1. Verify Site Deployment — Check that

   .powerpages-site

   folder and table permissions exist
2. Gather Configuration — Read all web roles, table permissions, and site code
3. Run Local Schema Validation — Use the shared validator to detect invalid permission/site-setting YAML before deeper analysis
4. Analyze & Discover — Query Dataverse for relationships and lookup columns using deterministic scripts
5. Run Audit Checks — Compare permissions against code usage and best practices
6. Generate Report — Create the HTML audit report and display in browser
7. Present Findings & Track — Summarize findings, record skill usage, and ask user if they want to fix issues

Glob

• **/powerpages.config.json

  — identifies the project root

• **/.powerpages-site/table-permissions/*.tablepermission.yml

  — existing permissions

.powerpages-site

/deploy-site

**/.powerpages-site/table-permissions/*.tablepermission.yml

• entityname

  (permission name)

• entitylogicalname

  (table)

• scope

  (numeric code)

• read

  ,

  create

  ,

  write

  ,

  delete

  ,

  append

  ,

  appendto

  (boolean flags)

• adx_entitypermission_webrole

  (array of web role UUIDs)

• contactrelationship

  ,

  accountrelationship

  (if Contact/Account scope)

• parententitypermission

  ,

  parentrelationship

  (if parent scope)

• Web API calls (

  /_api/

  )
• Lookup bindings (

  @odata.bind

  )
• File uploads (

  uploadFileColumn

  ,

  uploadFile

  ,

  upload*Photo

  ,

  upload*Image

  )

• $expand

  usage (

  $expand

  ,

  buildExpandClause

  ,

  ExpandOption

  )

.datamodel-manifest.json

$expand

$schemaValidation = node "${CLAUDE_PLUGIN_ROOT}/scripts/validate-permissions-schema.js" --projectRoot "<PROJECT_ROOT>"

• error

  findings as critical

• warning

  findings as warning

• info

  findings as info

$envUrl

$schemaValidation = node "${CLAUDE_PLUGIN_ROOT}/scripts/validate-permissions-schema.js" --projectRoot "<PROJECT_ROOT>" --validate-dataverse-relationships --envUrl "$envUrl"

create

write

$lookups = node "${CLAUDE_PLUGIN_ROOT}/skills/audit-permissions/scripts/query-table-lookups.js" --envUrl "$envUrl" --table "<table_logical_name>"

{ logicalName, targets }

1. Source map (table → lookup columns): For each queried table, record which lookup columns it has and their targets. Used in Section H2 to check

   appendto

   on the source table.
2. Reverse target map (target table → list of source tables): For each target table found in any lookup's

   targets

   array, record which source table(s) reference it. Used in Section H to check

   append

   on the target table.

order_item

[{ logicalName: "cr4fc_orderid", targets: ["cr4fc_order"] }]

• Source map:

  order_item → [{ column: "cr4fc_orderid", targets: ["cr4fc_order"] }]

• Reverse target map:

  cr4fc_order → [{ sourceTable: "order_item", column: "cr4fc_orderid" }]

• The source table (with the lookup) needs

  appendto: true

  — it links TO other records (checked via the source map)
• Each target table in

  targets

  needs

  append: true

  — other records link TO it (checked via the reverse target map)

1. Tables referenced in code (from Step 2.3) — these may or may not have permissions
2. Tables with existing permissions (from Step 2.2) — these may or may not be referenced in code

in_progress

• If the table is referenced in code but has no permission → finding:
  • Severity:

    critical

  • Title:

    Missing permission for <table>

  • Reasoning: Which code files reference this table and what operations they perform
  • Fix: Create a permission with the appropriate scope and CRUD flags
• If a permission exists but the table is not referenced in code → finding:
  • Severity:

    info

  • Title:

    Unused permission for <table>

  • Reasoning: The table is not referenced in any source code — the permission may be unnecessary
  • Fix: Review whether this permission is still needed
• If both exist →

  pass

  , proceed to remaining checks

• Check

  adx_entitypermission_webrole

  — if empty or missing → finding:
  • Severity:

    warning

  • Title:

