khadija
New Member

Control Dataverse Data Access To System Administrator

Hi all,

 

May I know if there is any way to control access to custom entities for the System Administrator role in an environment?

 

I've built a Model Driven App for an HR solution, and it contains a lot of sensitive data. Now, for all users I can control access with custom security roles, but our system administrators are able to access all the Model Driven Apps and all the custom entities that contain sensitive data. I can't seem to remove the access of System Administrator on my MDA and custom entities, since it is the all-powerful profile.

 

Since all the data is owned by department users, is there a way to control and block the access to Dataverse on data level? 

 

Appreciate your advice.

 

Accepted Solutions
ChrisPiasecki
Super User

Hi @khadija,

 

The system administrator role has full access to the environment and this cannot be changed.

 

My recommendation is to limit administrative access to a small subset of individuals, and enable Auditing and Activity Logging for all of your sensitive tables/columns. You can view reports for activity logs in the M365 Security & Compliance center. You should make this part of your security modelling and processes to do regular security reviews.

 

There should also be capability in M365 to automate alerts for security events, so I imagine you could monitor and alert when those system administrator accounts access certain tables/columns (I have not had a chance to explore these M365 security features in depth, so I am a bit limited on knowledge in that area).

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.
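
The review step suggested in the answer above, sketched as an added example that is not part of the original thread or of any Microsoft tooling: it scans exported activity records and groups every action an administrator account took on a sensitive table. The table names, account names and record fields (`UserId`, `EntityName`, `Operation`, `CreationTime`) are assumptions, and the sample log is constructed.

```python
import json
from collections import defaultdict

# Assumed names (not from the thread): tables, accounts and record fields.
SENSITIVE_TABLES = {"hr_employee", "hr_salary"}
ADMIN_ACCOUNTS = {"admin1@contoso.example"}

# Constructed sample export, one JSON record per line.
SAMPLE_LOG = """\
{"CreationTime": "2021-11-02T08:15:00", "UserId": "admin1@contoso.example", "Operation": "RetrieveMultiple", "EntityName": "hr_salary"}
{"CreationTime": "2021-11-02T08:20:00", "UserId": "hr.user@contoso.example", "Operation": "Retrieve", "EntityName": "hr_salary"}
{"CreationTime": "2021-11-02T09:01:00", "UserId": "Admin1@Contoso.example", "Operation": "Update", "EntityName": "hr_employee"}
{"CreationTime": "2021-11-02T09:05:00", "UserId": "admin1@contoso.example", "Operation": "Retrieve", "EntityName": "account"}
{"CreationTime": "2021-11-02T09:30:00", "UserId": "admin1@contoso.example", "Operation": "Retrieve", "EntityName": "hr_salary"}
this line is truncated {"CreationTime":
"""


def parse_records(text):
    """Yield one dict per valid JSON line, skipping damaged lines."""
    for line in text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def find_admin_access(text, admins=ADMIN_ACCOUNTS, tables=SENSITIVE_TABLES):
    """Group admin activity on sensitive tables by (account, table)."""
    hits = defaultdict(list)
    for record in parse_records(text):
        # Normalise case so "Admin1@..." and "admin1@..." match the same account.
        user = str(record.get("UserId", "")).lower()
        table = str(record.get("EntityName", "")).lower()
        if user in admins and table in tables:
            hits[(user, table)].append(
                (record.get("CreationTime"), record.get("Operation")))
    return dict(hits)


if __name__ == "__main__":
    for (user, table), events in sorted(find_admin_access(SAMPLE_LOG).items()):
        print(f"REVIEW {user} -> {table}: {len(events)} event(s)")
        for when, operation in events:
            print(f"    {when} {operation}")
```
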

Hi @ChrisPiasecki ,

 

Many thanks for your advice. I suspected as much, as we definitely need 1 person who can modify the table or application, and we cannot ask HR users to do it themselves. Guess the option now is to implement a process of access governance based on the Auditing and Activity Logging feature.

 

 
