
Expand CDM Permissions

Currently, users are able to create, read, write, and delete entities.

 

I am suggesting that PowerApps distinguish between reading data in the app and reading data in Excel (downloading the entity and opening it in Excel). As it is right now, users that you allow to Read can do both. I think that is a major security concern.

 

I filter all data that comes through all of my apps. I presume that everyone does as well--it is hard to imagine working with entire data sets all at once. I want my users to be able to filter all that data in app so I have to enable Read, but it's filtered on purpose: I don't want them seeing everything else. If PowerApps eventually allows the making of public apps, you also would not want your data freely downloaded and viewed.

 

That is why I am suggesting:

  • separate the "Read" permission into Read in PowerApps and Read in Excel or
  • provide a way to enable/disable downloading of an entity as a permission

 

Status: Under Review

@jonoluk to confirm status pls.

Comments
Level 10

I agree on this. CDM via Excel is a great way for reporting, but I do not want my users redesigning or publishing data all the time, so I should be able to control who can do what.

Level 10

@v-micsh-msft @sarafankit

 

Is there any way to lock down who can view the data in Excel without losing the ability to read the data within the app?

PowerApps Staff

@Vijeta/@jonoluk - is this possible?

Level 10

To be exact, if I have an app for showing grades, I would need to share the app and the associated entities with my users. My users are students and parents. If they have access to the entity, they could download the Excel file for that entity and see everyone's grades.

 

Distinguishing between "Read in app" and "Read in Excel" could be one solution. Or, perhaps making a permission for downloading the Entity could be another solution.

Microsoft Employee

Hi @mr-dang,

 

I'll break down your comments into two asks: the ability to prevent a user, the student in your example, from viewing records they should not have access to, and the ability to block reading data from Excel.


Regarding the former, Record Level Security (RLS) is on the roadmap for the Common Data Service and will provide the ability to restrict the data returned to a user from a given entity based on a policy an administrator defines. In your example, a policy would be created for a student role to only allow read access on records where the student in the record equals the current user.

 

In regards to restricting Excel reads, assuming the ability to set record level security is in place, do you still see a need to restrict reading data from Excel?

 

Thanks,
Matthew

Level 10

Thank you for the response, Matthew.

 

 

My district recently signed up for Office 365 for every student. The teacher accounts have been enabled, but not the student accounts yet. I have been building my apps on my own domain name instead. Since I cannot afford to pay monthly for users on my domain for 90+ students, I have all of my students use one login under my own domain name for PowerApps. They save that login so they do not have to type it in again. Their real login is within the app itself. 

 

Each student has been given a username/password. But that information is stored in an entity. The app will perform a lookup to match what the student inputs against what is in the entity. In my situation, the limitation of Record Level Security is that all my students use the same O365 account. This means I cannot benefit from RLS, since each row would be associated with the same account for access.

 

I played out some other scenarios for RLS. Suppose that all 90+ of my students had their own O365/PowerApps account username and password instead of sharing just one. Just to clarify, with RLS, I could create a policy for "Student" where some entities only have read access for records associated with their Username. Could I still make other entities available without requiring the username-association? Could Users be assigned multiple policies?

 

I will have to revisit this after playing out more scenarios to see if RLS solves the need to restrict Excel data.

Level 10

@maertenm,

 

Do you know if Record Level Security will also allow you to limit the writing to Excel?

 

For an app for Grades, I think your description of RLS would work. That is because I, as the teacher, am the sole content creator, so only I would need permission to create, update, read, and delete. The student is not the one who inputs grades, so they would only need permission to read--and with RLS, they would only be able to read their grades that are linked to their account.

 

Suppose instead that you had an app where students were expected to create, update, and read data. For instance, in a game where students pick up items, they will write data back to the source, so they need the create permission. They can view their items later when they read their data. If they use the item or gain one more of that item, they update the quantity. The three actions are limited to the conditions specified from within the app. However, the three actions can be manipulated in Excel by a student account, which requires permission to create/update/read--the app would not work otherwise. If RLS works the way it is described, then the records linked to the student would still have their security at risk.

 

If there is a permission to enable/disable downloading or viewing of the Excel file, an unauthorized user could not manipulate your data.
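The point the thread keeps circling back to is that a filter applied inside the app is not a permission: anything the account can read at the entity level can also be pulled unfiltered through Excel (or the entity page), and any create/update the account holds can be exercised there too. The following is an added illustration written for this thread, not code from PowerApps or the Common Data Service. It models a toy data service with entity-level permissions, shows the in-app filter versus the raw export, and then applies a record-level policy of the kind Matthew describes (read only records where the student equals the current user) to both reads and updates. Role names, the `Grades` rows and the `OWN_RECORDS` policy are all made up for the example.

```python
from typing import Callable, Dict, List
from dataclasses import dataclass

# Constructed sample data: a "Grades" entity as the thread describes it.
GRADES: List[dict] = [
    {"id": 1, "student": "alice", "course": "Algebra", "score": 91},
    {"id": 2, "student": "bob",   "course": "Algebra", "score": 78},
    {"id": 3, "student": "alice", "course": "History", "score": 85},
]

@dataclass(frozen=True)
class User:
    name: str
    role: str  # hypothetical role names: "teacher" or "student"

# Entity-level permissions per role, the only kind the thread says exists today.
# Students hold "update" as well, to model the inventory-game scenario.
ENTITY_PERMS: Dict[str, set] = {
    "teacher": {"create", "read", "update", "delete"},
    "student": {"read", "update"},
}

class EntityLevelStore:
    """Toy data service that checks only entity-level permissions."""
    def __init__(self, rows: List[dict]):
        self.rows = [dict(r) for r in rows]

    def _check(self, user: User, op: str) -> None:
        if op not in ENTITY_PERMS.get(user.role, set()):
            raise PermissionError(f"{user.name} lacks {op} on Grades")

    def read(self, user: User) -> List[dict]:
        self._check(user, "read")
        return [dict(r) for r in self.rows]          # the whole entity

    def update(self, user: User, row_id: int, **changes) -> dict:
        self._check(user, "update")
        for r in self.rows:
            if r["id"] == row_id:
                r.update(changes)
                return dict(r)
        raise KeyError(row_id)

Policy = Callable[[User, dict], bool]

class RecordLevelStore(EntityLevelStore):
    """Same service plus a per-role record policy enforced on every read and write."""
    def __init__(self, rows: List[dict], policies: Dict[str, Policy]):
        super().__init__(rows)
        self.policies = policies

    def _allowed(self, user: User, row: dict) -> bool:
        policy = self.policies.get(user.role)
        return True if policy is None else policy(user, row)

    def read(self, user: User) -> List[dict]:
        return [r for r in super().read(user) if self._allowed(user, r)]

    def update(self, user: User, row_id: int, **changes) -> dict:
        self._check(user, "update")
        row = next((r for r in self.rows if r["id"] == row_id), None)
        # Deny if the row is outside the policy, or if the change would move it outside
        # (e.g. a student reassigning their row to someone else).
        if row is None or not self._allowed(user, row) or not self._allowed(user, {**row, **changes}):
            raise PermissionError(f"{user.name} may not update record {row_id}")
        row.update(changes)
        return dict(row)

# Hypothetical policy: a student sees only records where the student field equals the current user.
OWN_RECORDS: Policy = lambda user, row: row["student"] == user.name

def app_view(store: EntityLevelStore, user: User) -> List[dict]:
    """What the app shows: filtered on the client, as the poster describes."""
    return [r for r in store.read(user) if r["student"] == user.name]

def excel_export(store: EntityLevelStore, user: User) -> List[dict]:
    """What 'open in Excel' gives: the raw entity read, no app filter applied."""
    return store.read(user)

def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused by the data service."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True

def demo() -> dict:
    bob, teacher = User("bob", "student"), User("mr_dang", "teacher")
    plain = EntityLevelStore(GRADES)
    rls = RecordLevelStore(GRADES, {"student": OWN_RECORDS})
    return {
        "app_rows_plain": len(app_view(plain, bob)),              # app filter hides others
        "export_rows_plain": len(excel_export(plain, bob)),       # export does not
        "export_rows_rls": [r["id"] for r in excel_export(rls, bob)],
        "own_update_ok": rls.update(bob, 2, score=80)["score"],
        "other_update_denied": denied(rls.update, bob, 1, score=100),
        "reassign_denied": denied(rls.update, bob, 2, student="alice"),
        "teacher_export_rows": len(excel_export(rls, teacher)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under entity-level permissions the app view for `bob` is one row while the export is all three; with the record policy the export collapses to his own row, his own update goes through, and updates to another student's record (or reassigning his own record to someone else) are refused at the data layer rather than by the app. That is the property the requested "read in app versus read in Excel" split is trying to achieve by other means.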

Level 10

Could we get an update on this?

 

It's important to distinguish between reading data in app and reading data in the Excel Add-in.

Power Automate Staff
Status changed to: Under Review

@jonoluk to confirm status pls.

Level: Powered On

Is there any progress?

 

Users can read data at the CDM entity web page, not only in Excel.

Normal users do not need to access powerapps web page.

Please let us control who can access the backend, read data, and download Excel.