Security in Power Pages is built on layers. Understanding this hierarchical model is essential for implementing secure customer portals.
This guide visualizes how administrators, custom roles, authenticated users, anonymous visitors, and system components work together.
The Security Hierarchy
Level 1: Administrator
Web role with explicit permissions - Not automatic admin access!
Level 2: Custom Roles
Partner, customer, department-specific roles with table permissions
Level 3: Authenticated Users
All logged-in users (implicit "Authenticated Users" role)
Level 4: Anonymous Users
Public visitors without login - limited access
System Layer
Web API, Forms, Lists, Liquid templates - all respect permissions
Key Security Concepts
Web Roles
Define user groups (Partner, Customer, Admin)
- Assigned to Contact records
- A user can hold multiple roles
- Permissions are cumulative
Table Permissions
Control data access per role
- Global, Contact, Account, Self scopes
- Create, Read, Write, Delete access
- Column-level security available
Critical: Administrator Role Misconception
The "Administrator" web role is just a name - it has no special privileges. All data access requires explicit table permissions, just like any custom role. Always use specific scopes (Contact/Account) over Global scope whenever possible.
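A simplified model of the rules above, added here as an illustration (it is not Power Pages' own code or evaluation logic): a web role is only a name, access comes from the table permissions attached to it, and a user's access is the union across all roles held. The table names, sample permissions and function names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TablePermission:
    role: str              # web role the permission is attached to
    table: str             # table the permission applies to
    scope: str             # "Global", "Contact", "Account" or "Self"
    privileges: frozenset  # subset of {"Create", "Read", "Write", "Delete"}

# Constructed sample configuration. Note: no entry for "Administrator".
PERMISSIONS = [
    TablePermission("Partner", "incident", "Account", frozenset({"Read"})),
    TablePermission("Customer", "incident", "Contact", frozenset({"Read", "Create"})),
    TablePermission("Authenticated Users", "contact", "Self", frozenset({"Read", "Write"})),
    TablePermission("Anonymous Users", "knowledgearticle", "Global", frozenset({"Read"})),
]

def user_roles(assigned, authenticated):
    """Roles assigned on the Contact record plus the implicit role for the session."""
    implicit = "Authenticated Users" if authenticated else "Anonymous Users"
    return set(assigned) | {implicit}

def effective_privileges(roles, table, permissions=PERMISSIONS):
    """Cumulative privileges per scope: the union over every role the user holds."""
    granted = {}
    for p in permissions:
        if p.role in roles and p.table == table:
            granted.setdefault(p.scope, set()).update(p.privileges)
    return granted

def global_scope_findings(permissions=PERMISSIONS):
    """Review list: every (role, table) pair granted at Global scope."""
    return [(p.role, p.table) for p in permissions if p.scope == "Global"]

if __name__ == "__main__":
    admin = user_roles(["Administrator"], authenticated=True)
    # The role name grants nothing: no table permission references it.
    print("Administrator on incident:", effective_privileges(admin, "incident"))
    # Only the implicit Authenticated Users permission applies.
    print("Administrator on contact:", effective_privileges(admin, "contact"))
    both = user_roles(["Partner", "Customer"], authenticated=True)
    print("Partner + Customer on incident:", effective_privileges(both, "incident"))
    print("Global scope to review:", global_scope_findings())
```
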