← Back to Tips & Tricks Power Pages

Table Permissions Best Practices

Configure Dataverse table permissions correctly to secure your Power Pages portal data.

Understanding Table Permissions

Table permissions control what data authenticated users can access through your Power Pages site. Without proper permissions, users see nothing.

Permission Components

Scope Types

Global: Access all records (dangerous for sensitive data)
Contact: Records linked to the user's contact record
Account: Records linked to the user's parent account
Parent: Access through a parent record relationship
Self: Only the user's own contact record

Privileges

Read: View records
Write: Update existing records
Create: Add new records
Delete: Remove records
Append: Associate records
Append To: Be associated with other records

Common Patterns

User Sees Only Their Records

Table: Support Cases
Scope: Contact
Relationship: customerid (case → contact)
Privileges: Read, Write, Create

Company-Wide Access

Table: Company Documents
Scope: Account
Relationship: parentaccountid
Privileges: Read

Nested Access (Parent Scope)

// User can see orders...
Table: Orders
Scope: Contact

// ...and order line items through parent
Table: Order Lines
Scope: Parent
Parent: Orders
Relationship: orderid
Privileges: Read

Web Roles

Create web roles to group permissions:

Create a web role (e.g., "Customer", "Partner")
Create table permissions
Link table permissions to web roles
Assign web roles to contacts

Testing Permissions

Always test with a non-admin account
Verify both what users CAN see and what they CAN'T
Test all CRUD operations
Check edge cases (no records, many records)

Security Checklist

Never use Global scope for sensitive data
Grant minimum necessary privileges
Review permissions after table changes
Audit who has which web roles

Start restrictive, then add permissions as needed. It's easier to grant access than to revoke it after a data breach.