Web API for CRUD operations

Power Pages (formerly Power Apps Portals) can interact with the Dataverse Web API to perform CRUD operations (Create, Read, Update, and Delete) on Dataverse data. This is particularly useful when building custom front-end functionality in Power Pages, where you need precise control over data operations.

This guide provides a deep-dive explanation, step-by-step implementation, and code examples to help you use Web API for CRUD operations in Power Pages.


1. Introduction to Dataverse Web API

The Dataverse Web API is a RESTful endpoint provided by Microsoft that allows programmatic access to data stored in Microsoft Dataverse. Power Pages can use this Web API to manage records using HTTP requests such as:

  • POST (Create)
  • GET (Read)
  • PATCH (Update)
  • DELETE (Delete)

Authentication

When using the Web API in Power Pages, authenticated portal users (external or internal) must have:

  • Proper Web Roles assigned
  • Table permissions configured
  • Site Settings enabled for API usage

2. Prerequisites

Before calling the Web API from Power Pages:

Enable site setting:

  • Site Setting: WebAPI/EnableReadOperation (and others like EnableCreate, EnableUpdate, EnableDelete)
  • Value: true

Example site settings:

Name: WebAPI/EnableReadOperation
Value: true

Set proper Table Permissions:

  • Go to Portal Management App
  • Navigate to Table Permissions
  • Assign permissions (Read, Create, Write, Delete) on the relevant Dataverse table
  • Link to appropriate Web Roles

3. Basic Setup – Add jQuery and Token Retrieval

To perform authenticated Web API calls, first obtain a token from the token endpoint that Power Pages provides, then send it with every REST call. The snippets in this guide use jQuery's $.ajax, so jQuery must be loaded on the page before they run.

Here’s a standard pattern for retrieving a token:

<script type="text/javascript">
  // Requires jQuery to be loaded on the page.
  function getToken(callback) {
    $.ajax({
      type: "GET",
      url: "/_services/auth/token",
      success: function (data) {
        // Hand the token to the caller, which attaches it to the Web API request
        callback(data.access_token);
      },
      error: function (error) {
        console.log("Token error: ", error);
      }
    });
  }
</script>

4. Perform CRUD Operations

Create Record (POST)

getToken(function (token) {
  $.ajax({
    type: "POST",
    url: "/_api/accounts",
    headers: {
      "Authorization": "Bearer " + token,
      "Content-Type": "application/json",
      "OData-MaxVersion": "4.0",
      "OData-Version": "4.0",
      // Without this header a create returns 204 No Content (the new ID is only in
      // the OData-EntityId response header), so data.accountid would be undefined
      "Prefer": "return=representation"
    },
    data: JSON.stringify({
      "name": "New Account from Portal",
      "telephone1": "1234567890"
    }),
    success: function (data) {
      console.log("Created account ID: ", data.accountid);
    },
    error: function (error) {
      console.log("Create error: ", error);
    }
  });
});

Read Record (GET)

getToken(function (token) {
  $.ajax({
    type: "GET",
    // $select limits the columns returned to the ones the page actually needs
    url: "/_api/accounts?$select=name,accountid",
    headers: {
      "Authorization": "Bearer " + token,
      "Accept": "application/json",
      "OData-MaxVersion": "4.0",
      "OData-Version": "4.0"
    },
    success: function (data) {
      // Collection results are returned in the "value" array
      console.log("Records: ", data.value);
    },
    error: function (error) {
      console.log("Read error: ", error);
    }
  });
});

Update Record (PATCH)

To update a record, use the PATCH method with the record’s GUID:

getToken(function (token) {
  $.ajax({
    type: "PATCH",
    // Replace ACCOUNT_GUID with the GUID of the record to update
    url: "/_api/accounts(ACCOUNT_GUID)",
    headers: {
      "Authorization": "Bearer " + token,
      "Content-Type": "application/json",
      "OData-MaxVersion": "4.0",
      "OData-Version": "4.0"
    },
    // Only the columns in the body are changed; others are left as they are
    data: JSON.stringify({
      "telephone1": "9876543210"
    }),
    success: function () {
      console.log("Account updated");
    },
    error: function (error) {
      console.log("Update error: ", error);
    }
  });
});

Delete Record (DELETE)

getToken(function (token) {
  $.ajax({
    type: "DELETE",
    // Replace ACCOUNT_GUID with the GUID of the record to delete
    url: "/_api/accounts(ACCOUNT_GUID)",
    headers: {
      "Authorization": "Bearer " + token,
      "OData-MaxVersion": "4.0",
      "OData-Version": "4.0"
    },
    success: function () {
      console.log("Account deleted");
    },
    error: function (error) {
      console.log("Delete error: ", error);
    }
  });
});

5. Security Best Practices

  1. Secure Forms: Always validate user inputs to avoid injection attacks.
  2. Use Web Roles Wisely: Only assign minimal privileges needed.
  3. Use HTTPS: This keeps the token and the data encrypted in transit.
  4. Avoid Exposing Sensitive Data: Don’t expose internal GUIDs or fields to the front end unnecessarily.
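The CRUD snippets in section 4 interpolate a record GUID into the URL and will, in practice, take column values and filters from user input; best practice 1 above asks for that input to be validated. The following is an added example (not code from the original post or from Microsoft) of a request builder that does this before anything reaches $.ajax: it rejects malformed GUIDs, restricts table and column names to logical-name characters, doubles single quotes inside $filter string values so input cannot change the OData query, and attaches the headers the page's snippets use. The table "accounts", the GUID and all sample values are constructed.

```javascript
// Added example (not from the original post): a builder for the request objects
// the snippets above hand to $.ajax. It validates the record GUID before it goes
// into the entity-set URL, doubles single quotes in $filter values so user input
// cannot alter the OData query, restricts table and column names to logical-name
// characters, and sets the headers the Dataverse Web API expects.
// The table "accounts", the GUID and all sample values are constructed.
const GUID_RE = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;
const LOGICAL_NAME_RE = /^[a-z][a-z0-9_]*$/i;

function assertGuid(id) {
  if (typeof id !== "string" || !GUID_RE.test(id)) throw new Error("invalid record id");
  return id.toLowerCase();
}

function assertLogicalName(name) {
  if (typeof name !== "string" || !LOGICAL_NAME_RE.test(name)) throw new Error("invalid logical name");
  return name.toLowerCase();
}

// OData string literals are single-quoted; a quote inside the value is doubled.
function odataString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// method: GET | POST | PATCH | DELETE
// opts: { token, id, body, select: [columns], filter: { column, value } }
// filter renders as "column eq 'value'"; the browser percent-encodes the spaces.
function buildRequest(method, table, opts) {
  if (!opts || !opts.token) throw new Error("token is required");
  const type = method.toUpperCase();
  let url = "/_api/" + assertLogicalName(table);
  if (type === "PATCH" || type === "DELETE") url += "(" + assertGuid(opts.id) + ")";
  if (type === "GET") {
    const query = [];
    if (opts.select) query.push("$select=" + opts.select.map(assertLogicalName).join(","));
    if (opts.filter) {
      query.push("$filter=" + assertLogicalName(opts.filter.column) + " eq " + odataString(opts.filter.value));
    }
    if (query.length) url += "?" + query.join("&");
  }
  const headers = { "Authorization": "Bearer " + opts.token, "OData-MaxVersion": "4.0", "OData-Version": "4.0" };
  if (type === "GET") headers["Accept"] = "application/json";
  if (type === "POST" || type === "PATCH") headers["Content-Type"] = "application/json";
  const req = { type: type, url: url, headers: headers };
  if (opts.body !== undefined) req.data = JSON.stringify(opts.body);
  return req;
}
// Plugs into the page's pattern:
// getToken(function (token) { $.ajax(buildRequest("PATCH", "accounts",
//   { token: token, id: recordId, body: { telephone1: "9876543210" } })); });
```

A 400 from the Web API on a rejected value is replaced by a client-side error before the request is sent, which keeps malformed identifiers and quote characters out of the Network tab you inspect in section 6.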

6. Debugging Tips

  • Use browser developer tools (Network tab) to inspect requests and responses.
  • If receiving 403 Forbidden, double-check:
    • Table permissions
    • Web Role assignment
    • Token configuration

7. Advanced Concepts

  • Batch Requests: You can combine multiple operations in a single API call.
  • Navigation Properties: Use $expand to retrieve related records.
  • Filtering Data: Use $filter, $top, $orderby, etc., for advanced queries.
  • Custom APIs: Extend Dataverse with custom API for logic you want to centralize.
