Edit

Share via

Column-level security to control access

  • Article

Note

The new and improved Power Platform admin center is now in public preview and on by default! We designed the new admin center to be easier to use, with task-oriented navigation that helps you achieve specific outcomes faster. We'll be publishing new and updated documentation as the new Power Platform admin center moves to general availability.

Manage access to records at the table level using privileges associated with security roles. Some columns in a table might contain data that is more sensitive than others. Use column-level security to manage access to data in specific columns. Column-level security configurations are organization-wide and apply to all data access requests.

You can use column level security to prevent certain users from:

  • Setting the value of a column in a record.
  • Viewing the data in a column. You can choose to mask this value to show a portion of it, or not return any data at all.

Note

To configure column-level security, you need the system administrator role.

Column-level security doesn't apply for users who have the system administrator role. Data is never hidden from system administrators. To verify the configured results, you must use an an account that doesn't have the system administrator security role assigned.

Column-level security is available for most columns using this process:

  1. Enable column-level security on one or more columns for a given table.
  2. Optionally, select a masking rule.
  3. Associate one more existing security profiles, or create one or more new security profiles to grant the appropriate access to specific users or teams.

Enable column security

Use the following steps to secure a column:

  1. Sign in to Power Apps.

  2. Select Solutions.

  3. Select the unmanaged solution that contains the table that has the column, or create a new solution to hold your changes and add the table to it.

  4. Within the solution, in Objects, within Tables, select the table.

  5. Under Schema, select Columns.

    Screenshot showing where to select Columns.

  6. In the Columns list, select a column.

  7. Expand Advanced options, and then under General, select Enable column security.

    Screenshot showing how to expand Advanced options and turn on column security.

  8. Select Save.

Add teams or users to a column security profile to control access

A column security profile determines:

  • Users and teams assigned access.
  • Permissions to the secure columns.

Use a column security profile to grant user or team members the following permissions:

Permission Options Result
Read Allowed
Not Allowed		 Whether people can view the data for the column.
Masked values are shown if masking rule is applied to the column.
Read unmasked All Records
One record
Not Allowed		 When a secured column has a masking rule, a developer can write code to request unmasked data be returned.
This setting controls whether or not that request succeed.
The default setting is Not Allowed.
Learn more about granting permissions to a secured column with a masking rule
Update Allowed
Not Allowed		 Whether people can update the data in the column.
Create Allowed
Not Allowed		 Whether people can set the data in the column when creating a record.

Configure a combination of these four permissions to determine the user privileges for a specific data column.

Important

Unless one or more security profiles are assigned to a column with security, only users with the system administrator security role can access the column. Any users not defined in the column security profiles won't have access to the column on forms or views. The column value displays Lock icon. ********, indicating that the column is secured.

Add a column and set permissions for a column security profile

  1. Sign in to the Power Platform admin center using an account that is assigned the System Administrator security role.
  2. Select the environment to configure security profiles for.
  3. Select Settings > Users + permissions > Column security profiles.
  4. Select an existing profile, or select New Profile, enter a name, enter a description, and then select Save.
  5. Select the Teams or Users tab, select + Add Teams or + Add Users, select the teams or users that you want to control access, and then select Add.
  6. Select the Column Permission tab, in the Name column select one or more columns, and then select Edit. Configure the four properties for the desired access. These permissions control whether people in this security profile can read or set column values.
  7. Select Save.

Which columns can be secured?

When a column is eligible for column-level security, the Enable column security checkbox is enabled in the Advanced options area of the column definition in Power Apps.

Screenshot showing how to enable column security.

You can view this area when you create or edit a column.

Columns that can't be secured include:

  • Columns in virtual tables
  • Lookup columns
  • Formula columns
  • Primary name columns (The single-line of text column each table has to show the value in a lookup field. Typically with a name ending with name.)
  • System columns like createdon, modifiedon, statecode, and statuscode.

Whether the Enable column security checkbox is enabled depends on the value of these column properties: CanBeSecuredForCreate, CanBeSecuredForRead, and CanBeSecuredForUpdate. A developer can write a query to retrieve a list of these columns and you can view this data by installing the Metadata Browser solution described in Browse the Metadata for Your Organization. Learn more about which columns can be secured and how developers can retrieve this data.

Best practices

When a calculated column includes a column that is secured, data might be displayed in the calculated column to users that don't have permission to the secured column. Both the original column and the calculated column should be secured.

Composite columns include data from multiple columns. For example, the contact table fullname and address1_composite columns are composite columns. To completely secure data included in composite columns, you must secure and configure the appropriate column security profiles on multiple columns for the table. For example, to completely secure the address1_composite column, you need to secure all of these the columns that begin with address1_ in both the contact and address (customeraddress) tables.

Note

Changes to column security require a browser refresh from the end user on the client (like a model-driven app) for the changes to take effect. This should be considered when dynamically adjusting access rules.

Enable or disable security for a column to control access
Column-level security example
Hierarchy security