Super User

Be careful with apps using flows and shared connections

I feel this needs to be highlighted on this forum as well as the Flow forum, as this can create big security issues. Please see the link below:

 

https://powerusers.microsoft.com/t5/General-Flow-Discussion/Shared-Connection-Account/m-p/110071#M12...

Community Support Team

Re: Be careful with apps using flows and shared connections

Hi @Delid4ve,

 

When sharing a flow, if you are sharing from the Flow web site, then the only option to share the flow with other users is to give the user owner permission on this flow, which means that all the connections included in this flow would log in using your account.


 

With this scenario, the default login account should be yours. But he can change the login account to his own in his Flow site.

 

The default login account is Mona, but the user can change it to his own (Aye).


 

But with Flow button trigger, you can restrict flow to only use your authentication, or require users to use their own connections. 


 

For more information about this, please refer to:

https://docs.microsoft.com/en-us/flow/share-buttons

 

Regards,

Mona

Community Support Team _ Mona Li
Super User

Re: Be careful with apps using flows and shared connections

This doesn't address my concern at all.

 

Look at it this way:

If I create a PowerApp that saves all the data to SQL Server first (user automatically uses 'My Connection' in the flow)

Then create another flow which is triggered by the first flow to do all my required tasks

The tasks will all be handled by the chosen 'My Connection' (i.e. SharePoint, Outlook, OneDrive)

 

However, if I don't do it this way the user has to have permissions for all the connections.

This completely defies a security model designed to restrict access to users and is a HUGE oversight by MS.

Can you have somebody from your security team look at this as this 'By Design' is completely wrong.

It's not complex: if PowerApps has no input directly in the flow it uses 'My Connection', otherwise it uses the user's connection. This is wrong.

 

The Flow is also NOT directly shared with the user, and again, we shouldn't have to do this as the only way is to give them owner permissions which would mean they can edit it!!!! And we are NOT talking about Buttons here, this is documented that you can change which accounts to use.
