
Power Apps – Restrict Control by User, Team or Security Role

Overview

In Canvas Apps you can make essentially any control Editable or Disabled. Typically, this is done based on the data that’s presented on the screen, but you can also take into consideration the current user accessing the app, teams they are part of, or security roles assigned to them.

This allows much more flexibility in controlling how the user can interact with the app.


User Restriction

If you want to restrict controls based on the current user, this can be done by retrieving the user’s record during OnStart of the app.

  • Go to App
  • Select OnStart property
  • Assign a global variable with the user record

    Set(currentUser, LookUp(Users, ThisRecord.'User Name' = User().Email));


  • Go to the Control that requires restriction
  • Select the DisplayMode property

By default, the control is open to any user because the DisplayMode property is set to Edit.

Update the DisplayMode property. The formula below does the following:

  • Checks if Owner is either User or Team
  • If User, casts Owner as User data type
  • Checks to see if Owner equals current user
  • Otherwise, control is disabled

    If(IsType(ThisItem.Owner, Users),
        // Owner is a user: editable only when it is the current user
        If(AsType(ThisItem.Owner, Users).User = currentUser.User,
            DisplayMode.Edit,
            DisplayMode.Disabled
        ),
        // Owner is a team: disabled
        DisplayMode.Disabled
    )


Here, the user is able to deactivate Accounts they are the owner of.

Team Restriction

If you want to restrict controls based on the teams the user is part of, this can be done by retrieving the team IDs during OnStart of the app.

  • Go to App
  • Select OnStart property
  • Create a blank collection
  • Loop through User’s team associations and add to the collection

    ClearCollect(teamList, Blank());

    ForAll(currentUser.'Teams (teammembership_association)' As team,
        Collect(teamList,
            {
                teamId: team.Team
            }
        )
    );

It’s important to note that the teammembership_association relationship must be used to retrieve the user’s related team IDs.


Update the DisplayMode property. Here is the formula when the user restriction is combined with the team restriction:

    If(IsType(ThisItem.Owner, Users),
        // Owner is a user: editable only when it is the current user
        If(AsType(ThisItem.Owner, Users).User = currentUser.User,
            DisplayMode.Edit,
            DisplayMode.Disabled
        ),
        // Owner is a team: editable only when the current user is a member
        If(CountRows(Filter(teamList, ThisRecord.teamId = AsType(ThisItem.Owner, Teams).Team)) > 0,
            DisplayMode.Edit,
            DisplayMode.Disabled
        )
    )

If the restriction should be based on Team only, the following logic can be used:

    If(IsType(ThisItem.Owner, Teams),
        // Owner is a team: editable only when the current user is a member
        If(CountRows(Filter(teamList, ThisRecord.teamId = AsType(ThisItem.Owner, Teams).Team)) > 0,
            DisplayMode.Edit,
            DisplayMode.Disabled
        ),
        // Owner is a user: disabled
        DisplayMode.Disabled
    )


Here, the user is able to deactivate Accounts they own or that are owned by teams they are part of.

Security Role Restriction

If you want to restrict controls based on the security roles assigned to the user, this can be done by retrieving the role IDs during OnStart of the app.

  • Go to App
  • Select OnStart property
  • Create a blank collection
  • Loop through User’s security role associations and add to the collection

    ClearCollect(secRoleList, Blank());

    ForAll(currentUser.'Security Roles (systemuserroles_association)' As role,
        Collect(secRoleList,
            {
                roleId: role.Role
            }
        )
    );

It’s important to note that the systemuserroles_association relationship must be used to retrieve the user’s related role IDs.


Update the DisplayMode property. Since we are basing this on a Security Role, we will need to hard-code the role ID in the Filter formula. Here is what the code looks like when used in conjunction with the user and team restrictions:

    // Users holding the security role can always edit
    If(CountRows(Filter(secRoleList, ThisRecord.roleId = GUID("1f69a91c-ca71-ed11-81ac-000d3af3ac95"))) > 0,
        DisplayMode.Edit,
        // Otherwise fall back to the user and team ownership checks
        If(IsType(ThisItem.Owner, Users),
            If(AsType(ThisItem.Owner, Users).User = currentUser.User,
                DisplayMode.Edit,
                DisplayMode.Disabled
            ),
            If(CountRows(Filter(teamList, ThisRecord.teamId = AsType(ThisItem.Owner, Teams).Team)) > 0,
                DisplayMode.Edit,
                DisplayMode.Disabled
            )
        )
    )

If the restriction should be based on Security Role only, the following logic can be used:

    If(CountRows(Filter(secRoleList, ThisRecord.roleId = GUID("1f69a91c-ca71-ed11-81ac-000d3af3ac95"))) > 0,
        DisplayMode.Edit,
        DisplayMode.Disabled
    )

The end result allows for the Deactivate button to be available for all Accounts.
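DisplayMode only changes how the control behaves inside the app; whether the record can actually be updated is decided by the user's Dataverse privileges when the write reaches the server. The following added example (not from the original post) repeats the combined role, user and team test in the Deactivate button's OnSelect and surfaces a Dataverse rejection instead of failing silently. The Patch call, the 'Status (Accounts)' choice value and the button sitting in an Accounts gallery are assumptions; currentUser, teamList, secRoleList and the role GUID are the ones defined above.

```powerfx
// OnSelect of the Deactivate button (assumed to sit in a gallery bound to Accounts).
// canEdit mirrors the DisplayMode formula so the action is guarded as well as the display.
With(
    {
        canEdit:
            // Role holders may act on any Account
            CountRows(Filter(secRoleList, ThisRecord.roleId = GUID("1f69a91c-ca71-ed11-81ac-000d3af3ac95"))) > 0
            || If(
                IsType(ThisItem.Owner, Users),
                // User-owned record: must be owned by the current user
                AsType(ThisItem.Owner, Users).User = currentUser.User,
                // Team-owned record: current user must be a member of the owning team
                CountRows(Filter(teamList, ThisRecord.teamId = AsType(ThisItem.Owner, Teams).Team)) > 0
            )
    },
    If(
        canEdit,
        IfError(
            // Assumed deactivate action: set the Account's Status to Inactive
            Patch(Accounts, ThisItem, {Status: 'Status (Accounts)'.Inactive}),
            // Dataverse is the authority: show its refusal (for example, a missing privilege)
            Notify("Dataverse rejected the update: " & FirstError.Message, NotificationType.Error),
            Notify("Account deactivated.", NotificationType.Success)
        ),
        Notify("You do not have permission to deactivate this account.", NotificationType.Warning)
    )
)
```

If the role should not be able to deactivate records at all, remove the privilege from the Dataverse security role rather than relying on the formula.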