    Permission <name> has no web role association

  • Reasoning: A permission without a web role has no effect — no users will receive this access
  • Fix: Associate with the appropriate web role
• If roles are assigned →

  pass

• Search the service code for scope-relevant patterns: contact-scoped filters (

  getCurrentContactId

  ,

  _contactid_value

  ,

  contactid

  ) and account-scoped filters (

  _accountid_value

  ,

  parentcustomerid

  )
• If Global scope (

  756150000

  ) with

  write

  or

  delete

  enabled → finding:
  • Severity:

    warning

  • Title:

    Global scope with write/delete on <table>

  • Reasoning: Any user with this role can modify/delete any record in this table
  • Fix: Narrow to Contact or Account scope, or remove write/delete if not needed
• If Global scope with only

  read

  →

  pass

  (acceptable for public reference data)
• If code uses contact-scoped filters but permission uses Global → finding:
  • Severity:

    warning

  • Title:

    Scope could be narrower for <table>

  • Reasoning: Code filters by current contact but permission grants Global access
  • Fix: Narrow to Contact scope
• Otherwise →

  pass

read

• Search the service code for GET/list/get patterns for this table: API calls to

  /_api/<entity_set>

  , list/get functions (

  list<TableName>

  ,

  get<TableName>

  )
• If code reads this table but

  read: false

  → finding:
  • Severity:

    critical

  • Title:

    Missing read permission for <table>

  • Reasoning: Code reads from this table but permission does not grant read access
  • Fix: Enable

    read: true

• If

  read: true

  and code reads →

  pass

create

• Search the service code for POST/create patterns: POST method usage (

  method: 'POST'

  ), create functions (

  create<TableName>

  )
• If code creates records but

  create: false

  → finding:
  • Severity:

    critical

  • Title:

    Missing create permission for <table>

  • Reasoning: Code creates records in this table but permission does not grant create access
  • Fix: Enable

    create: true

• If

  create: true

  but no create patterns in code → finding:
  • Severity:

    info

  • Title:

    Create enabled but not used for <table>

  • Reasoning: No create operations found in code — permission may be overly permissive
  • Fix: Consider disabling

    create

    if not needed
• If matched →

  pass

write

• Search the service code for PATCH/update/upload patterns: PATCH method usage (

  method: 'PATCH'

  ), update functions (

  update<TableName>

  ), file upload patterns (

  uploadFileColumn

  ,

  uploadFile

  ,

  upload*Photo

  ,

  upload*Image

  ,

  upload*File

  )
• If code updates records but

  write: false

  → finding:
  • Severity:

    critical

  • Title:

    Missing write permission for <table>

  • Reasoning: Code updates records (or uploads files) in this table but permission does not grant write access
  • Fix: Enable

    write: true

• If file upload patterns found but

  write: false

  → finding:
  • Severity:

    warning

  • Title:

    File upload detected but write is disabled on <table>

  • Reasoning: File uploads use PATCH which requires write permission
  • Fix: Enable

    write: true

• If

  write: true

  but

  read: false

  → finding:
  • Severity:

    warning

  • Title:

    Write enabled without read on <table>

  • Reasoning: Users can modify records they cannot see, which is unusual and likely unintended
  • Fix: Enable

    read: true

• If

  write: true

  but no write patterns in code → finding:
  • Severity:

    info

  • Title:

    Write enabled but not used for <table>

  • Reasoning: No update operations found in code — permission may be overly permissive
  • Fix: Consider disabling

    write

    if not needed
• If matched →

  pass

delete

• Search the service code for DELETE patterns: DELETE method usage (

  method: 'DELETE'

  ), delete functions (

  delete<TableName>

  )
• If code deletes records but

  delete: false

  → finding:
  • Severity:

    critical

  • Title:

    Missing delete permission for <table>

  • Reasoning: Code deletes records in this table but permission does not grant delete access
  • Fix: Enable

    delete: true

• If

  delete: true

  but no delete patterns in code → finding:
  • Severity:

    info

  • Title:

