Nonprofits

Security and Permissions Checklist

Use this checklist to confirm that Volunteer Engagement exposes only the data it should. Changes to anonymous access, table permissions, Web API fields, or web roles are security-sensitive. For background, see Power Pages security.

Web roles

• The site has one Anonymous Users role and one Authenticated Users role.
• Custom roles are assigned only where needed.

See Create and assign web roles.

Table permissions

• Every table used by the site has a matching table permission.
• Anonymous access is granted only to public opportunity data.
• Profile and participation data use self- or contact-scoped access for authenticated users.

See Configure table permissions and Assign table permissions.

Web API

• Each table used through /_api has Webapi/<table>/enabled and Webapi/<table>/fields set.
• Field lists expose only the columns the site needs.

See Portals Web API overview.

Site visibility and authentication

• Site visibility is set correctly (private during development, public for go-live).
• Identity providers and registration settings match your access policy.

See Site visibility in Power Pages and Set up site authentication.

After changes

• Run npm run permissions:patch-roles if table-permission role assignments changed.
• Run npm run powerpages-site-agent:patch-roles if the Power Pages site agent web roles changed.
• Re-validate anonymous and authenticated flows.

For deployment steps, see the Deployment Checklist.

This site is open source. Improve this page.