Power Platform user roles - Change resonates to all environments?

(0) Share

Report

Posted on by VilPel

287

Hello all,

I have a Power Platform architecture where I'm developing a canvas app in environment DEV, and pushing a managed solution package to environment PROD every once in a while. My problem/question is with the user roles as I'm using Dataverse as my data source and I need to ensure row-level security in the PROD environment as the content in there is very confidential.

Let's say Developer A develops the canvas app solution and database in environment DEV so they need the "System administrator" user role. I don't want Developer A to have "System administrator" user role in environment PROD as the admin user role has full access to Dataverse tables in the environment.

For some reason I have seen behavior where assigning admin role in the DEV environment also resonates to the PROD environment even though the PROD environment user roles weren't touched in the PROD environment.

Is it supposed to work like that? Is there any way I could control the user roles so that they don't resonate between environments?

Thanks in advance,

Ville

Categories:

Environment

Management

All responses (5)

Answers (0)

Devikumari Krishna 988 Super User 2024 Season 1 on at

Like (0)

Report

Re: Power Platform user roles - Change resonates to all environments?

Hi @VilPel ,

At tenant level the developer has power platform admin access(full access on Dynamics 365 , power automate and Powerapps).Remove this access.
I suggest you create a security group and assign it to Prod environment. Only members who belong to that group can access P system. Assign the developer ID which is required to do deployments to the same group. Developer ID can have only system admin and environment admin access enabled for him in Prod environment.
-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
My Blog: Dynamics 365 Key Topics – https://d365topicsbydk.com/

My Youtube Channel : https://www.youtube.com/channel/UCxSIryP2ah2VpEFr-Z72t1A

Regards
Devi
VilPel 287 on at

Like (0)

Report

Re: Power Platform user roles - Change resonates to all environments?

Hi,

Yes, I know how to remove the admin role in the PROD environment. But the problem is I have to do it pretty often as the roles seem to resonate to the PROD environment for some reason.

I just did a test 30 minutes ago where I unassigned all system admin roles from the PROD environment but after a while the system admin role was assigned automatically to one of the developers in the PROD environment. I asked what actions did he do in the DEV environment during that period and he said he only create a new canvas app in the DEV environment and extended his Power Apps trial.

Could it also be that the developer's user has the following admin roles in Office 365?

Ville
Devikumari Krishna 988 Super User 2024 Season 1 on at

Like (0)

Report

Re: Power Platform user roles - Change resonates to all environments?

Hi @VilPel ,

Yes. Definitely not solution movement. Follow my steps below and check the security role once. If System admin access is there - remove that access in prod environment for the user.

-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
My Blog: Dynamics 365 Key Topics – https://d365topicsbydk.com/

My YouTube Channel : https://www.youtube.com/channel/UCxSIryP2ah2VpEFr-Z72t1A

Regards
Devi
VilPel 287 on at

Like (0)

Report

Re: Power Platform user roles - Change resonates to all environments?

Hi,

Thank you for the quick response. So you are saying that the solution movement is NOT the cause for this issue? Do you have an idea what could it be then? Something to do with Office 365 user roles?

Ville
Devikumari Krishna 988 Super User 2024 Season 1 on at

Like (0)

Report

Re: Power Platform user roles - Change resonates to all environments?

Hi @VilPel ,
The user role from one environment may not get resonated to another environment as part of solution movement.

Please login as admin into https://admin.powerplatform.microsoft.com
Click on Environment
Choose the prod environment
Navigate to Settings->Users+Permissions->Users.
Select the user.

or
Login to https://make.powerapps.com/
Choose the environment. Navigate to Settings->Advanced Settings
Navigate to Security->Users->Choose the User ->Manage Roles

Remove security role that grants the specific user full access on records.

-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
My Blog: Dynamics 365 Key Topics – https://d365topicsbydk.com/
My YouTube Channel : https://www.youtube.com/channel/UCxSIryP2ah2VpEFr-Z72t1A

Regards
Devi