Episode 5: Data Sources and Tables
Mastering Dataverse Integration and Security for External Portals
Introduction
The heart of any Power Pages site is its data. Unlike internal applications, external portals require sophisticated security controls to protect organizational data while enabling productive user experiences. This episode teaches you how to configure secure table permissions, design efficient data relationships, and implement robust data access controls that follow the principle of least privilege.
Key Concepts
- Table Permissions: Security rules that control who can read, create, update, and delete records in Dataverse tables
- Entity Relationships: Configured connections between tables that enable complex business scenarios
- Security Roles: Collections of permissions that can be assigned to portal users and contact records
- Portal Security Model: How Power Pages implements a unique security layer on top of Dataverse
Learning Objectives
By the end of this episode, you will be able to:
- Configure secure table permissions following least-privilege principles
- Design efficient data relationships for portal scenarios
- Implement proper data access controls for external users
- Understand the relationship between Dataverse security and Power Pages security
- Troubleshoot common data access issues in portals
Why Data Security Matters in Portals
External portals present unique security challenges. Unlike internal applications where users are typically trusted employees, portals serve external users who should only access data relevant to their specific needs. A customer should see their own orders, not everyone’s orders. A partner should access their own resources, not competitor information.
Step-by-Step Guide
1. Understanding the Portal Security Model
Power Pages implements a multi-layered security approach:
- Dataverse Security: Base-level security applied to all data access
- Portal Table Permissions: Additional portal-specific permissions
- Web Page Access Control: Page-level security rules
- Row-level Security: Record-specific access controls
2. Configuring Table Permissions
-
Navigate to Portal Management:
- Go to the Power Pages design studio
- Select Security > Table permissions
-
Create a New Table Permission:
- Click + New table permission
- Select the target table (e.g., “Case” for support tickets)
- Choose the permission type:
- Global: Access to all records (use sparingly)
- Contact: Access to records owned by the contact
- Account: Access to records owned by the contact’s account
- Self: Access only to the contact’s own record
-
Configure Access Rights:
- Read: Allow viewing records
- Write: Allow updating existing records
- Create: Allow creating new records
- Delete: Allow deleting records (rarely needed for external users)
3. Designing Entity Relationships
For portal scenarios, configure relationships that support common business patterns:
Parent-Child Relationships:
Account (Parent) → Contact (Child) → Case (Grandchild)
Many-to-Many Relationships:
Contact ←→ Product Interest ←→ Product
Lookup Relationships:
Case → Product (What product is this case about?)
Case → Priority Level (What's the urgency?)
4. Implementing Row-Level Security
Use Dataverse security roles in combination with table permissions:
-
Create Custom Security Roles:
- Portal User: Basic read access to public information
- Customer: Access to own account data and cases
- Partner: Access to shared resources and collaboration tools
-
Configure Field-Level Security:
- Mark sensitive fields as secured (e.g., internal notes, pricing)
- Create field security profiles for different user types
- Apply profiles to appropriate security roles
Practical Example: Customer Support Portal
Scenario: TechStart Solutions needs a customer support portal where customers can:
- View their own support cases
- Create new support cases
- Access knowledge base articles
- Update their account information
Table Permission Configuration:
| Table | Permission Type | Access Rights | Scope |
|---|---|---|---|
| Case | Contact | Read, Write, Create | Own cases only |
| Account | Contact | Read, Write | Own account only |
| Contact | Self | Read, Write | Own record only |
| Knowledge Article | Global | Read | All published articles |
| Product | Global | Read | All active products |
Security Implementation:
<!-- Example: Showing only user's own cases -->
{% assign user_cases = entities.case | where: 'customerid', user.contactid %}
{% for case in user_cases %}
<div class="case-summary">
<h3>{{ case.title }}</h3>
<p>Status: {{ case.statuscode.label }}</p>
<p>Created: {{ case.createdon | date: "MMM dd, yyyy" }}</p>
</div>
{% endfor %}
Advanced Security Patterns
Hierarchical Security
For organizations with complex structures:
Corporate Account
├── Division A
│ ├── Department 1 (users see division and department data)
│ └── Department 2
└── Division B
└── Department 3
Time-Based Access
For scenarios requiring temporal security:
- Training materials available only during enrollment periods
- Financial reports accessible only during specific quarters
- Event registration open only during registration windows
Conditional Access
Based on user attributes:
- Premium customers see advanced features
- Certified partners access specialized resources
- Regional users see location-specific content
Troubleshooting Common Issues
Problem: “Access Denied” errors for legitimate users Solution: Check table permissions, security roles, and ensure the user’s contact record has proper account association
Problem: Users see too much data Solution: Review table permission scope and implement more restrictive row-level security
Problem: Related data not displaying Solution: Verify entity relationships are properly configured and permissions exist for related tables
Problem: Performance issues with large datasets Solution: Implement proper indexing, use views with filtering, and consider pagination for large result sets
Security Best Practices
- Principle of Least Privilege: Give users only the minimum access needed
- Regular Access Reviews: Periodically audit who has access to what
- Defense in Depth: Use multiple security layers, not just one
- Audit Trail: Enable auditing to track data access and changes
- Test Thoroughly: Always test security with realistic user scenarios
Summary
Data security in Power Pages requires careful planning and implementation of multiple security layers. By understanding how table permissions, security roles, and entity relationships work together, you create portals that are both functional and secure. Remember that security is not a one-time configuration—it requires ongoing monitoring and adjustment as your business needs evolve.
In the next episode, you’ll use this secure data foundation to create compelling pages that present information effectively using the design studio’s powerful page creation tools.
Before implementing any technical solution, take time to understand your requirements:
- What data needs to be displayed or collected?
- Who are your users and what are their skill levels?
- What security and compliance requirements must you meet?
2. Implementation Best Practices
Follow these proven practices for consistent, maintainable results:
- Start with the simplest solution that meets your needs
- Test thoroughly in a development environment
- Document your configurations for future reference
- Follow the principle of least privilege for security
3. Testing and Validation
Always validate your implementation:
- Test with different user personas and scenarios
- Verify security controls work as expected
- Check performance with realistic data volumes
- Ensure mobile responsiveness and accessibility
Practical Example
Consider a customer support portal where users need to submit and track support tickets. This scenario requires:
- Secure authentication to protect customer data
- Forms for ticket submission with proper validation
- Lists showing ticket history with appropriate filtering
- Proper permissions so users only see their own tickets
By applying the concepts from this episode, you can create a solution that is both functional and secure.
Troubleshooting Tips
- Common Issue 1: Always check your security roles and table permissions if users report access issues
- Common Issue 2: Verify your authentication configuration if users can’t sign in properly
- Common Issue 3: Review your form and list configurations if data isn’t displaying as expected
- Common Issue 4: Check the portal error logs for detailed diagnostic information
Summary
Data security in Power Pages requires careful planning and implementation of multiple security layers. By following the principle of least privilege and understanding how table permissions, security roles, and entity relationships work together, you create a portal that is both functional and secure. In the next episode, you’ll use this secure foundation to start building pages that present and collect data effectively.