PowerApps Governance — Role based app experience / security

A frequent pattern implemented in PowerApps is to have some form of debug buttons or panels that are only displayed when the logged-in user is one of the Makers of the app. This solves the issue of not having access to PowerApps Studio when out in the field testing on a user's device. These controls are also super handy for triggering events in the app when in the Studio itself.

So here is the issue: how best to implement such a frequent pattern so that makers are determined by who is actually a maker on the app, rather than by matching the current user's email to a predefined, hard-coded list of makers?

The hard-coded list tends to be how we Citizen Developers implement this feature. Unfortunately, at enterprise level something more flexible is required for when staff move around in a business or leave. A more flexible approach also supports externally created apps imported into your company.

The old way of doing it, not flexible and hard coded

Not dynamic and a fixed set of data

The boolean variable gloIsMaker is still going to be used in our new implementation, as it is perfect for the Visible property and for triggering XYZ events in your apps.

To the rescue PowerApps Maker Connector!!!

The great thing about this scenario is that you don’t need to be an Admin, a Maker can implement this.
We’re going to call on the PowerAppsforAppMakers Connector.

You are going to need your App ID. To get that, go to Apps in the left-hand menu column of the PowerApps Portal (web.powerapps).

Then select Details from the ellipsis menu of the app you're building.

Copy your App ID (obviously I’ve edited mine, but it should look like a bunch of random numbers, or a GUID).

The code for our solution using the MakerConnector

Paste in this piece of code and add your App ID. Now, no matter who is logged on, anyone with Maker rights will get all of the debugging functionality in the app. No more hard coding!

The ForAll is going to go over all the records in PowerAppsforAppMakers.GetAppRoleAssignment and create a collection with an Email and a Role column. The roles that are returned are Owner, CanEdit and CanView. In this instance we are simply going to treat anyone whose role is not CanView as a maker; however, you could use this to give the Owner further elevated privileges in the app.

Here is the code for a straight copy and paste

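// Email of the signed-in user
Set(gloCurrentUserEmail,User().Email);

// One record per role assignment on the app: who, and which role
ClearCollect(Makers,
 ForAll(PowerAppsforAppMakers.GetAppRoleAssignment("Your App ID Goes Here").value,
 {Email:properties.principal.email,Role:properties.roleName})
);

// Maker = listed on the app and role is anything other than CanView
Set(gloIsMaker,
 And(gloCurrentUserEmail exactin Makers.Email,
 Not(LookUp(Makers,Email=gloCurrentUserEmail).Role="CanView"))
);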
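
The Owner idea mentioned above, as an added example that is not part of the original post's code: it names the elevated roles explicitly instead of excluding CanView, so a blank or unexpected role keeps the debug controls hidden. gloMyRole and gloIsOwner are hypothetical variable names introduced here, and lower-casing both email addresses is an assumption made so the match does not depend on capitalisation.

```powerfx
// Added example, not the original author's code.
// "Your App ID Goes Here" is the same placeholder used above.
// gloMyRole and gloIsOwner are hypothetical names introduced for this example.

// Normalise case so the email match does not depend on how the
// address happens to be capitalised.
Set(gloCurrentUserEmail, Lower(User().Email));

// One record per role assignment on the app, with the email lower-cased.
ClearCollect(Makers,
    ForAll(PowerAppsforAppMakers.GetAppRoleAssignment("Your App ID Goes Here").value,
        {Email: Lower(properties.principal.email), Role: properties.roleName})
);

// Role of the signed-in user; blank when no assignment matches their email.
Set(gloMyRole, LookUp(Makers, Email = gloCurrentUserEmail, Role));

// Allow-list the elevated roles. A blank or unrecognised role gives false,
// so the debug controls stay hidden unless the role is one we expect.
Set(gloIsOwner, gloMyRole = "Owner");
Set(gloIsMaker, Or(gloMyRole = "Owner", gloMyRole = "CanEdit"));
```

gloIsMaker and gloIsOwner only decide what the app displays, for example through a control's Visible property; they do not restrict access to the data sources behind it.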

I hope that was of use. Check out my YouTube videos; I’m going to make a video of this one for us Visual Learners. I get up to a lot of PowerApps chat on Twitter, so if you want to join the party that’s a good place to start :)