max81
Impactful Individual

How to protect CDS environment with or without security group

Hello,

 

I'm confused because of these 2 cases:

1) I can create a Canvas App or a flow in a CDS environment that is secured by a Security Group and share it with users that are not members of this Security Group. No problem.

2) I cannot send an Approval out of the CDS environment that is secured by a Security Group to a user that is not a member of this Security Group. Error message ("user is not member of security group").

So my question is: how shall I set up my environment?

I want to have a protected environment called "IT solutions". In this environment with CDS, only a couple of users should have the rights for creating solutions, canvas apps, flows, custom connectors. All other users should only be able to use shared apps and flows and react to approvals.

How can I handle this?

 



Accepted Solutions

It sounds to me like you need 2 environments. One to build solutions, then export those to another environment for your other users to use. Can you clarify what you mean by Approvals?

Here is the doc on Security Groups: https://docs.microsoft.com/en-us/power-platform/admin/control-user-access

We are building a more traditional environment, DEV, TEST, & PROD. Controlling access to those via Security Groups, Business unit, Teams and Security Roles. Basically DEV is where everyone works and builds, and Developers are not in the SGs that are controlling our TEST and PROD environments. Test is basically the same, individuals who test are not allowed in DEV. PROD only has a few implementers.

v-xida-msft
Community Support

Hi @max81 ,

According to the issue that you mentioned, I think you have some misunderstanding of the "Security Group" in a CDS Environment.

Actually, the "Security Group" is used to control data access to Common Data Service in an Environment for users in your tenant. For your first case, please note that the "Sharing" mechanism of a canvas app in PowerApps is not related to "Security Group".

The "Sharing" mechanism of a canvas app is used to share canvas app Run or Edit permission to the users in your Org, it would not share the data source resource access permission to the users.

 

For your second case, if you create an Approval flow in your CDS Environment using Power Automate flow, it would essentially store the Approval flow record in Approval Entities in your Common Data Service. In other words, the "Approvals" functionality in Power Automate flow is based on the "Approval" Entities in your Common Data Service.

If you assign a "Security Group" to your current Environment, only users with Common Data Service licenses that are members of this security group will be created as users and enabled in the Common Data Service environment; the other users who are not members of this Security Group would be disabled in this Environment.

So the other users who are not members of this Security Group could not access the CDS data (including the "Approval" Entity) in your Environment. So you could not send an approval flow to a user outside the Security Group.

Best regards,

Community Support Team _ Kris Dai
max81
Impactful Individual

Thank you @v-xida-msft for that clarification. It helps indeed to understand it a little bit more.

Maybe you can also help me with the rest of my confusion.

 

 

But still my question:

I want to have a protected environment called "IT solutions". In this environment with CDS, only a couple of users should have the rights for creating solutions, canvas apps, flows, custom connectors. All other users should only be able to use shared apps and flows and react to approvals.

How can I handle this?

 

 

And also an additional question: where are Approvals stored in environments without CDS?

 

 


max81
Impactful Individual

Ok, it was a kind of misunderstanding of the security roles of CDS. I will therefore create a new topic.

 

Thanks for your feedback.
