cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Resolver I
Resolver I

Field Level Security - Does Environment Maker override?

I'm feeling my way forward with permissions in PowerApps. I have a single field that is restricted from "salespeople." If I were to grant permissions to a salesperson to be an environment maker & granted them permissions to edit the app, while they do not have permissions on the level of field level security, will they be granted permissions by virtue of them being an environment maker and/or having permissions to edit the app?

thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Community Support
Community Support

Hi @Medoomi ,

Firstly, I think you have some misunderstanding on the Security Privileges in PowerApps Environment (installed CDS). The Field Level Security is not supported in CDS Environment.

Currently, within CDS Environment, there are two types of Security Level supported -- record-level privileges and task-based privileges. Please check the following article for more details:

https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges

 

According to the issue you mentioned, do you want to know if the user who assigned with "Environment Marker" role have permission to edit the canvas app?

Firstly, the Access Permission of Canvas app and the Access permission of CDS are actually separated. If you want your end uses to use your canvas app, you must share your canvas app to them. But it does not mean they could access data in your canvas app.

Actually, canvas app inherits data access permission from data source itself, if these end users want to access data in your shared app, they also must have sufficient permission to your CDS Entity data source (same mechanism for other data sources).

The "Environment Marker" role can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment.

Please check the following article for more details:

https://docs.microsoft.com/en-us/power-platform/admin/database-security#predefined-security-roles

 

So if your canvas app's data source is CDS Entity, these end users with  "Environment Marker" Security Role would not be able to access data in your shared app, and could not edit your Entity data using your shared app.

 

Best regards,

Community Support Team _ Kris Dai
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

3 REPLIES 3
Community Support
Community Support

Hi @Medoomi ,

Firstly, I think you have some misunderstanding on the Security Privileges in PowerApps Environment (installed CDS). The Field Level Security is not supported in CDS Environment.

Currently, within CDS Environment, there are two types of Security Level supported -- record-level privileges and task-based privileges. Please check the following article for more details:

https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges

 

According to the issue you mentioned, do you want to know if the user who assigned with "Environment Marker" role have permission to edit the canvas app?

Firstly, the Access Permission of Canvas app and the Access permission of CDS are actually separated. If you want your end uses to use your canvas app, you must share your canvas app to them. But it does not mean they could access data in your canvas app.

Actually, canvas app inherits data access permission from data source itself, if these end users want to access data in your shared app, they also must have sufficient permission to your CDS Entity data source (same mechanism for other data sources).

The "Environment Marker" role can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment.

Please check the following article for more details:

https://docs.microsoft.com/en-us/power-platform/admin/database-security#predefined-security-roles

 

So if your canvas app's data source is CDS Entity, these end users with  "Environment Marker" Security Role would not be able to access data in your shared app, and could not edit your Entity data using your shared app.

 

Best regards,

Community Support Team _ Kris Dai
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Thanks you so much @v-xida-msft !

Maybe to clarify (as I had hoped to use record level security restrictions), I don't understand why this article discusses record level security under the common data service if it is unavailable in CDS: https://docs.microsoft.com/en-us/powerapps/developer/common-data-service/security-model

Apologies for being tedious, but am I really unable to use it in CDS?

Hi @Medoomi ,

Normally, we configure "Record-Level" Security to restrict data access for different users (assigned with Security Role). If you want to configure Field Security in your custom Entities, the answer is Yes, you could configure it. But the prerequisites for configuring Field Level security is you must have record access permission in your Entity already.

 

Firstly, you need to enable "Field Security" option for specific fields in your CDS Entity, then you need to create corresponding "Field Security Profile" in your current CDS instance. Please check and see if the following video resource would help in your scenario:

https://www.youtube.com/watch?v=hwEkaGst3Yc

 

Best regards,

Community Support Team _ Kris Dai
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Helpful resources

Announcements
secondImage

Experience what’s next for Power Apps

Join us for an in-depth look at the new Power Apps features and capabilities at the free Microsoft Business Applications Launch Event.

Power Apps Community Call

Power Apps Community Call: February

Did you miss the call? Check out the Power Apps Community Call here.

New Power Super Users

Congratulations!

We are excited to announce the Power Apps Super Users!

New Badges

New Solution Badges!

Check out our new profile badges recognizing authored solutions!

Top Solution Authors
Top Kudoed Authors
Users online (2,208)