Role-based access control in portals


Role-Based Access Control (RBAC) is a foundational security concept in Power Pages portals (formerly Power Apps portals). It allows organizations to control who can access what content on a portal by assigning roles to authenticated users and configuring access permissions on portal components like web pages, lists, forms, and tables.

This guide breaks down RBAC in Power Pages step-by-step, including key components, setup process, examples, and best practices.


1. What is Role-Based Access Control (RBAC)?

RBAC is a method of limiting access based on the roles assigned to portal users. Roles define what actions a user is permitted to perform, such as viewing pages, submitting forms, or accessing data.

In Power Pages:

  • A Web Role is assigned to a Contact (portal user).
  • Web Roles are linked to access rules on web pages, forms, lists, and Dataverse tables.

2. Core Components of RBAC in Power Pages

Here are the primary building blocks involved in portal RBAC:

Component                    Description
Web Role                     A named role (e.g. Admin, Member, Guest) that contacts are assigned to and that permissions are attached to.
Contact                      The Dataverse record that represents a portal user.
Authenticated Users          Users who have signed in through an identity provider such as Azure AD B2C. A web role flagged "Authenticated Users Role" is applied to all of them automatically.
Anonymous Users              Users who have not signed in. A web role flagged "Anonymous Users Role" is applied to them.
Table (Entity) Permissions   Control what a web role may do with rows of a Dataverse table (Read, Write, Create, Delete, Append, Append To) and within which scope. This is the layer that actually protects data. Older portal versions call them Entity Permissions.
Page Permissions             Web page access control rules that restrict who can read a page (and, with the All Content scope, its child pages and files). They hide content; they do not protect the underlying table data.
Basic Forms and Lists        Render and edit table data. Each form or list has a setting that makes it enforce table permissions; with that setting off, no per-user check is applied to what the component reads or writes.

3. Types of Web Roles

Web Role Type              Description
Authenticated Users Role   A web role with this flag set is applied automatically to every signed-in user. Use it for the baseline permissions that all members get.
Anonymous Users Role       A web role with this flag set is applied to visitors who are not signed in. Keep it read-only; anything granted here is reachable by anyone on the internet.
Custom Roles               Roles you create (e.g. Students, Managers) with neither flag set. They apply only to the contacts you explicitly assign them to.

4. How RBAC Works in Power Pages

Step-by-step workflow:

  1. A user accesses your Power Pages portal.
  2. If the page requires authentication, the user signs in through the configured identity provider, and the portal matches that identity to a Contact record in Dataverse (creating one on first sign-in).
  3. Web Roles are assigned to that Contact, manually or automatically (the default Authenticated Users role plus any custom roles).
  4. The Web Roles carry page access control rules and table permissions.
  5. The portal enforces them on every page, list, form and Web API request.

5. Setting Up Role-Based Access in Power Pages

Step 1: Create Web Roles

  1. Go to Portal Management App (not the Design Studio).
  2. Navigate to Web Roles.
  3. Click New and define the name (e.g., Admin, RegisteredUser).
  4. Set Authenticated Users Role to Yes only on the single role that every signed-in user should receive by default, and Anonymous Users Role to Yes only on the single role for visitors who are not signed in. A custom role such as Admin gets neither flag; otherwise it is handed to everyone.
  5. Save the role.

Step 2: Assign Web Roles to Users (Contacts)

  1. Navigate to Contacts in the Portal Management App.
  2. Open a specific contact record.
  3. Go to the Web Roles subgrid.
  4. Click + Add Existing Web Role and select the appropriate role.
  5. Save the contact.

You can automate role assignment via Power Automate based on domain, registration form, etc.


Step 3: Apply Web Roles to Web Pages

  1. Go to Web Pages in the Portal Management App.
  2. Open the page you want to secure.
  3. Under Access Control Rules (Web Page Access Control Rules), create a new rule:
    • Right: Restrict Read, so that only the listed roles can view the page. (Grant Change instead lets the listed roles edit the page's content.)
    • Scope: All Content to cover child pages and web files too, or Exclusive to Web Page for this page only.
    • Add the Web Roles that are allowed. A Restrict Read rule with no roles locks the page for everyone.
  4. Save and publish.

Step 4: Configure Entity Permissions

For table-level security (Dataverse tables like “Courses”, “Jobs”, “Applications”):

  1. Go to Entity Permissions in the Portal Management App.
  2. Click New and fill in:
    • Name
    • Table (e.g., “Case”)
    • Scope: Global (every row), Contact (rows whose chosen contact lookup is the signed-in user), Account (rows whose chosen account lookup is the user's parent account), Self (the user's own contact row) or Parent (rows reachable through a relationship from another table permission).
    • Privileges: Read, Write, Create, Delete, Append, Append To. There is no separate "Update"; Write covers it.
  3. Assign the Web Role.
  4. Save and publish.

This controls what a role may do with the data itself (read-only, editable, deletable) and which rows it can see at all. Lists, basic forms and the portal Web API all apply these permissions, so this is the layer that has to be right.
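To make the scope rules concrete, here is a small evaluator that mimics how a contact's web roles and their table permissions decide what the portal shows. It is an added example, not Microsoft's code or part of this page; the support-portal data (contacts, tickets, role names, the customerid and accountid lookup columns) is constructed, permissions from several roles are treated as additive as they are in the portal, and the Parent scope is left out.

```python
"""Toy evaluator for Power Pages table permissions (added example).

Models Global, Contact, Account and Self scopes with Read/Write/Create/
Delete privileges for a support portal. All names and rows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TablePermission:
    table: str
    scope: str              # "Global", "Contact", "Account" or "Self"
    privileges: frozenset   # subset of {"Read", "Write", "Create", "Delete"}
    # Assumed lookup columns the Contact and Account scopes are checked against.
    contact_lookup: str = "customerid"
    account_lookup: str = "accountid"


# --- constructed sample data ---------------------------------------------
CONTACTS = {  # contactid -> contact row
    "alice": {"parentcustomerid": "acme"},
    "bob":   {"parentcustomerid": "acme"},
    "carol": {"parentcustomerid": "globex"},
    "dave":  {"parentcustomerid": None},   # internal support agent
}
TABLES = {
    "incident": {
        "t1": {"customerid": "alice", "accountid": "acme"},
        "t2": {"customerid": "bob",   "accountid": "acme"},
        "t3": {"customerid": "carol", "accountid": "globex"},
    },
    "contact": {cid: {"customerid": cid, "accountid": c["parentcustomerid"]}
                for cid, c in CONTACTS.items()},
}
ROLE_MEMBERS = {  # contactid -> web roles; anonymous visitors have none
    "alice": {"Customer"},
    "bob":   {"Customer", "AccountAdmin"},
    "carol": {"Customer"},
    "dave":  {"SupportAgent"},
}
RW = frozenset({"Read", "Write"})
WEB_ROLES = {
    "Customer":     [TablePermission("incident", "Contact", RW | {"Create"}),
                     TablePermission("contact",  "Self",    RW)],
    "AccountAdmin": [TablePermission("incident", "Account", RW)],
    "SupportAgent": [TablePermission("incident", "Global",  RW)],
}
# The failure mode the text warns about: the customer role widened to Global.
LEAKY_ROLES = dict(WEB_ROLES,
                   Customer=[TablePermission("incident", "Global", RW)])


def _in_scope(perm, contact_id, row_id, row):
    """Does this permission's scope cover the row for this contact?"""
    if perm.scope == "Global":
        return True
    if perm.scope == "Self":
        return perm.table == "contact" and row_id == contact_id
    if perm.scope == "Contact":
        return row.get(perm.contact_lookup) == contact_id
    if perm.scope == "Account":
        account = CONTACTS[contact_id]["parentcustomerid"]
        return account is not None and row.get(perm.account_lookup) == account
    raise ValueError(f"unknown scope {perm.scope}")


def can(contact_id, privilege, table, row_id, roles=WEB_ROLES):
    """True if any of the contact's web roles grants `privilege` on the row."""
    row = TABLES[table][row_id]
    for role in ROLE_MEMBERS.get(contact_id, set()):
        for perm in roles.get(role, []):
            if (perm.table == table and privilege in perm.privileges
                    and _in_scope(perm, contact_id, row_id, row)):
                return True
    return False


def visible_rows(contact_id, table, roles=WEB_ROLES):
    """The rows a list on the portal would render for this contact."""
    return {rid for rid in TABLES[table]
            if can(contact_id, "Read", table, rid, roles)}


if __name__ == "__main__":
    for who in ("alice", "bob", "dave", None):
        print(who, sorted(visible_rows(who, "incident")))
    print("alice if Customer were Global:",
          sorted(visible_rows("alice", "incident", LEAKY_ROLES)))
```

Alice (Contact scope) sees only t1, Bob (Account scope through AccountAdmin) sees acme's two tickets, Dave (Global) sees everything, and an anonymous visitor sees nothing. The LEAKY_ROLES variant shows what a single wrong scope does: Alice suddenly reads every customer's tickets, which no page permission or Liquid check would prevent.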


Step 5: Secure Forms and Lists

Basic forms and lists do not carry their own list of web roles. They enforce the table permissions of the user's roles, provided the component is set to do so.

For Basic Forms (Entity Forms):

  1. Go to Basic Forms.
  2. Open the form you want to secure.
  3. Make sure Enable Table Permissions is set, and check the form mode (Insert, Edit, Read Only) against the privileges the intended roles actually hold.

For Lists (Entity Lists):

  1. Go to Lists.
  2. Open the list you want to secure.
  3. Make sure Enable Table Permissions is set. The list then returns only rows within the scope of the user's table permissions.

Earlier portal versions made this setting opt-in, so a form or list left with it off showed data to anyone who could reach the page. Check it on every form and list that touches real data.

6. Use Cases of RBAC in Portals

Use Case                  Description
Student Portal            Only students can submit assignments; teachers can view all submissions.
Job Application Portal    Anonymous users can browse jobs; registered users can apply.
Support Portal            Customers can view only their own tickets (Contact scope); support agents see all of them (Global scope).
Membership Portal         Members access exclusive content; guests only see public information.

7. Best Practices for RBAC in Power Pages

  • Use Descriptive Web Role Names (e.g., SupportAgent, PremiumMember)
  • Apply Least Privilege Principle – Give only the access needed.
  • Use Entity Permissions Instead of Filtering Records in Code.
  • Avoid Relying Only on Web Page Visibility – Secure data at the entity level.
  • Automate Role Assignment during sign-up or via flows.
  • Test each role using test accounts before go-live, including a signed-out session, and try direct page URLs and Web API calls rather than only the navigation the role is shown.

8. Advanced Tips

  • Hierarchy of Permissions: an access control rule with the All Content scope is inherited by child pages and web files, so one rule on a parent page secures a whole section, and tighter rules can be added further down.
  • Page Templates & Layouts: use conditional Liquid ({% if user.roles contains 'Admin' %} ... {% endif %}) to show or hide UI elements.
  • Use Liquid to Check Role:
    {% if user.roles contains 'Manager' %} <a href="/manager-dashboard">Manager Dashboard</a> {% endif %}
    This only hides the link. The dashboard page still needs its own access control rule, and the data behind it still needs table permissions, because anyone can type the URL or call the Web API directly.
  • Audit Roles Regularly: especially when user access is time-bound.

9. Troubleshooting Access Issues

Issue                       Cause                                                          Solution
Page not visible            Web role not assigned, or the access control rule lists no roles   Check the contact's web roles and the page's rule (right, scope, roles)
Data not showing            Missing table permissions                                      Create table permissions with the right scope and assign them to the web role
Access denied error         Role not mapped, or wrong scope or privilege                   Check the scope (Contact vs Account vs Global) and that the privilege the form mode needs is granted
Forms/Lists not appearing   Incorrect permissions                                          Verify the form or list enforces table permissions and that the page itself is readable by the role
Too much data showing       Scope wider than intended (Global where Contact was meant), or the permission sits on the Anonymous Users role   Narrow the scope and remove the permission from the anonymous role
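The troubleshooting rows above and the "audit roles regularly" tip both come down to reading the configuration for a handful of known-bad patterns. The lint below does that offline; it is an added example, not this page's or Microsoft's tooling. It assumes the web roles, table permissions, page access control rules, and forms and lists have been exported (for instance from a pac pages download or a Dataverse query) into the simplified dict shape of SAMPLE_CONFIG, which is constructed here with the field names as plain assumptions rather than Dataverse schema names.

```python
"""Offline lint for a Power Pages role/permission export (added example).

Flags: a role that is default for both signed-in and anonymous users,
write privileges reachable by the anonymous role, Global-scope Delete,
permissions with no role attached, Restrict Read rules with no roles,
and forms or lists that do not enforce table permissions.
SAMPLE_CONFIG and its field names are constructed for the example.
"""

SAMPLE_CONFIG = {
    "web_roles": [
        {"name": "Authenticated Users", "authenticated_default": True,  "anonymous_default": False},
        {"name": "Anonymous Users",     "authenticated_default": False, "anonymous_default": True},
        {"name": "SupportAgent",        "authenticated_default": False, "anonymous_default": False},
        {"name": "Everyone",            "authenticated_default": True,  "anonymous_default": True},  # misconfigured
    ],
    "table_permissions": [
        {"name": "Job listings", "table": "job",         "scope": "Global",
         "privileges": {"Read"},                      "roles": {"Anonymous Users"}},
        {"name": "Apply",        "table": "application", "scope": "Global",
         "privileges": {"Read", "Create"},            "roles": {"Anonymous Users"}},   # anonymous write
        {"name": "Own tickets",  "table": "incident",    "scope": "Contact",
         "privileges": {"Read", "Write", "Create"},   "roles": {"Authenticated Users"}},
        {"name": "All tickets",  "table": "incident",    "scope": "Global",
         "privileges": {"Read", "Write", "Delete"},   "roles": {"SupportAgent"}},     # global delete
        {"name": "Orphan",       "table": "account",     "scope": "Global",
         "privileges": {"Read"},                      "roles": set()},                # never applies
    ],
    "page_rules": [
        {"page": "/agent-dashboard", "right": "Restrict Read", "roles": {"SupportAgent"}},
        {"page": "/admin",           "right": "Restrict Read", "roles": set()},       # nobody can read it
    ],
    "forms_and_lists": [
        {"name": "Ticket form", "table": "incident", "enforce_table_permissions": True},
        {"name": "Ticket list", "table": "incident", "enforce_table_permissions": False},  # unchecked
    ],
}

# Everything except Read changes data or relationships.
WRITE_PRIVS = {"Write", "Create", "Delete", "Append", "Append To"}


def audit(cfg):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    anon_roles = {r["name"] for r in cfg["web_roles"] if r["anonymous_default"]}

    for r in cfg["web_roles"]:
        if r["authenticated_default"] and r["anonymous_default"]:
            findings.append(("ROLE_BOTH_DEFAULTS",
                             f"web role '{r['name']}' is the default for signed-in and anonymous users"))

    for p in cfg["table_permissions"]:
        writes = set(p["privileges"]) & WRITE_PRIVS
        if p["roles"] & anon_roles and writes:
            findings.append(("ANON_WRITE",
                             f"'{p['name']}' gives anonymous users {sorted(writes)} on {p['table']}"))
        if p["scope"] == "Global" and "Delete" in p["privileges"]:
            findings.append(("GLOBAL_DELETE",
                             f"'{p['name']}' lets {sorted(p['roles'])} delete any {p['table']} row; confirm it is needed"))
        if not p["roles"]:
            findings.append(("UNASSIGNED_PERMISSION",
                             f"'{p['name']}' has no web role and never takes effect"))

    for rule in cfg["page_rules"]:
        if rule["right"] == "Restrict Read" and not rule["roles"]:
            findings.append(("PAGE_RULE_NO_ROLES",
                             f"{rule['page']} is restricted but no role may read it"))

    for c in cfg["forms_and_lists"]:
        if not c["enforce_table_permissions"]:
            findings.append(("FORM_NO_TABLE_PERMS",
                             f"'{c['name']}' on {c['table']} does not enforce table permissions"))
    return findings


def finding_codes(cfg):
    """Sorted finding codes, convenient for a CI gate or a quick diff between exports."""
    return sorted(code for code, _ in audit(cfg))


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"{code:22} {message}")
```

Run against the sample it reports six findings. GLOBAL_DELETE for the support agents may well be intended, which is why the message asks for confirmation rather than declaring a bug; the other five are configuration mistakes that the portal itself never warns about.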
