March 6, 2019 - Flexmind

PowerApps Role Based Security using SharePoint Group & Flow

In this blog, you will learn how to implement role based security in PowerApps controlled by SharePoint Groups. It is straightforward to check user membership in Office 365 group as we have a direct connector available for the same.

Customers keep asking this question that how can we show/hide screens in PowerApps based on user membership in a SharePoint Group. This blog post will show you one approach to find out the SharePoint Group membership of current logged in user and show/hide screen based on the same.

Create a SharePoint Group

Create a SharePoint group and add members that you would want to use for role based security in your PowerApps app & open SharePoint group settings.

Choose everyone under Group settings “Who can view the membership of the group?”.

Why this is required?
Our PowerApps will invoke a Flow to check user membership in a SharePoint group using a SharePoint HTTP REST call. Not all of the users using PowerApps app will have admin privilege to read group membership detail. To allow each user to have read access to group membership it is required to provide “Everyone” access.

Steps to create Flow & invoke it from PowerApps

Create a new flow using blank template.
Add a PowerApps trigger so that we can invoke this Flow from our PowerApps.

Add initialize variable action to create a new variable IsGroupMember(boolean). Add one more initialize variable action & create a new variable MembershipJSONResult(string)

IsGroupMember(boolean) – It will store true or false depending on the user is a member of the SharePoint group.
MembershipJSONResult(string) – It will store JSON payload that we will receive from the REST API call in the next step

Add “Send an HTTP request to SharePoint” action available under SharePoint actions. we will configure this action to make a REST call to SharePoint to determine user group membership.

Site Address: Provide URL of the site where you have created the SharePoint Group
Method: Get
Uri:_api/web/sitegroups/getByName(‘Your-SharePoint-Group-Name‘)/Users?$filter=Email eq ‘[email protected]‘

Note: Above Uri should be updated correctly. Replace ‘Your-SharePoint-Group-Name’ with your SharePoint Group Name. My SharePoint Group Name is “OrgAdmins” so my Uri looks like _api/web/sitegroups/getByName(‘OrgAdmins’)/Users?$filter=Email eq ‘[email protected]’ . After this we will have to replace [email protected] with the email id of current logged in user in PowerApps. To do this remove [email protected] , place your cursor between single quote and click on Ask in PowerApps under Flow Dynamic content as shown here:

After adding variable using Ask in PowerApps

This SharePoint REST call will return an empty object or user properties based on the user is member of OrgAdmins SharePoint group or not:

If User is Member of the SharePoint Group, it will non-empty object & will include user properties:

If user in not a member of the SharePoint group it will return empty object like this:
{ “d”: { “results”: [] }}

Once we have received response from the above SharePoint REST call, we can parse it to get the results. Add a set variable action to set the variable ‘MembershipJSONResult’ created before to expression body(‘CheckUserGroup’)[‘d’][‘results’]

CheckUserGroup is the name of previous action which includes REST call to SharePoint. If your action name has spaces, replace the spaces with underscore (_) character.
Add a condition step to check the results value. If the results object is empty then user is not a member of the group. Use the expression equals(variables(‘MembershipJSONResult’),'[]’) to evaluate the object. ‘MembershipJSONResult’ is the variable used to store the object value and [] compares to an empty object.
Set the variable ‘IsGroupMember’ to false if this condition is true as shown below:

Last step in our Flow would be to send the group membership check result back to PowerApps as an output parameter to show/hide screens/controls. Add “Respond to PowerApps” action and choose a text output. Provide a name IsGroupMember to the output parameter and set value equal to variable “IsGroupMember”

PowerApps Output parameter

This is how the complete Flow will look. Verify that you have not missed any step.

Create PowerApps to call flow

Our Flow is complete and now we should call this flow from PowerApps app. Create a blank screen in PowerApps & rename it as WelcomeScreen. Navigate to OnVisible property of the WelcomeScreen, click on Flows tab –> Add the Flow you created from the right navigation to the formula bar to associate the flow to the ‘OnVisible’ event of the screen.

Type the below function on the ‘OnVisible’ formula bar.

In this above formula, first we are creating a global variable isMember and setting the value equal to the text returned by Flow i.e. True or False. In the next step, we are setting IsVisible boolean equal to true/false based on the text value.

Add a button on the screen and set Visible property of the button to IsVisible variable defined above

If you are interested, I can train your team in PowerApps and Flow anywhere in the world. My workshops are fully hands-on oriented.