cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
robotdre
Frequent Visitor

Security - the best possible approach

Hey,

I have read a lot of articles about the security and connections, so I just wanna make sure that my thinking and approach to the topic  is correct, and best possible.

Case:

I've created an application in power apps.

Application is extremely simple, but it its connected to the flow in power automate. Flow is invoked from the inside of the application, and its also very simple, inside the flow there is just one action which runs SQL stored procedure, and send back a response to power apps.

Development of the application is done, and now the last thing has left, so the security level. I know that we have let's say 2 type of connections, one is implicit and second explicit.

I'm not gonna say anything  about implicit connection, as for sure it is not suitable for our use case, and also once such a connection will be shared with the Business, then they can use it for development of other applications - which from our point of view is not okay.

 

When it comes to the explicit connection, I know we have 2 options available (Azure AD Integrated, Windows Authentication non shared.). Our SQL server is on prem, so we dont have any integrations with Azure AD as of now, when it comes to the second authentication type (Win authentication non shared) - that make sense, because If we would like to share it with someone, then someone has to provide his own credentials, and from our side, we need to give him an access to our SQL server. Then he will make a connection on his account, and he will be able to use our application - it would be almost perfect solution, but I think this user would also have access to the other things from our database. He will be able to see our tables, stored procedures etc. and this is something we would like to make impossible.

The conclusion that came from this use case, is the fact that one and only safest option we could use is 'Azure AD Integrated' - then we will be able to create groups, and easily specify members, also it seems to me that from this level we will be able to  manage their access, views, and put some limitations and restrictions - Of course this may happen only when our sql server will be configures in Azure AD. 

Could you please tell am I thinking correctly? or we could do it in any other way

8 REPLIES 8
Pstork1
Most Valuable Professional
Most Valuable Professional

Whether its Azure AD or Windows non-shared the user will only have access to the things on your SQL server that you give their account access to.  If you give them access to the database then they can see everything in the database.  If you give them access to only a table in the database then they will only be able to see that table.  You'll need to give them access to all the things they need in the app, but if you do that carefully they won't have access to anything else.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Nogueira1306
Super User
Super User

My advice would be to use Azure AD Groups or Office365 users groups. 

And you create as many groups as you want and the permissions that you want. In the app you just need to check if they belong to that groups. 

 

Example with office groups:

 

OnStart:

ClearCollect(SharePointGroupMembersRH;GruposdoOffice365.ListGroupMembers("....").value)

 

Visible of a button:

If(IsBlank(LookUp(SharePointGroupMembersRH;mail = User().Email)) = true; false; true)

 

 

If you need additional help please tag me in your reply and please like my reply.
If my reply provided you with a solution, pleased mark it as a solution ✔️!

Best regards,
Gonçalo Nogueira

Check my LinkedIn!

Check my User Group (pt-PT)!

Last Post on Community

My website!

Thank you for the answer - but how it can be distinguished? In Power apps, I'm not specifying any data source, it is taken automatically, due to the fact that Im invoking flows inside of the app that uses SQL server. In power Automate, when I was creating SQL Server connection, the only data that I was asked for was server name, database name, and credentials - so I wasn't able to specify anywhere what table they can access or something? 

Or probably you meant that it could be defined on the SQL side, and not power platform?

Pstork1
Most Valuable Professional
Most Valuable Professional

The Power Platform is not a security layer.  The user will have whatever permissions they get from the data source.  If its an implicitly shared connection they will get the permissions provided in the data source to the connection account.  If its Explicitly shared they will get the permissions given to them in the data source.  But the permissions are managed in SQL, not in the Power Platform.  If they are not given permission to access a particular table in SQL then they won't be able to use an Explicitly shared connector to access that table.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Hey,
Thank you very much for the clarifications, I got your point.
Then next question arises in my head, how to limit a user to only use specific application?

- (Implicit) I can build and share an application with someone, and then someone will be able to build their own app and use my previously shared SQL connection. (Thats not okay I would like to avoid it)
- (Explicit) I can build and share an application with someone, and then someone will create their own connection to the SQL (of course only when such account will be created on the
SQL side), and then once they would like to create their own application, then again they will have an opportunity to use that created connection, and have still same accesses etc.


So basically the question is, May I create account for the user, and give them accesses to the specific tables, or stored procedures, but only in the area of that one particular application - so whenever they
want to create their own application, they won't be able to use SQL connection that was built/shared for this old application.

Whether the above thing that I'm referring to, can only be obtained by using AZURE AD INTGRATED connection type, I know that in there we can specify groups, and have the unique id /key or something.

Thanks

Pstork1
Most Valuable Professional
Most Valuable Professional

In everything other than the default environment you can limit whether a user is an App Maker or not.  In the default environment anyone can make an app, and that can't be changed.  However you can use Date Policies in the admin center to block/allow the use of certain connectors in any specific environment.  So the key here would be to do three things.

