Implementing Role-Based Security in Power Apps with SharePoint
Using SharePoint as a data source in Power Apps provides flexibility and simplicity for managing user roles. In this guide, we’ll create a role-based security system where the app dynamically adapts the visible components (buttons, fields, menus) based on the logged-in user’s role. We’ll also secure SharePoint to restrict direct UI access.
Objective
Dynamically control which app components are visible or enabled based on the user’s role.
Restrict direct access to SharePoint while maintaining access for Power Apps.
Step 1: Create Role-Based SharePoint Lists
To manage roles, create a separate SharePoint list for each role. These lists will store the email addresses of users assigned to that role.
1️⃣ Example SharePoint Lists:
AdminList : For admin users.
Role1List, Role2List, Role3List: For specific user roles.
2️⃣ List Structure:
Each list will have:
A single column, Title (default column in SharePoint), to store user email addresses.
Example:
AdminList
Role1List
Step 2: Initialize Role-Based Variables in Power Apps
1️⃣ Define Role Variables in OnStart
Use the OnStart property of the app to check whether the logged-in user’s email exists in the respective SharePoint list. This determines their role.
Code Example:
Set(
isUserAdmin,
!IsBlank(LookUp(AdminList, Title = User().Email))
);
Set(
isUserRole1,
!IsBlank(LookUp(Role1List, Title = User().Email))
);
2️⃣ What This Does:
LookUp checks if the logged-in user’s email (User().Email) exists in the respective SharePoint list.
Set assigns the result to a variable (true if found, false otherwise).
Step 3: Use Variables to Adapt App Components
Once the role-based variables are initialized, use them to control the visibility or accessibility of components in the app.
2. Show a Validation Button for Role2 and Role3 Users:
Visible: isUserRole2 || isUserRole3
These variables ensure that each user sees only the components relevant to their role.
Step 4: Restrict Direct Access to SharePoint
By default, users can access SharePoint lists and libraries via the browser, potentially exposing data. To prevent this, you can restrict SharePoint access while allowing Power Apps to interact with the data.
1️⃣ Create a Custom Permission Level:
Go to your SharePoint Site Settings → Site Permissions → Permission Levels → Add a Permission Level.
Name the permission level (e.g., Restricted PowerApps Access).
Remove the following permissions:
View Application Pages (prevents access to site pages and lists).
Open Items (blocks direct data view).
Keep Use Remote Interfaces enabled to allow Power Apps to interact with SharePoint.
2️⃣ Apply the Custom Permission Level:
Assign this permission level to users or groups who should access SharePoint data only through Power Apps.
Please follow this link for a complete step by step guide.
Step 5: Test Your App and Permissions
Test Role-Based Visibility:
Log in as a user with admin rights and verify that admin-only components (e.g., buttons, fields) are visible.
Log in as a Role1 user and confirm that only Role1-specific components are visible.
Test SharePoint Restrictions:
Attempt to access the SharePoint list directly as a restricted user. You should see an access denied message.
Verify that Power Apps can still read/write data to the restricted SharePoint lists.
Conclusion
This approach combines the flexibility of Power Apps with SharePoint’s robust data management capabilities. By dynamically adapting the app’s interface and securing SharePoint, you ensure a seamless and secure user experience.
Have you implemented role-based security in your Power Apps? Share your thoughts and improvements in the comments! 🚀