A way to implement Role Based Security in PowerApps

TL;DR : you can use a Microsoft (O365) Group to give both access to a SharePoint site and PowerApps, you can use the O365 Groups Connector to list members of a security group, you can use security groups to have role-based-security functionality within your PowerApp.


People who are familiar with creating PowerApps know that a PowerApp itself serves as the front-end UI and logic of your application. The data of your app is retrieved from, and stored in, back-end systems or services using a multitude of connectors.


Many times these back-end systems have their own access management system or model. Take as an example SharePoint Online. Users are given access to a SharePoint site by making them owner or member of the related Microsoft Group or by giving them access using SharePoint Groups.


In a typical scenario in which a PowerApp application uses a SharePoint Online team site to store and retrieve its data you need to give your users permissions to both the PowerApp and the SharePoint Online site. Wouldn't it be easier to configure these permissions in just 1 place?


Re-using Microsoft Groups in PowerApps


In case of a SharePoint Online Team site you can easily re-use the attached Microsoft Group to give you users automatically access to your PowerApp. Microsoft Groups created with the UI are not security group enabled by default. This means that you can not share your PowerApp with this group. But you can easily make them security enabled. Here is how.


First you will need the Group Id GUID of your Microsoft Group. There are a number of ways to get this. One of them is to navigate to your SharePoint site and paste the following Url after the site collection name: '/_layouts/15/user.aspx'. Click on the SharePoint members group followed by clicking the Microsoft Group. I named my group 'PowerApp Backend'. The part after the pipe is the Group Id GUID. Copy this id.

Now use PowerShell to security enable your Microsoft Group. Download and install the AzureAD module. Connect to Azure AD using Connect-AzureAD. Run the following command to enable security on your group:

Set-AzureADGroup -ObjectId **your Group Id guid** -SecurityEnabled $True


The Group now becomes available to select in the PowerApp share settings.

Getting members of a Microsoft Group or security group


Using the O365 Groups Connector you can easily get the members of your Group using the ListGroupMembers method and add them to a collection. In below example I use the Group Id from the 'PowerApp Backend' group:


ClearCollect(GroupMembers,Office365Groups.ListGroupMembers("2d3dfbc1-5252-4dfd-a3d1-3f2584b80355"));


Interestingly the Groups connector ListGroupMembers not only works with Microsoft Groups but also with plain Azure Ad security groups. In other words you do not need the Azure AD connector (which needs admin permissions) to list the members of a security group, the groups connector is sufficient.

So the below PowerApp script will give you a collection of the members of the 'My Security Group' AAD security group:


ClearCollect(GroupMembers,Office365Groups.ListGroupMembers("b8b9e996-c744-4f4c-a572-2b72f94028e2").value);


Role Based Security using Security Groups


And that brings us to the possibility to use security groups to implement Role Based Security in a PowerApp.


As seen above the Microsoft Group can be used to give users both access to the PowerApp and backend services, while Azure AD security groups can be used to give or deny users access to fine-grained functionality within PowerApps.


Take for example the "My Security Group" Azure AD security group. The following script only enables a button within PowerApps if you are a member of this group:

If(IsBlank(LookUp(GroupMembers,mail=User().Email).mail),DisplayMode.Disabled,DisplayMode.Edit)


This technique enables you to use security groups to enable (admin) functionality in your PowerApp based on group membership. Please be aware that Azure AD self-service security group management requires a P1 AAD license. So if your organization does not have this license you will need to implement a procedure to request membership to a security group.


References

https://www.c-sharpcorner.com/article/get-users-or-members-from-the-ad-security-group-in-power-apps/

https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app

19 keer bekeken