I'm feeling my way forward with permissions in PowerApps. I have a single field that is restricted from "salespeople." If I were to grant permissions to a salesperson to be an environment maker and grant them permissions to edit the app, while they do not have permissions on the level of field level security, will they be granted permissions by virtue of them being an environment maker and/or having permissions to edit the app?
Thanks!
Hi @Medoomi ,
Firstly, I think you have some misunderstanding about the Security Privileges in a PowerApps Environment (with CDS installed). Field Level Security is not supported in a CDS Environment.
Currently, within CDS Environment, there are two types of Security Level supported -- record-level privileges and task-based privileges. Please check the following article for more details:
https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges
Regarding the issue you mentioned, do you want to know if a user who is assigned the "Environment Maker" role has permission to edit the canvas app?
Firstly, the access permission of a canvas app and the access permission of CDS are actually separate. If you want your end users to use your canvas app, you must share your canvas app with them. But that does not mean they can access data in your canvas app.
Actually, a canvas app inherits data access permissions from the data source itself. If these end users want to access data in your shared app, they must also have sufficient permission to your CDS Entity data source (the same mechanism applies to other data sources).
The "Environment Maker" role can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment.
Please check the following article for more details:
https://docs.microsoft.com/en-us/power-platform/admin/database-security#predefined-security-roles
So if your canvas app's data source is a CDS Entity, these end users with the "Environment Maker" Security Role would not be able to access data in your shared app, and could not edit your Entity data using your shared app.
Best regards,
Thank you so much @v-xida-msft !
Maybe to clarify (as I had hoped to use record level security restrictions), I don't understand why this article discusses record level security under the common data service if it is unavailable in CDS: https://docs.microsoft.com/en-us/powerapps/developer/common-data-service/security-model
Apologies for being tedious, but am I really unable to use it in CDS?
Hi @Medoomi ,
Normally, we configure "Record-Level" Security to restrict data access for different users (assigned with a Security Role). If you want to configure Field Security in your custom Entities, the answer is yes, you could configure it. But the prerequisite for configuring Field Level Security is that you must already have record access permission in your Entity.
Firstly, you need to enable the "Field Security" option for specific fields in your CDS Entity, then you need to create a corresponding "Field Security Profile" in your current CDS instance. Please check and see if the following video resource would help in your scenario:
https://www.youtube.com/watch?v=hwEkaGst3Yc
Best regards,