
PowerApps lack of security unless using Common Data Service?

Been struggling with this issue the past couple days, so hopefully one of my statements is incorrect:

 

I have HR analytics data stored on a SQL Server that I have created a PowerApp to view. This PowerApp uses the O365 login and a relationship table on the SQL server to determine which records of the primary table are viewable by that specific user. Everything works great, users have controlled access, etc. This app exists in the default tenant environment, and uses an On Premises Gateway to connect to the SQL server. Here's the problem:

 

Once the app has been shared with them, a savvy user could theoretically create a new app in the default environment, and use their existing SQL server connection (which was shared with the HR analytics app). They could then view and edit any data in the tables.

It doesn't appear that I can take away the Environment Maker role for users in the default environment.

It doesn't appear that I can create a gateway in a non-default environment.

It doesn't appear that I can restrict use of existing connections that have been shared. 

 

Am I missing something?


Re: PowerApps lack of security unless using Common Data Service?

Hi @peterthegreat, excellent question.  I had been wondering about PowerApps and security, and happy that someone is trying to find the holes.

I seem to be able to take away Environment Maker role for all the tenant (by pressing the x) and then give it to individuals.  Please see screenshot below.  Do you see something different?  This is in my default environment.

Frankly I have not gone through with testing since we have running apps, but may do depending on your response.

 



Re: PowerApps lack of security unless using Common Data Service?

We were able to click the X and remove the "Tenant" from the Environment Maker role, but upon clicking Save is when he had the error which says something along the lines of "unable to remove all users from default Environment Maker permission". 

 

Were you able to fully execute the removal, or did you stop at your screenshot below? 🙂


Re: PowerApps lack of security unless using Common Data Service?

Frankly I stopped at the screenshot as I have working apps here.  What about if you add yourself and someone else before removing the tenant?


Re: PowerApps lack of security unless using Common Data Service?

Actually I got up some courage and tried it.  I get your same result, even if I add myself before removing the tenant.

Hopefully someone with more knowledge will contribute to this discussion.


Re: PowerApps lack of security unless using Common Data Service?

See this link for other people's frustration with this issue (including mine!)

 

https://powerusers.microsoft.com/t5/PowerApps-Ideas/Making-SQL-Connector-Secure/idi-p/112599  
