Announcements
Hello,
I am just a regular maker and administrator of PowerApps.As it's possible to every maker to upload PCF found over the wed and use it into their apps, I would like to know if it's safe to let code "injected" in our app. Is there any leaks risk ?
Thx
Hi @Anonymous ,
The PCF is written by a developer, and he/she is free to make requests (will run under your name), change the DOM content, so there might be a risk. That's why it's good to check the PCFs beforehand. In my opinion you always have this risk if you don't check the imported content; even if a LowCode ( CanvasComponent ) is imported, not only with the PCFs.
But the PCFs cannot be free imported in the CanvasApps. First the PCF-Solution (.zip) has to be installed in your organization. For that they need the right "System Customizer", while for making Apps they need "Environment Maker". Maybe you can decide by role, who's allowed to import PCFs.
Maybe this helps: https://docs.microsoft.com/en-us/power-platform/admin/database-security
That's only my opinion. I must say that usually I just write code, and don't care about the governance. Maybe this still helps.
Kind regards,
Diana
Thank you for your comprehensive answer.
I will check the roles, but I fear that Environment Maker is assigned by default to all my users.
That would be ok; so they can make Apps.
I think that if they don't have the SystemCustomizer role, they cannot import the PCFs in your organization, so they cannot use them in the Apps. This way the SystemCustomizers can decide which PCFs are allowed to be used.
Under review
Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.
Congratulations to our 2026 Super Users!
Congratulations to our 2025 community superstars!
These are the community rock stars!
Stay up to date on forum activity by subscribing.
WarrenBelz 542 Most Valuable Professional
Haque 206
Kalathiya 201 Super User 2026 Season 1