1) Create the app using the SQL connector in an environment other than the default environment

2) Block the use of SQL in the default environment using a DLP policy

3) Limit whether the user can create apps or only use apps in the environment where the app resides.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

@Pstork1 : I really want to take the time to thank you. Your replies on this forum are always great. Detailed, but you explain things well.

 

I was wondering if I could get your thoughts on this:

 

Since a Power App has a unique ID, could you store the APP ID in the tables and run a stored procedure to check if the submitted data came from one of the "approved" apps? If someone else tries to reuse a connection, that would have a different id. Or you could store other metadata about the app and control it that way? Just spitballing.

Pstork1
Most Valuable Professional
Most Valuable Professional

The problem with that scenario is that when you create the connection you give the user access to the database (explicit connection). If you have restricted their access to specific Tables in the database in SQL then that is all they will be able to access. Power Apps and Power Automate don't enter into it.  Security is set and maintained in SQL. But there is nothing that requires that connection to call a stored procedure. So they could reuse the connection from a different app and the App id wouldn't be checked. As I mentioned in a previous reply Power Apps and Power Automate aren't security layers. They simply abide by whatever security has been established in the data source for the user making the connection. Hope that helps.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Helpful resources

Announcements

Exclusive LIVE Community Event: Power Apps Copilot Coffee Chat with Copilot Studio Product Team

  It's time for the SECOND Power Apps Copilot Coffee Chat featuring the Copilot Studio product team, which will be held LIVE on April 3, 2024 at 9:30 AM Pacific Daylight Time (PDT).     This is an incredible opportunity to connect with members of the Copilot Studio product team and ask them anything about Copilot Studio. We'll share our special guests with you shortly--but we want to encourage to mark your calendars now because you will not want to miss the conversation.   This live event will give you the unique opportunity to learn more about Copilot Studio plans, where we’ll focus, and get insight into upcoming features. We’re looking forward to hearing from the community, so bring your questions!   TO GET ACCESS TO THIS EXCLUSIVE AMA: Kudo this post to reserve your spot! Reserve your spot now by kudoing this post.  Reservations will be prioritized on when your kudo for the post comes through, so don't wait! Click that "kudo button" today.   Invitations will be sent on April 2nd.Users posting Kudos after April 2nd. at 9AM PDT may not receive an invitation but will be able to view the session online after conclusion of the event. Give your "kudo" today and mark your calendars for April 3rd, 2024 at 9:30 AM PDT and join us for an engaging and informative session!

Tuesday Tip: Unlocking Community Achievements and Earning Badges

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!     THIS WEEK'S TIP: Unlocking Achievements and Earning BadgesAcross the Communities, you'll see badges on users profile that recognize and reward their engagement and contributions. These badges each signify a different achievement--and all of those achievements are available to any Community member! If you're a seasoned pro or just getting started, you too can earn badges for the great work you do. Check out some details on Community badges below--and find out more in the detailed link at the end of the article!       A Diverse Range of Badges to Collect The badges you can earn in the Community cover a wide array of activities, including: Kudos Received: Acknowledges the number of times a user’s post has been appreciated with a “Kudo.”Kudos Given: Highlights the user’s generosity in recognizing others’ contributions.Topics Created: Tracks the number of discussions initiated by a user.Solutions Provided: Celebrates the instances where a user’s response is marked as the correct solution.Reply: Counts the number of times a user has engaged with community discussions.Blog Contributor: Honors those who contribute valuable content and are invited to write for the community blog.       A Community Evolving Together Badges are not only a great way to recognize outstanding contributions of our amazing Community members--they are also a way to continue fostering a collaborative and supportive environment. As you continue to share your knowledge and assist each other these badges serve as a visual representation of your valuable contributions.   Find out more about badges in these Community Support pages in each Community: All About Community Badges - Power Apps CommunityAll About Community Badges - Power Automate CommunityAll About Community Badges - Copilot Studio CommunityAll About Community Badges - Power Pages Community

