How to: verify principle object access directly from the Flow

By | November 15, 2020

If you ever tried using “List Records” action with the POA table (principalobjectaccess), you might have noticed it’s not showing up in the dropdown list:


However, it’s easy to solve. You just need to know the “set” name for that table (which is “principalobjectaccessset”), and, then, you can enter that name as a custom value:


How would you know it’s supposed to be principalobjectaccessset? One option would be to open XrmToolBox and use metadata browser to figure it out:


Or you might just read this post, of courseSmile

Anyway, once that’s done, you can create a Flow similar to this one to get all POA records for a random contact (you’d need to define filter conditions to work with a specific contact record. This is just an example, so I’m using Top Count = 1 instead:


From there, you can iterate through the POA records and see if there is one that grants “write” access:


Now there is a math trick there. There are no bitwise operators in Power Automate flows, and “access mask” is, essentially, an integer where every “bit” corresponds to a certain permission.

“Write” access is granted in the second bit, which means we could just divide access mask by 2 to move that second bit to the first place, then use mod to divide by 2 again and see the remainder.

If the remainder is 0, there is no “write” permission.

If the remainder is 1, there is “write” permission.

In other words, my sample Flow above is using the following expression in the condition step:

mod(div(outputs(‘AccessRightMask’), 2), 2)

Depending on the permission you wanted to check, you might have to divide by 2 a few more times before using mod and looking at the remainder (check this post, for example, for the meaning of each bit:

Have fun!

One thought on “How to: verify principle object access directly from the Flow

Leave a Reply

Your email address will not be published. Required fields are marked *