaces with underscore (_) character. At this stage, we have extracted the results which can be used to determine if the User is a member of the group.

  • Add a ‘Condition’ step to evaluate the results value. If the results object is empty then the user is not a member.

Use the expression @not(equals(variables(‘UserGroupInfo’), ‘[]’)) to evaluate the object.

‘UserGroupInfo’ is the variable used to store the object value and ‘[]’ compares to an empty object.

Set the variable ‘IsAdministrator’ that was initialized earlier to true if the condition evaluated to be true. If not, set it to be false.

isadmin

  • One final step in the flow would be to pass the results of our user group membership check back to PowerApps as an output parameter that can be used to enable certain features of the app for the logged in user. Add ‘Respond to PowerApps’ action and choose a text output. An output of type boolean would have been ideal but is not available at this time and we’ll stick to a text output. Provide a name for the text output parameter (I used ‘IsAdminUser’) and set the value to variable ‘IsAdministrator’.

respondtpPA

Here’s how entire Flow looks like and it’s time to save it and see it in action.

fullflow

  • Now that we have Flow ready, let’s implement and test it on the app. Navigate to your PowerApps app, create a new blank screen, click on Properties dropdown and select the ‘OnVisible’ event of the screen. Next click on the ‘Action’ tab and select ‘Flows’. Select the Flow you created to add it to the formula bar to associate the Flow to the ‘OnVisible’ event of the screen. Type the below functions on the ‘OnVisible’ formula bar.

PAFunction

First we are creating a variable (isAdmin) to store the user group membership status in Boolean format and setting the default value to be false. Next we are triggering the Flow ( ‘CheckUserPermission’ is the name of the Flow I created) and passing in an encoded format of the current logged in user’s email as the input parameter.

The output returned from Flow is being stored in a variable ‘UserGroupInfo’. Lastly, we are validating the value of the output parameter ‘isadminuser’ we configured earlier and setting the ‘isAdmin’ variable with Boolean equivalent.

  • Drop a button on the screen and set the “Visible’ property of the button to variable ‘isAdmin’. This will show/hide the button based on the value of the variable. You can set the ‘OnSelect’ event of the button to navigate to an Admin Only Screen.

And we are done! Publish the app and run. If all goes well, you should see that the flow ran successfully.

On the app side, Flow is triggered (when the screen is visible) with the current user’s encoded email id as the input parameter which in turns makes a SharePoint Rest Call to determine the user’s membership.It returns a Text output of value “True” or “False”. The app then validates the returned value and shows/hides the button based on the user’s group membership.

Here’s how my sample app looks like if the current user is an admin:

PAScreen1.png

If the current user is not an admin then the admin button is hidden.

PAScreen2.png

Resources

Here are some resources I found to be very useful to help design this solution:

  • Doctor Flow’s post how you can use SharePoint REST APIs in Flow
  • For those interested in the SharePoint REST/OData API, you can find the complete set of REST/OData APIs here.

7 thoughts on “Role Based Security In PowerApps using SharePoint Groups

  1. Pingback: Role based Canvas Apps | Dreaming in CRM

  2. Pingback: Role based Canvas Apps - Microsoft Dynamics CRM Community

  3. Thanks for your quick response! I’m obviously doing something wrong and it is probably due to me being new to PowerApps. Unfortunately I can’t add a screenshot in the comments but I did upload one to my flicker account @ https://c1.staticflickr.com/5/4886/45183199304_cae95116ac_b.jpg. In PowerApps, I do the following:
    1. Add a blank screen.
    2. Immediately above the Screens frame on the left, there is a Properties dropdown – I scroll to that and select “OnVisible.”
    3. Next, I click the Action tab and select FLOWS and pick the Flow I created. It populates the formula bar with: ‘PowerApp->Initializevariable,Initializevariable2,SendanHTTPrequesttoSharePoint,Setvariable’.Run(
    4. I pasted your formula after the Run( as follows: Set(isAdmin,false);Set(UserGroupInfo,CheckUserPermission.Run(EncodeUrl((User().Email)));Set(isAdmin,If(UserGroupInfo.isadminuser=”true”,true)) and closed it with another ).
    5. I get error messages indicating that CheckUserPermission.Run(EncodeUrl((User().Email))) is an invocation of an unknown or unsupported function and that UserGroupInfo.isadminuser is an improper use of “.”

    I’m sure I’m making a silly mistake.

    Like

    • No worries. Been there and I’m still learning. Here’s what I think is happening. ‘CheckUserPermission’ is the name of the Flow I created. You may want to update occurrences of ‘CheckUserPermission’ with your Flow (name). Or You could rename your Flow to ‘CheckUserPermission’ and redo the step to add the Flow and update the formula bar.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s