Tuesday Tips: Powering Up Your Community Profile

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!   This Week's Tip: Power Up Your Profile!  🚀 It's where every Community member gets their start, and it's essential that you keep it updated! Your Community User Profile is how you're able to get messages, post solutions, ask questions--and as you rank up, it's where your badges will appear and how you'll be known when you start blogging in the Community Blog. Your Community User Profile is how the Community knows you--so it's essential that it works the way you need it to! From changing your username to updating contact information, this Knowledge Base Article is your best resource for powering up your profile.     Password Puzzles? No Problem! Find out how to sync your Azure AD password with your community account, ensuring a seamless sign-in. No separate passwords to remember! Job Jumps & Email Swaps Changed jobs? Got a new email? Fear not! You'll find out how to link your shiny new email to your existing community account, keeping your contributions and connections intact. Username Uncertainties Unraveled Picking the perfect username is crucial--and sometimes the original choice you signed up with doesn't fit as well as you may have thought. There's a quick way to request an update here--but remember, your username is your community identity, so choose wisely. "Need Admin Approval" Warning Window? If you see this error message while using the community, don't worry. A simple process will help you get where you need to go. If you still need assistance, find out how to contact your Community Support team. Whatever you're looking for, when it comes to your profile, the Community Account Support Knowledge Base article is your treasure trove of tips as you navigate the nuances of your Community Profile. It’s the ultimate resource for keeping your digital identity in tip-top shape while engaging with the Power Platform Community. So, dive in and power up your profile today!  💪🚀   Community Account Support | Power Apps Community Account Support | Power AutomateCommunity Account Support | Copilot Studio  Community Account Support | Power Pages

Super User of the Month | Chris Piasecki

In our 2nd installment of this new ongoing feature in the Community, we're thrilled to announce that Chris Piasecki is our Super User of the Month for March 2024. If you've been in the Community for a while, we're sure you've seen a comment or marked one of Chris' helpful tips as a solution--he's been a Super User for SEVEN consecutive seasons!       Since authoring his first reply in April 2020 to his most recent achievement organizing the Canadian Power Platform Summit this month, Chris has helped countless Community members with his insights and expertise. In addition to being a Super User, Chris is also a User Group leader, Microsoft MVP, and a featured speaker at the Microsoft Power Platform Conference. His contributions to the new SUIT program, along with his joyous personality and willingness to jump in and help so many members has made Chris a fixture in the Power Platform Community.   When Chris isn't authoring solutions or organizing events, he's actively leading Piasecki Consulting, specializing in solution architecture, integration, DevOps, and more--helping clients discover how to strategize and implement Microsoft's technology platforms. We are grateful for Chris' insightful help in the Community and look forward to even more amazing milestones as he continues to assist so many with his great tips, solutions--always with a smile and a great sense of humor.You can find Chris in the Community and on LinkedIn. Thanks for being such a SUPER user, Chris! 💪🌠

Tuesday Tips: Community Ranks and YOU

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!This Week: Community Ranks--Moving from "Member" to "Community Champion"   Have you ever wondered how your fellow community members ascend the ranks within our community? What sets apart an Advocate from a Helper, or a Solution Sage from a Community Champion? In today’s #TuesdayTip, we’re unveiling the secrets and sharing tips to help YOU elevate your ranking—and why it matters to our vibrant communities. Community ranks serve as a window into a member’s role and activity. They celebrate your accomplishments and reveal whether someone has been actively contributing and assisting others. For instance, a Super User is someone who has been exceptionally helpful and engaged. Some ranks even come with special permissions, especially those related to community management. As you actively participate—whether by creating new topics, providing solutions, or earning kudos—your rank can climb. Each time you achieve a new rank, you’ll receive an email notification. Look out for the icon and rank name displayed next to your username—it’s a badge of honor! Fun fact: Your Community Engagement Team keeps an eye on these ranks, recognizing the most passionate and active community members. So shine brightly with valuable content, and you might just earn well-deserved recognition! Where can you see someone’s rank? When viewing a post, you’ll find a member’s rank to the left of their name.Click on a username to explore their profile, where their rank is prominently displayed. What about the ranks themselves? New members start as New Members, progressing to Regular Visitors, and then Frequent Visitors.Beyond that, we have a categorized system: Kudo Ranks: Earned through kudos (teal icons).Post Ranks: Based on your posts (purple icons).Solution Ranks: Reflecting your solutions (green icons).Combo Ranks: These orange icons combine kudos, solutions, and posts. The top ranks have unique names, making your journey even more exciting! So dive in, collect those kudos, share solutions, and let’s see how high you can rank! 🌟 🚀   Check out the Using the Community boards in each of the communities for more helpful information!  Power Apps, Power Automate, Copilot Studio & Power Pages

Find Out What Makes Super Users So Super

We know many of you visit the Power Platform Communities to ask questions and receive answers. But do you know that many of our best answers and solutions come from Community members who are super active, helping anyone who needs a little help getting unstuck with Business Applications products? We call these dedicated Community members Super Users because they are the real heroes in the Community, willing to jump in whenever they can to help! Maybe you've encountered them yourself and they've solved some of your biggest questions. Have you ever wondered, "Why?"We interviewed several of our Super Users to understand what drives them to help in the Community--and discover the difference it has made in their lives as well! Take a look in our gallery today: What Motivates a Super User? - Power Platform Community (microsoft.com)

Top Solution Authors
Top Kudoed Authors
Users online (5,941)