aabrin
Level: Powered On

MAJOR Connections security hole - PowerApp shares any related Connections with all users to be able to create their OWN PowerApps

If I create a PowerApp with a Connection to a SQL Server database, any user that I grant permission to use my PowerApp is then given "Can Use" permissions on the connection, and can then subsequently go create their OWN PowerApp using MY Connection.

 

This is not made clear ANYWHERE in the process, and I can guarantee there are tons of users who don't understand or expect this to be the case.  It means that ANY in-app data access management is right out the window if any user has the ability to make their own applications in the environment.  If UserA is only meant to have access to RoleA data in my app, they can simply go create a new application, use the Connection from my application, and have it feed in ANY data from the connection they want.

 

This is really heinous, and needs to be addressed in some way ASAP.  This is undercutting the basic expectations of your users about how data permissions will pass through these applications.

1 ACCEPTED SOLUTION

Super User

Re: MAJOR Connections security hole - PowerApp shares any related Connections with all users to be able to create their OWN PowerApps

Hi @aabrin 

I agree that many users will not be aware of this, so thanks for highlighting this issue to those that may not appreciate the workings of a shared SQL connector.

I know you will have seen these posts already, but I would suggest that anyone affected by this vote on these ideas. I think this would be the most effective route towards progressing a fix for this issue.

 

https://powerusers.microsoft.com/t5/PowerApps-Ideas/Making-SQL-Connector-Secure/idi-p/112599

 

https://powerusers.microsoft.com/t5/PowerApps-Ideas/Removing-user-ability-to-access-data-source-with...


4 REPLIES
Community Support Team

Re: MAJOR Connections security hole - PowerApp shares any related Connections with all users to be able to create their OWN PowerApps

Hi @aabrin ,

 

Thanks for your post.

Please reference this case:

https://powerusers.microsoft.com/t5/General-Discussion/Role-based-Security-implementation-in-PowerAp...

 

Hope this could be helpful.

 

Best Regards.

Yumia

 

Community Support Team

Re: MAJOR Connections security hole - PowerApp shares any related Connections with all users to be able to create their OWN PowerApps

Hi @aabrin  @timl ,

 

Thanks for your posts.

 

Best Regards.

Yumia

aabrin
Level: Powered On

Re: MAJOR Connections security hole - PowerApp shares any related Connections with all users to be able to create their OWN PowerApps

That is very helpful for setting up role based security in a single application, which is genuinely something I need to do, so thank you for that.

 

Unfortunately I also think it might only exacerbate the fact that if a user is also a Maker in a given environment, this gives the *impression* of role level security for the data connection backing the application, but actually they can go take that connection and create their *own* application which would then let them see any and all data available.
