Re: Multiple client data in CDS - control scope of...

colmblake · ‎02-14-2020

Hello, this is my first post, apologies if this is covered elsewhere but I searched and couldn't find an answer........ I'm not even sure what I am looking for 🙂

I have the start of a model-driven app that is used collect information about applications/workloads at client ie application name, application owner, version, support agreement etc

I have managed to get a form together for the fields above and I have an account form from that entity that is used to add a vendor, in my test data this is Microsoft for exchange and putty.org for putty.

A this time it is a single organisation form, therefore, I also need to add a client , client A will have ~100 apps/wklds client B will have ~50 apps/wklds there will be some of the same apps in both but with unique data for each organisation eg: Exchange will be present in each org but have different owners per organisation.

My expectation is that I will be able to assign a license to someone from the client in the project team to the app and i want them to be able to CRUD only their data

I need to be able to work in scopes eg: i want to be able to search globally to find an answer if a new client doesn't have it, I also need to be able to search per client if I am looking for all web applications in a subnet for example

There is a lot of requirements there, thanks for reading 🙂

I am a network/server guy by trade so I will will need it explained simply but I really see the potential in the Power Platform, any guidance would be gratefully received.

GarethPrisk · ‎02-14-2020

There is a lot there, you aren't kidding. 🙂

On the CDS side, you will be able to control the User's access in a few ways.

They will need a PowerApps license to access ANY CDS environment/database
Each CDS environment can be controlled via an associated Security Group (enables/disables users)
THEN
- CDS Security Role's come into play
- A user must have a Security Role to access anything in CDS
- This can set the granular level's of CRUD access
- It also includes privilege depths, such as User-only, or Organization

This should allow you to control the CRUD operations against those CDS environments that the user has access to.

Some resources:

colmblake · ‎02-20-2020

Thanks Gareth, I'll read through the links and update the thread 🙂

DavidJennaway · ‎02-20-2020

Ultimately, the key to making this work is managing the ownership of records in CDS. The users from the client should be in a security role that only has user-level access to the entities that they will access. You then have 2 sets of 2 options:

If each client will only ever have one user, you could grant access to that user, but a more scalable option would be to create a team for each client, and add their users to that team
Granting access can be done in one of 2 ways. You could assign the records to the relevant client user/team - this is simpler, but a record can only have one owner, so this is only viable if you don't use ownership for other purposes. The other option is to share the records with the relevant client user/team

You can automate this via workflow, but would probably need to link the client to a team. If you're using sharing, then you can use https://github.com/demianrasko/Dynamics-365-Workflow-Tools to share from a workflow

Multiple client data in CDS - control scope of data displayed based on user

Helpful resources

Power Apps News & Announcements

Introducing the Community Calls Conversations

Power Apps Community Blog