schuess3
Kudo Kingpin

Security in Dataverse for Teams – Can Members get to Raw Table Data?

I have a few questions concerning how a team member might access the Raw Table Data in Dataverse for Teams.

 

  1. If I build a Power App in Teams using Dataverse for Teams, is there a way for the team members to get to the raw data in the tables or just what is exposed to them via the Canvas App?
  2. What permissions are needed to pin the Power Apps App in Teams? 
  3. Is there a method to obscure members getting to backend tables?

Permissions to Dataverse for Teams Tables.png

 

Thanks for any suggestions or input you may have.

 

Matt

 

 

2 REPLIES
GarryPope
Impactful Individual

Hello @schuess3 

 

I hope you are well. Did you get any further with your questions and/or find out the answers? I was wondering exactly the same thing only recently. Here's what I found out. Sorry there's so much detail.
 

Question 1:

In Power Apps app:

  • Regarding the data, it depends on the permissions you grant to the roles (Member, Guest, "Colleagues with access") as to what they can do.
  • If you have a user that is a "Member" of the team and you assign the "Table permission" of "Full access" to the role "Members", then any "Member" will be able to "Read all records" and "Update or delete all records", even if your Canvas App doesn't show all the records, such as when you put a filter to only show records starting with the letter "A". They can get access to the data outside of your "Canvas App" in the "back end" so to speak. More below...
  • By default, when a new table is created, "Members" are assigned the table permission of "Full access", which seems bonkers to me...
  • So from my testing, a user that is a "Member" can
    • download the Power Apps app >
    • click the Build tab >
    • Select the environment >
    • find the table where, for example, in your canvas app you added the filter to the gallery to only show the records with the letter "A", meaning a user of the app couldn't see any data that doesn't begin with "A" >
    • click Edit data >
    • and see all the data.
  • They can create new records, edit those records and delete those records.
  • They can also edit and delete a record not created by them.
  • And of course, they can do all the same create, read, update and delete operations as above on the table data if they created their own Canvas App.
  • And, I would imagine, but haven't tested, they can do the same if they create a Flow as well.
  • So if you provide a different "table permission" to the "Member" role, such as "Collaborate" which allows them to "Read all records" and "Update or delete their own records" on that table, then they can do all of the above, but only interact with their own records.
  • So the first thing is definitely to look at and assign correct access in "Manage permissions" on a table.
Power BI:
  • They can also point Power BI to the Dataverse for Teams environment and see all the records.
Flow.microsoft.com:
  • They can go to flow.microsoft.com, see the environment, tables etc, but I can't find a way to get to the data, even with the "Full access" permissions assigned to "Members".


Question 2:

  • I'm not sure what permissions are needed, but I believe you can prevent people from downloading the Power Apps app.
  • Here's a link that might be of use
  • And another. Let us know if you find out anything more.

 

Question 3:
  • Not that I've found for "Members".
  • For me, this is one of the biggest drawbacks with Dataverse for Teams, as it allows members to go into the "back end" and mess with your tables, such as edit the display name. It even allowed me to delete the entire table! I'm really hoping someone reads this and then provides an answer on how to stop this, as it seems madness that any "Member" can edit/delete someone else's entire table.
  • Instead, to stop this, what I did was:
    • create a canvas app in a different environment,
    • then on the "table permissions" I used "Colleagues with access" and assigned it the permission of say, "Collaborate".
    • I then selected a Microsoft Security Group for the Canvas App and shared it that way.
  • As the users were not "Members" of the environment where I created the "Canvas App" they were not able to get into the back end tables/data and mess around.
  • This Microsoft Doc explains more.
  • Seems like a lot of hoops to jump through to prevent people messing with your tables. Again hopefully someone has a better solution.

Hope this helps you, or someone else stumbling across this article. Any further input from anyone would be greatly appreciated.
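
An added example, not part of the original post and not Dataverse code: a small constructed model of the "Full access" and "Collaborate" table permissions as the post above describes them, showing that a gallery filter only limits what is displayed while the table permission decides what a Member can read or change. All class names, user names and records are made up for illustration.

```python
# Constructed model of the two table permissions described in the post above.
# This is not the Dataverse API; every name and record here is illustrative.
from dataclasses import dataclass

# permission name -> what it allows, per the post's description
PERMISSIONS = {
    "Full access": {"read_all": True, "modify_others": True},
    "Collaborate": {"read_all": True, "modify_others": False},
}

@dataclass
class Record:
    id: int
    name: str
    owner: str

class Table:
    def __init__(self, records, role_permissions):
        self.records = {r.id: r for r in records}
        self.role_permissions = role_permissions  # role -> permission name

    def _perm(self, role):
        # A role with no assigned permission gets no access at all.
        return PERMISSIONS.get(self.role_permissions.get(role))

    def read(self, role):
        perm = self._perm(role)
        return list(self.records.values()) if perm and perm["read_all"] else []

    def delete(self, role, user, record_id):
        perm, rec = self._perm(role), self.records.get(record_id)
        if perm is None or rec is None:
            return False
        if rec.owner != user and not perm["modify_others"]:
            return False  # e.g. "Collaborate": own records only
        del self.records[record_id]
        return True

def gallery_view(table, role):
    """What the canvas app displays: a filter on names starting with 'A'.
    It narrows the view only; table.read() still returns every record."""
    return [r for r in table.read(role) if r.name.startswith("A")]

def sample_table(member_permission):
    rows = [Record(1, "Alpha", "matt"), Record(2, "Bravo", "matt"),
            Record(3, "Avocado", "dana")]
    return Table(rows, {"Member": member_permission})

def members_with_full_access(tables):
    """Audit helper: names of tables where Members hold 'Full access'."""
    return [n for n, t in tables.items()
            if t.role_permissions.get("Member") == "Full access"]
```
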

Sunidhigambhir1
Helper II

Hello,

Security in Dataverse for Teams:

1. Role-based security:
Dataverse uses role-based security to group together a collection of privileges.

2. Record-level security in Dataverse:
Field-level security in Dataverse Sometimes record-level control of access is not adequate for some business scenarios.

3. Field-level security in Dataverse:
Dataverse has a field-level security feature to allow more granular control of security at the field level.
Field-level security can be enabled on all custom fields and most system fields.
