Sheikx800
Helper II

End User access control options

I feel like there may be answers to this question within other threads, but I didn't find a great deal, so I am asking for you geniuses to reach out and assist again!

 

The environment that I am creating has a 'dataverse' database and two PowerApps. There will be a 'manager' app for internal employees that is model-driven, and then a Canvas app for the end-users. End-users should only be able to access records for their accounts.

 

I am not sure where to start with the control of end-user access to data in the dataverse and would like some guidance/links for best practice. Ultimately, we only want to have end-users seeing their own data, but for them to access the data, my current understanding is that they need access to the database and would then have access to ALL the data in it and not just their own. 

 

The method that comes to mind as the 'easy' approach is to have the Canvas app do filtering based on the user's login information... But my background tells me that's not the correct approach because you would essentially be 'hiding' the data, not preventing access. So someone who knows how to could gain access to the data in the dataverse because they, at the dataverse level, have access to the full table. It would only be the PowerApp filtering their access. So something tells me there are extra steps that need to be taken to ensure that anyone with malicious intent couldn't circumvent the 'forward facing' permissions of the Canvas app and simply grab all the data.

 

I hope this makes sense. I have no doubt that plenty have crossed this bridge before me, but it has been difficult to find specific information relating to the use of dataverse as the storage location. Most of the guides/tutorials refer to people using SharePoint lists and spreadsheets, which naturally have far simpler permissions.

 

Thanks in advance.

 

1 ACCEPTED SOLUTION

Accepted Solutions
joe_hannes_col
Super User

Hello @Sheikx800,

 

You made a great design choice in going with Dataverse for your requirements.

The only thing you will have to do is to correctly set up security. In Dataverse, you can make very granular decisions about who can create, update, read, and delete records - and if users can access only their own records, all other records or even records created by their business unit.

 

Security in Dataverse works like this: you define Security Roles. For each Security Role, you can define if a person with this Role can access their own records, the organization's records, etc - for each entity (table). When you assign a Security Role to a user, Dataverse automatically displays only data the user should be able to access - no need to use custom filters etc.

You can find more information here: https://docs.microsoft.com/en-us/power-platform/admin/wp-security-cds

 

The easiest way to achieve your requirement would be to:

  1. Create a new security role for your users, or choose an existing one to update, e.g. "Basic User": https://docs.microsoft.com/en-us/power-platform/admin/database-security
  2. Create the correct privileges for the entity (table) you want to restrict access to. To do this, identify the entity (table) in the list of custom entities in the security role editor:

     [Screenshot: security role privileges]

     For this table, define the privileges. In your case, for users, this would be "User":

     [Screenshot: security role privileges key]
  3. You can then assign the security role to your users: https://docs.microsoft.com/en-us/power-platform/admin/database-security#assign-security-roles-to-use...

You can then walk through the same process for the "Manager" role, but you would want to give them higher privileges, e.g. "Organization".
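
The gap between app-side filtering (the concern raised in the question) and the role access levels described in this answer, as an added example that is not part of the original posts. It is a simplified Python model, not Dataverse code: it assumes only record ownership decides access (sharing, team ownership and the Parent: Child Business Units level are left out), and all names and sample records are constructed.

```python
from enum import IntEnum
from typing import NamedTuple

class Depth(IntEnum):
    """Access level of the Read privilege a security role grants on a table."""
    NONE = 0
    USER = 1           # only records the caller owns
    BUSINESS_UNIT = 2  # records owned inside the caller's business unit
    ORGANIZATION = 3   # every record in the environment

class Record(NamedTuple):
    name: str
    owner: str
    business_unit: str

class Caller(NamedTuple):
    user: str
    business_unit: str
    read_depth: Depth

def can_read(caller, rec):
    """Server-side decision, made before any row leaves the data layer."""
    if caller.read_depth == Depth.ORGANIZATION:
        return True
    if caller.read_depth == Depth.BUSINESS_UNIT:
        return rec.business_unit == caller.business_unit
    return caller.read_depth == Depth.USER and rec.owner == caller.user

def server_query(caller, table):
    """Rows any client gets back: the app, a direct API call or a script."""
    return [r.name for r in table if can_read(caller, r)]

def app_view(caller, table):
    """Canvas-app style filter layered on top of the server's answer."""
    allowed = set(server_query(caller, table))
    return [r.name for r in table if r.name in allowed and r.owner == caller.user]

def exposure(caller, table):
    """Rows hidden by the app filter but still returned by the server."""
    shown = set(app_view(caller, table))
    return [n for n in server_query(caller, table) if n not in shown]

# Constructed sample data: three records, two business units.
TABLE = [
    Record("Order-1", "alice", "Customers"),
    Record("Order-2", "bob", "Customers"),
    Record("Order-3", "carol", "Internal"),
]
```

With an Organization-level Read privilege, `exposure` lists the other owners' rows even though the app shows only Order-1; with the User level it is empty, because the restriction is applied before the data reaches any client.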

 

3 REPLIES 3
An additional note to @joe_hannes_col's response is that you should create a new Security Role by copying an existing one, e.g. Basic User. Don’t create a new Security Role from scratch, as you will most likely find yourself in a world of pain trying to get the permissions correct. There are some base permissions that just about every user needs for Dataverse to work for them. These are included in the existing Base User security role.

Sheikx800
Helper II

@joe_hannes_col - Given your mention of choosing the Dataverse DB, I have to say - Planning for success with this project meant I needed a proper database that could scale. I was completely blown away with what the Microsoft CDS/Dataverse platform is capable of. I walked into this thinking I would need to develop an SQL database from scratch and then after a few clicks found myself literally months down the development track without any of the work... Systems Analysts must froth over this stuff!

 

Thank you for all of that information and for narrowing down what I need to read up on!

 

There seem to be a number of extremely granular (see: daunting) security settings within the 'Dynamics' admin area for the dataverse. It doesn't appear from what you linked me that I need to worry about this stuff, which is good news. My use case is going to require record-specific restrictions for each user/group rather than simply restricting by table, so I am suspecting I am going to have to do a fair bit of configuration to make this work, but it's outlined as being possible, so I will have to get reading and have a play. I may pop back here to ask more about this later. The forums have been extremely helpful!

@HSheild - Thank you for the tip. I think I made an attempt to create one from scratch while playing around a while back and it did NOT go well!

 
