Super User

Be careful with apps using flows and shared connections

I feel this needs to be highlighted on this forum as well as the Flow forum, as this can create big security issues. Please see the link below.

https://powerusers.microsoft.com/t5/General-Flow-Discussion/Shared-Connection-Account/m-p/110071#M12...

2 REPLIES
Community Support Team

Re: Be careful with apps using flows and shared connections

Hi @Delid4ve,

 

When sharing a Flow, if you are sharing from the Flow web site, then the only option to share the flow with other users is to give the user owner permission on this flow, which means that all the connections included in this flow would log in using your account.


With this scenario, the default login account should be yours. But he can change the login account to his own in his Flow site.

Default login account is Mona, but the user can change it to his own (Aye).


But with Flow button trigger, you can restrict flow to only use your authentication, or require users to use their own connections. 


For more information about this, please refer to:

https://docs.microsoft.com/en-us/flow/share-buttons

 

Regards,

Mona

Community Support Team _ Mona Li
Super User

Re: Be careful with apps using flows and shared connections

This doesn't address my concern at all.


Look at it this way:

If I create a PowerApp that saves all the data to SQL Server first (user automatically uses 'My Connection' in the flow)

Then create another flow which is triggered by the first flow to do all my required tasks

The tasks will all be handled by the chosen 'My Connection' (i.e. SharePoint, Outlook, OneDrive)

However, if I don't do it this way the user has to have permissions for all the connections.

This completely defies a security model designed to restrict access to users and is a HUGE oversight by MS.

Can you have somebody from your security team look at this as this 'By Design' is completely wrong.

It's not complex: if PowerApps has no input directly in the flow it uses 'My Connection', otherwise it uses the user's connection. This is wrong.

The Flow is also NOT directly shared with the user, and again, we shouldn't have to do this, as the only way is to give them owner permissions, which would mean they can edit it!!!! And we are NOT talking about Buttons here; this is documented that you can change which accounts to use.