    Delete enabled but not used for <table>

  • Reasoning: No delete operations found in code — permission may be overly permissive
  • Fix: Consider disabling

    delete

    if not needed
• If matched →

  pass

append: true

• Check the reverse target map from Step 3.2: is this table referenced as a lookup target by any other table that has

  create

  or

  write

  permissions?
• Also search the service code for

  @odata.bind

  references to this table's entity set (e.g.,

  /<entity_set>(

  )
• If this table appears in the reverse target map (i.e., another table with create/write has a lookup to this table), but

  append: false

  → finding:
  • Severity:

    critical

  • Title:

    Missing append on <table>

  • Reasoning: Table

    <source_table>

    has lookup column

    <column>

    targeting this table and sets it during create/write. The target table needs append permission so records can be linked to it. Users will see "You don't have permission to associate or disassociate"
  • Fix: Enable

    append: true

• If

  append: true

  and justified →

  pass

• If

  append: true

  but this table does NOT appear in the reverse target map and no code references it as a lookup target → finding:
  • Severity:

    info

  • Title:

    Append enabled but not needed on <table>

  • Reasoning: No other table with create/write has a lookup to this table — append may be unnecessary
  • Fix: Consider disabling

    append

    if not needed

appendto: true

• Check the source map from Step 3.2: does this table have lookup columns?
• Also search the service code for

  @odata.bind

  patterns in create/update calls for this table
• If this table has lookup columns (in source map or code) AND has

  create

  or

  write

  enabled, but

  appendto: false

  → finding:
  • Severity:

    critical

  • Title:

    Missing appendto on <table>

  • Reasoning: This table sets lookup column

    <column>

    targeting

    <target_table>

    during create/write, which requires appendto permission. Users will see "You don't have permission to associate or disassociate"
  • Fix: Enable

    appendto: true

• If

  appendto: true

  and justified →

  pass

756150003

• Verify

  parententitypermission

  references a valid permission ID that exists
• Verify

  parentrelationship

  is a valid Dataverse relationship (if API available, using Step 3.3 results)
• If broken → finding:
  • Severity:

    critical

  • Title:

    Broken parent chain for <permission>

  • Reasoning: The parent permission reference is invalid — this permission will not grant any access
  • Fix: Correct the parent permission ID and/or relationship name
• If valid →

  pass

$expand

• Check the

  $expand

  analysis from Step 2.3 (search site source code for

  $expand

  ,

  buildExpandClause

  ,

  ExpandOption

  )
• If this table is expanded from another table but has no table permission with

  read: true

  for the same web role → finding:
  • Severity:

    critical

  • Title:

    Missing read permission for expanded table <table>

  • Reasoning: This table is fetched via

    $expand

    on

    <parent_table>

    in

    <service_file>

    , but has no read permission. Power Pages enforces table permissions on every entity in the query.
  • Fix: Create a table permission with

    read: true

    for the same web role. For collection-valued expansions (one-to-many), use Parent scope with the relationship name. For single-valued expansions (lookups to reference data), use Global scope with read-only access.
• If properly covered →

  pass

completed

TaskUpdate

1. Append/AppendTo consistency: Using the source map and reverse target map from Step 3.2, verify: (a) every source table (with lookups and create/write) has

   appendto: true

   , (b) every target table in the reverse map has

   append: true

   , (c) no table has

   appendto: true

   without lookup columns in the source map, (d) no table has

   append: true

   without being in the reverse target map
2. $expand coverage: For every

   $expand

   usage, verify the expanded table has

   read: true

3. Parent chain completeness: For every Parent scope permission, verify the parent permission exists and is valid
4. Web role consistency: If two related tables (e.g., parent and child) are accessed by the same feature, verify they share the same web role assignment

