Similar to what I explained using Dataverse C# Plugins in my previous posts, sometimes people add business logic in standard forms or custom forms using JavaScript, but this is not enough to prevent certain updates (if the user modifies the DOM or calls the Web API directly,y they could be bypassed).
For basic logic scenarios, we can also use Dataverse business rules to prevent updates from Power Pages, too.
What are business rules?
Dataverse business rules provide a no-code way to apply logic such as display error messages, show or hide fields in a form and set field values directly within Dataverse tables, without needing custom plugins or JavaScript. However, the scope and complexity we can achieve with business rules will be more basic compared to what we can do with custom code.
Business rules can run on the server side (when we set them with “Entity” scope), or in the forms (client side). When we configure them to have “Entity” scope, they will be triggered regardless of where the update came from (Power Pages, Power Automate, Power Apps), and this is how we are going to show error messages based on updates from Power Pages.
Create and enable business rules
From the table within your solution, go to Business rules:

Click “New business rule”:

Let the scope as Entity.

For the trigger, use the following (in the example below, we will prevent updates if the status is Completed or Cancelled), and we check if the modified by field contains “# Portals” (default value added for Power Pages Application users)- click apply to confirm:


As an action, add Show Error Message in the Status field (click apply to confirm)

Final layout of the business rule:

Click Activate, and confirm so that the business rule is enabled:

Now, when you try to run creates or updates using this status using the Power Pages Web API it will fail:
Create (post)

Update (patch)

But for the other statuses, it will work fine:
Create (post)

Update (patch)

Conclusion
Remember, we cannot compare previous and current values, so this will be limited, but it’s an extra and simple option to add validation logic.
While Dataverse business rules aren’t as flexible as C# plugins or custom JavaScript, they offer a lightweight option for basic server-side validations. By leveraging business rules with “Entity” scope, we can enforce logic consistently across different entry points like Power Pages, Power Apps, and Power Automate. It’s a great way to add quick validation enforcements, such as preventing updates based on status, text content, or user type, without writing a single line of code.
Just keep in mind the limitations, for example, the inability to compare previous and current values. It’s also important to note that only business rules set with “Entity” scope will be triggered from Power Pages; rules configured with form scope won’t work with Power Pages, even when using Out-of-the-box forms. Also, we cannot use related entity fields in Business rules.
References:
Define and create business rules in Dataverse – Microsoft Learn
 
[…] post Power Pages: Using Dataverse Business Rules for server-side validation of Web API calls appeared first on […]