Column-level security to control access

Manage access to records at the table level using privileges associated with security roles. Some columns in a table might contain data that is more sensitive than others. Use column-level security to manage access to data in specific columns. Column-level security configurations are organization-wide and apply to all data access requests.

You can use column level security to prevent certain users from:

• Setting the value of a column in a record.
• Viewing the data in a column. You can choose to mask this value to show a portion of it, or not return any data at all.

Note

To configure column-level security, you need the system administrator role.

Column-level security doesn't apply for users who have the system administrator role. Data is never hidden from system administrators. To verify the configured results, you must use an account that doesn't have the system administrator security role assigned.

Column-level security is available for most columns using this process:

1. Enable column-level security on one or more columns for a given table.
2. Optionally, select a masking rule.
3. Associate one more existing security profiles, or create one or more new security profiles to grant the appropriate access to specific users or teams.

Enable column security

Use the following steps to secure a column:

1. Sign in to Power Apps.

2. Select Solutions.

3. Select the unmanaged solution that contains the table that has the column, or create a new solution to hold your changes and add the table to it.

4. Within the solution, in Objects, within Tables, select the table.

5. Under Schema, select Columns.

   

6. In the Columns list, select a column.

7. Expand Advanced options, and then under General, select Enable column security.

   

8. Select Save.

Add teams or users to a column security profile to control access

A column security profile determines:

• Users and teams assigned access.
• Permissions to the secure columns.

Use a column security profile to grant user or team members the following permissions:

Permission	Options	Result
Read	Allowed Not Allowed	Whether people can view the data for the column. Masked values are shown if masking rule is applied to the column.
Read unmasked	All Records One record Not Allowed	When a secured column has a masking rule, a developer can write code to request unmasked data be returned. This setting controls whether or not that request succeeded. The default setting is Not Allowed. Learn more about granting permissions to a secured column with a masking rule
Update	Allowed Not Allowed	Whether people can update the data in the column.
Create	Allowed Not Allowed	Whether people can set the data in the column when creating a record.

Configure a combination of these four permissions to determine the user privileges for a specific data column.

Important

Unless one or more security profiles are assigned to a column with security, only users with the system administrator security role can access the column. Any users not defined in the column security profiles won't have access to the column on forms or views. The column value displays ********, indicating that the column is secured.

Add a column and set permissions for a column security profile

To add a column and set permissions for a column security profile, use the following steps:

New admin center

1. Sign in to the Power Platform admin center.
2. Select Manage in the navigation pane.
3. In the Manage pane, select Environments. Then select an environment.
4. Select Settings > Users + permissions > Column security profiles.
5. Select an existing profile, or select New Profile, enter a name, enter a description, and then select Save.
6. Select the Teams or Users tab, select + Add Teams or + Add Users, select the teams or users that you want to control access, and then select Add.
7. Select the Column Permission tab, in the Name column select one or more columns, and then select Edit. Configure the four properties for the desired access. These permissions control whether people in this security profile can read or set column values.
8. Select Save.

Classic admin center

1. Sign in to the Power Platform admin center using an account that is assigned the System Administrator security role.
2. Select the environment to configure security profiles for.
3. Select Settings > Users + permissions > Column security profiles.
4. Select an existing profile, or select New Profile, enter a name, enter a description, and then select Save.
5. Select the Teams or Users tab, select + Add Teams or + Add Users, select the teams or users that you want to control access, and then select Add.
6. Select the Column Permission tab, in the Name column select one or more columns, and then select Edit. Configure the four properties for the desired access. These permissions control whether people in this security profile can read or set column values.
7. Select Save.

Which columns can be secured?

When a column is eligible for column-level security, the Enable column security checkbox is enabled in the Advanced options area of the column definition in Power Apps.

You can view this area when you create or edit a column.

Columns that can't be secured include:

• Columns in virtual tables
• Lookup columns
• Formula columns
• Primary name columns (The single-line of text column each table has to show the value in a lookup field. Typically with a name ending with name.)
• System columns like createdon, modifiedon, statecode, and statuscode.

Note

• File and Image data types can be secured, but they can't be masked.
• Text data type with Rich text format can be secured, but an embedded image in Rich text can't be masked or bypassed for masking.

Whether the Enable column security checkbox is enabled depends on the value of these column properties: CanBeSecuredForCreate, CanBeSecuredForRead, and CanBeSecuredForUpdate. A developer can write a query to retrieve a list of these columns and you can view this data by installing the Metadata Browser solution described in Browse the Metadata for Your Organization. Learn more about which columns can be secured and how developers can retrieve this data.

Best practices

When a calculated column includes a column that is secured, data might be displayed in the calculated column to users that don't have permission to the secured column. Both the original column and the calculated column should be secured.

Composite columns include data from multiple columns. For example, the contact table fullname and address1_composite columns are composite columns. To completely secure data included in composite columns, you must secure and configure the appropriate column security profiles on multiple columns for the table. For example, to completely secure the address1_composite column, you need to secure all of these the columns that begin with address1_ in both the contact and address (customeraddress) tables.

Note

Changes to column security require a browser refresh from the end user on the client (like a model-driven app) for the changes to take effect. This should be considered when dynamically adjusting access rules.

Related information

Enable or disable security for a column to control access Column-level security example Hierarchy security