TaskList

in_progress

• If working in context of a website (project root with

  powerpages.config.json

  exists): write to

  <PROJECT_ROOT>/docs/permissions-audit.html

• Otherwise: write to the system temp directory

render-audit-report.js

<OUTPUT_DIR>/audit-data.json

{
  "SITE_NAME": "The site name (from powerpages.config.json or folder name)",
  "AUDIT_DESC": "Security audit of table permissions for Contoso Portal",
  "SUMMARY": "2-3 sentence summary of the audit results",
  "FINDINGS_DATA": [/* array of finding objects */],
  "INVENTORY_DATA": [/* array of current permission objects */]
}

{
  "id": "f1",
  "severity": "critical",
  "title": "Missing permission for cra5b_product",
  "table": "cra5b_product",
  "scope": null,
  "permission": null,
  "reasoning": "The table cra5b_product is referenced in src/services/productService.ts with GET requests to /_api/cra5b_products, but no table permission exists for this table.",
  "fix": "Create a table permission with Global scope and read-only access for the Anonymous Users role.",
  "details": "Referenced in: src/services/productService.ts (line 23), src/components/ProductList.tsx (line 45)"
}

• severity

  : One of

  critical

  ,

  warning

  ,

  info

  ,

  pass

• table

  : The table logical name this finding relates to (or

  null

  for general findings)

• scope

  : The current scope if applicable (numeric code or friendly name), or

  null

• permission

  : The permission name if this finding is about an existing permission, or

  null

• reasoning

  : Detailed explanation of why this is an issue — reference specific code files, line patterns, or Dataverse metadata

• fix

  : Actionable suggestion for how to resolve the issue (or

  null

  for

  pass

  findings)

• details

  : Additional context like file references, column names, or relationship details

{
  "name": "Product - Anonymous Read",
  "table": "cra5b_product",
  "scope": "Global",
  "roles": ["Anonymous Users"],
  "read": true,
  "create": false,
  "write": false,
  "delete": false,
  "append": true,
  "appendto": false
}

Reference:

${CLAUDE_PLUGIN_ROOT}/references/skill-tracking-reference.md

--skillName "AuditPermissions"

1. Critical findings count — these need immediate attention
2. Warning findings count — should be addressed
3. Report location — where the HTML file was saved
4. Ask the user using

   AskUserQuestion

   : "Would you like me to fix any of these issues? I can create or update table permissions to resolve the critical and warning findings."

• For 403 / Web API access issues (missing table permissions, missing CRUD flags, incorrect scope, missing append/appendto, missing

  $expand

  read coverage — any finding that would result in a 403 Forbidden response from the Power Pages Web API): Spawn the table-permissions-architect agent using the

  Agent

  tool. Pass it a prompt that includes the specific tables, the required CRUD flags, scope recommendations, and relationship details from the audit findings. The agent will analyze the site, propose a permissions plan, and create the correct table permission YAML files after user approval. Example prompt:

  "Create table permissions for the following tables based on audit findings: <table1> needs Global scope with read:true; <table2> needs Parent scope under <parent_table> with read:true, create:true, append:true; <table3> needs appendto:true for lookups from <source_table>. The site project root is <PROJECT_ROOT>."

• For non-permission issues (e.g., unused permissions, scope narrowing suggestions, informational findings): explain what manual changes are needed or suggest running

  /integrate-webapi

  so the Web API settings architect can address site-setting-level issues.

• Read-only analysis: This skill only reads existing configuration and code. It does NOT modify any files unless the user explicitly asks to fix issues.
• Deterministic API calls: Always use the Node.js scripts (

  query-table-lookups.js

  ,

  query-table-relationships.js

  ) for Dataverse API queries — never use inline PowerShell

  Invoke-RestMethod

  calls.
• No questions during analysis: Autonomously gather all data, run checks, and present findings. Only ask the user at the end about fixing issues.
• Security: Never log or display auth tokens. The scripts handle token acquisition internally via

  getAuthToken()

  .
• Graceful degradation: If Dataverse API scripts fail (exit code 1), skip API-dependent checks (H/H2 append/appendto validation, I parent chain integrity) and note in the report which checks were skipped.