Impersonate a user in Power Virtual Agents

In this article I am going to show you how to use impersonation in a Power Virtual Agent. In this example the bot shows only the account records from Dynamics 365 Sales that the logged-on Sales user has access to.

Original request

Another challenge from the Power Users community 🙂

How can we restrict access for the sales user so that they can't see others' records while chatting in PVA?

Power Users Community thread: Restrict sales user form accessing records which is not shared or assigned to user.

Microsoft Dataverse

You could call the Microsoft Dataverse Web API from an HTTP request action and set the CallerObjectId header. Microsoft has a nice article on this called How to impersonate a user. The value to send in that request is the Azure Active Directory (AAD) object ID of the user interacting with the PVA chatbot.

Delegation for Jane Doe

In this example we have Jane Doe, who only has access to two accounts.
allaccounts_janedoe

Without delegation, an admin or the same HTTP request would typically show the list below.

allaccounts_serviceaccount

Setup Authentication

Before you start with the Power Automate flow and the Power Virtual Agent setup, make sure you enable authentication for your Power Virtual Agent. Otherwise you cannot retrieve the user ID of the person who is interacting with the bot.

pvabotauth

Also don’t forget to register an app in Azure Active Directory; you will need it for the HTTP action in the flow. As mentioned earlier, Elaiza Benitez has written a nice blog post about this, How to authenticate as an application with Microsoft Graph API with flow.

The flow steps


1. Create a flow with a When Power Virtual Agents calls a flow trigger action. Add a text UserID input field to that action.
userid_input

2. Add three Initialize variable actions. Below is a table with the name, type and value for each of the variables.

Name            Type    Value
EnvironmentUrl  String  https://yourorg.crm11.dynamics.com
Entity          String  accounts
MarkDownTable   String  | AccountNumber | Name |

environmenturl

3. Add an Append to string variable action. Use the characters below as a separator between the headers and the rows of the table.

separatemarkdown
4. Add an HTTP action. Use the GET method to interact with the Microsoft Dataverse Web API. Use the input settings from below.

getdataverserecordswithimpersonation
5. Add an Apply to Each action. Use the value collection for the Select an output from previous steps field.

applytoeach_bodyvalue

6. Add another Append to string variable action within the Apply to Each action.
In this action the account number and the account name are appended as a row to the table.
appendtostringvariable_row

7. Add a Return value(s) to Power Virtual Agents action.
listrecords_marktdowntable
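
The request and table-building logic of the flow steps above, as an added Python example that is not the article's own code. The API version v9.2, the `$select` columns, the separator row, the function names, the GUID check and the pipe escaping are assumptions of this example; the GUID and response body are constructed sample data.

```python
import uuid
from urllib.parse import urlencode

# Values from the article's Initialize variable table
ENVIRONMENT_URL = "https://yourorg.crm11.dynamics.com"
ENTITY = "accounts"
HEADER_ROW = "| AccountNumber | Name |"
SEPARATOR_ROW = "|---|---|"  # assumption: the article shows its separator only in a screenshot


def build_impersonated_request(user_id, access_token):
    """Return (url, headers) for a GET that Dataverse evaluates as user_id."""
    # Reject anything that is not a GUID so malformed bot input never reaches the header
    caller = str(uuid.UUID(user_id))
    query = urlencode({"$select": "accountnumber,name"}, safe="$,")
    url = f"{ENVIRONMENT_URL}/api/data/v9.2/{ENTITY}?{query}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
        "CallerObjectId": caller,  # AAD object ID of the chat user (Bot.UserId)
    }
    return url, headers


def cell(value):
    # Escape pipes and flatten newlines so record data cannot break the table layout
    text = "" if value is None else str(value)
    return text.replace("|", "\\|").replace("\r", " ").replace("\n", " ")


def to_markdown_table(body):
    rows = [HEADER_ROW, SEPARATOR_ROW]
    for record in body.get("value", []):
        rows.append(f"| {cell(record.get('accountnumber'))} | {cell(record.get('name'))} |")
    return "\n".join(rows)


# Constructed sample response, shaped like a Web API collection result
SAMPLE_BODY = {"value": [
    {"accountnumber": "ACC-001", "name": "Contoso | EMEA"},
    {"accountnumber": None, "name": "Fabrikam"},
]}

if __name__ == "__main__":
    url, headers = build_impersonated_request("{6F9619FF-8B86-D011-B42D-00C04FC964FF}", "<access-token>")
    print(url, headers["CallerObjectId"], sep="\n")
    print(to_markdown_table(SAMPLE_BODY))
```

Dataverse honours the header only when the calling application user holds the Act on Behalf of Another User privilege, so the app registration should carry that privilege and nothing broader than the flow needs.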

The bot steps

accounts_topic_salesbot

1. Create a new blank topic.

topicaccounts

2. Give it a name, in this case Accounts. Add some trigger phrases; these are how you interact with your topic. Save it and go to the authoring canvas.

3. Add a Call an action step. Select the flow you created earlier. Make sure you map Bot.UserId to the UserID input field of the flow.

botuserid_mapping

4. Add a message action. Use the ListRecords variable in the body of the message.

markdowntable_listrecords

Testing the final result

You can publish the bot to the Microsoft Teams channel.

After that you can test it with Jane Doe. As you can see it will only list two accounts instead of all 5 accounts.

janedoelistmyrecords

Happy testing!
