lgpower
Helper II

Dataverse default environment security considerations

Hi,

I have an app performing CRUD operations on a Dataverse prod environment/database.

Security is currently managed in two ways:

1. Security roles on Tables

2. App as only point of interaction with the data thus interactions can be controlled in canvas app design

In my prod environment this suffices for my security needs.

Then however, there still is the default environment. I believe currently nothing would stop a user from creating their own app here, using the common data service connector with their account credentials, switching to the prod environment, and starting CRUD operations on records they would not have access to in the Prod app.

Of course I could decide not to make any premium licenses available in the Default environment but then still users have the option to start a free trial period.

How would one manage this scenario in Dataverse?

Accepted Solutions
EricRegnier
Super User II

Hi @lgpower,

Security role privileges are applied at the data access level and so whatever channel (canvas app, Excel, API, Power Automate, etc.) the user decides to access/manage the data through, the privileges assigned will apply.

From what I understand, your issue is that greater privileges than what is actually required are granted and restriction is more at the app level. And therefore, there's a risk of users accessing/updating data via other channels that they shouldn't. The quick answer is unfortunately you can't limit your users from using other channels such as Excel if they already have access to the data. You should restrict access via security role(s) to the minimum of what they require, with the right access level.

For the Default environment even if users have Power Apps licenses and get automatically created in the Default environment with app maker roles, they will not have access to the Prod environment if a security role in the Prod environment isn't assigned. It is not recommended to install a CDS instance on the Default environment. Instead, have a separate trial environment as you mentioned or a separate playground environment for them to experiment. More details: https://docs.microsoft.com/en-us/power-platform/guidance/adoption/environment-strategy

Other items to consider for your environments are:

  1. Control access with security groups: https://docs.microsoft.com/en-us/power-platform/admin/control-user-access
  2. Enable DLP policies to limit your users from using certain connectors in Power Automate, Dataflows, etc. Unfortunately however the CDS connector can't be blocked. More on this: https://docs.microsoft.com/en-us/power-platform/admin/wp-data-loss-prevention

Hope this helps!

Hi @lgpower 

 

As @EricRegnier said, shortcutting the security roles and giving more access than really needed opens you up to more data access risks than just from the default environment. What are the problems that you are having with security roles and dataflows? Long term it’s best that you resolve that issue rather than trying to work around it.

6 REPLIES
HSheild
Super User

Hi @lgpower 

 

If you are using security roles to restrict a user's access to tables in the Prod environment then this would still apply to an app that connects to the Prod Dataverse from the Default environment. An app in the Default environment will not give users access to Prod Dataverse data that they should not have access to.

 

 

lgpower
Helper II

Hi @HSheild 

 

thanks for your reply. 

 

My security roles are a bit too liberal as they are now. I have a hard time getting row security in place in Dataverse on data from external sources coming in via dataflows. For that reason I decided to solve this in the canvas app.


I guess I am looking to cut corners, not allowing users to access tables in prod from default, whilst they still can access these tables from the prod application.
lgpower
Helper II

@HSheild @EricRegnier 

 

Thanks for both your comments. I have to agree that not resolving this now would be unwise for a number of reasons.

 

The main problem I am facing with dataflows is that I find myself unable to change the owner field on records. By default the data flow owner is the owner for the record.

 

Say I have 100k records with an employee field that I import, and I have 1k User records/200 Team records. I would have to find a way to update the owner field to either the corresponding User/Team record.

 

 

lgpower
Helper II

Regarding changing the Owner field via dataflows,

Think I got it through this process:

1. Set alternate key (employeeid) on systemuser (Users) table 
2. Create relationship between Fact table and systemuser (Users) table 
3. Dataflow loads employeeid field into Fact.Lookup (Users) column field
4. Set Business rule in Dataverse to set Fact.Owner value as Fact.Lookup (Users) value 
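
An added illustration, not part of the thread and not Microsoft's code: a simplified Python model of the point made in the answers above, that a security role's access level is evaluated against the row owner whatever channel is used, and of why the owner reassignment in the steps above is what makes a narrow role usable. All names, business units and rows are constructed; record sharing and hierarchy security are left out.

```python
from dataclasses import dataclass

# Child -> parent business unit (constructed org chart).
BU_PARENT = {"Sales-North": "Sales", "Sales": "Root", "Finance": "Root"}

@dataclass(frozen=True)
class User:
    name: str
    bu: str
    read_depth: str              # "Basic", "Local", "Deep" or "Global"
    teams: frozenset = frozenset()

@dataclass(frozen=True)
class Row:
    row_id: int
    owner: str                   # owning user or team
    owner_bu: str

def in_subtree(bu, ancestor):
    """True if bu is ancestor or sits below it in the hierarchy."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT.get(bu)
    return False

def can_read(user, row):
    """Decision uses only the role depth and the row owner; no channel input."""
    if user.read_depth == "Global":
        return True
    if user.read_depth == "Deep":
        return in_subtree(row.owner_bu, user.bu)
    if user.read_depth == "Local":
        return row.owner_bu == user.bu
    if user.read_depth == "Basic":
        return row.owner == user.name or row.owner in user.teams
    return False

def visible(user, rows):
    return [r.row_id for r in rows if can_read(user, r)]

# Constructed data: rows as a dataflow leaves them (all owned by its owner) ...
AS_LOADED = [Row(i, "svc-dataflow", "Root") for i in (1, 2, 3)]
# ... and the same rows after the owner is set from the employee lookup.
RE_OWNED = [Row(1, "alice", "Sales-North"), Row(2, "bob", "Finance"),
            Row(3, "north-team", "Sales-North")]

liberal = User("alice", "Sales-North", "Global")
scoped = User("alice", "Sales-North", "Basic", frozenset({"north-team"}))
```

With the liberal role every row is readable from any app or connector; with the Basic-depth role nothing is readable until the rows are re-owned, after which only the user's own and their team's rows are.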
