
Add ability to add Custom Connector with limited scope to DLP

There is another idea similar to mine here in the ideas section which should also be voted for

https://powerusers.microsoft.com/t5/PowerApps-Ideas/Add-ability-to-configure-DLP-for-custom-connecto...

 

I want to add that not only should there be a way to add a Custom Connector to your company's Data Loss Protection Policy (DLP) but also the ability to limit its scope. For instance, I've created a custom connector to a department database, even though my PowerApp will be available to all personnel in my company. The custom connector should not be allowed to be implemented into any other app that may be developed within the company.

 

Right now all connectors in the Business Data group are available for use within any department's PowerApp.

We need to not only be able to add Custom Connectors to the DLP business data only group but also be able to limit who can include the connector in their PowerApp.

 

Status: New
Comments
Level: Powered On

This is a great idea!  

Are you saying that O365 Admins need to set the permissions of the custom connector? I'd rather the user creating the custom connector be responsible for the permissions.

KC
Level 8

jcr5999,

Correct, sorry I was not more clear on that. The creator of the custom connector should have this ability since they are the most familiar with their datasources.

The admins should be able to override if required though.

Level: Power Up

To make sure we understand your request: When you create a custom connector, you would be able to decide whom to share it with. If you don't share with certain departments, won't it solve the problem of them not being able to see/use the custom connector in their apps?

KC
Level 8

Hi @Rohit_msft ,

Sorry for the late reply.

 

Most of the apps I create have to be shared with the entire Enterprise; this is worldwide, not just for a select few employees. All employees must have access in one form or another most of the time.

 

This was filed early last year, let me see if I can remember this correctly. 

 

Actually, any and all access to connections to the datasource(s) must be controlled, all actions must be verifiable as to who is performing an action on the datasource not just from within your own app but from the connection itself. 

 

The connections should always run with the permissions of the current user, not as the original creator. 

 

Sometimes, this does not happen often but it does happen from time to time, where we have to prove due diligence and chain of custody in court cases.

 

If you create your app within the default environment and because any creator in your enterprise has access to the default environment, they could potentially import your connections to their own apps if you share your app with them, which also shares your connections. 

 

The concern is that if another creator can include your connection in their own app, they would potentially be able to do what they wanted to with your data, since the connection would still run with the original creator's permissions; the original creator would be recorded as the person making the changes, not the new creator. Yes, you can in your own app record who is performing actions on your data, but you have no control over another creator's app.

 

I moved some of my apps into a department environment to try to prevent access to creators who are not part of our department from being able to import my connections.

 

Even so, even if you only develop within your own department's environment, there are instances where you do not want even your own co-workers to be able to run your connections with your credentials, i.e. Internal Investigations.

 

If your department co-worker is also a creator, then they more than likely will have access to not only the default environment but they will also have access to your department's environment.

 

This does not happen often but it has happened, where your co-worker is under investigation and most times they won't even know about the investigation, and they shouldn't know about the investigation, so you don't want to cut off their access and alert them. Your department co-workers could be in different countries or in your office space.

 

What happens if your co-worker is under investigation and they find out somehow that they are under investigation? What if the data that the connection has access to is part of an investigation? This is a serious issue if the connection runs as the original creator and not the person who is actually performing the actions.

 

Your co-worker could potentially delete information, act maliciously, delete or corrupt your database, destroying evidence and thus destroying chain of custody or worse.

 

 

 

KC
Level 8

Ok I see in the docs, it pays to re-read the docs, that even though your connections are shared, the user must create their own connection. https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app-resources

 

This should solve the part of the question of who is actually connecting and performing actions.

 

 

Level: Power Up

@KC: Thanks for the detailed reply.

Regarding connections and proving the chain: Yes, as you discovered, it's already supported today. The app developer can force the users to create a per user connection when they use the app.

Let me know if there's any other DLP ask with regards to custom connectors.

I am also curious to know if you were able to modify your app to use the per-user connections and if there are any other concerns you had along those lines.