cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
jchenevert
Advocate I
Advocate I

Controlling dataverse access within production environments

I was wondering if it was possible to restrict specific users from accessing dataverse information outside of a Canvas app.

 

For most of our users we use the web link for them to access a canvas app on each of their computers. Using the app in this way only allows for data to be accessed using the linked Canvas app. However a user could log into powerapps from Microsoft's home page bringing them to the PowerApps' home screen. Here they have access to Dataverse tables, option sets, flows and can create apps. From my testing even giving a user no permissions within the environment still allows them a shocking amount of access to your data. They can access any of your dataverse tables, delete tables and edit records. They can't create tables citing "you are missing the necessary privilege to create tables" so I know something is preventing them from having completely unrestricted access. To apply security roles I am going to the admin center then Environments/"Environment name"/Settings/Users/Manage security roles. Are security roles managed somewhere else in the admin center?

 

What is the purpose of creating specific user privileges when a user can open the environment and subvert all of the carefully designed controls in a canvas app? What am I missing here? 

 

Any help is appreciated.

2 REPLIES 2
HSheild
Super User
Super User

Hi @jchenevert , the behaviour you are describing doesn’t sound quite right. What security roles have you given your users? It is the security roles that control the access to Dataverse data. I assume you have looked at the definition of the security roles assigned to your users and have seen what they have access to?

Hi @HSheild. I agree it doesn't make any sense. I have attached a picture of my custom "norights" user that I used to access my dataverse tables. I all of the tabs have no read/write access in any of my custom dataverse entities. Do previous user permissions linger on after being changed? I made sure to refresh my test user's permissions after changing them and completely logining out before accessing the dataverse information.

Helpful resources

Announcements
UG GA Amplification 768x460.png

Launching new user group features

Learn how to create your own user groups today!

Community Connections 768x460.jpg

Community & How To Videos

Check out the new Power Platform Community Connections gallery!

Welcome Super Users.jpg

Super User Season 2

Congratulations, the new Super User Season 2 for 2021 has started!

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

Users online (2,307)