Power Platform authorization

Posted by Microsoft Employee

I realized this is a better place to ask this question rather than other forums.

Let's consider the following scenario:

I have a user role called ROLE_A limiting rights to "(a) These users can read only rows from the Accounts table which belong to their own branch, but they cannot manipulate it. (b) These users can read only a subset of columns of the Accounts table.".

I also build a model-driven app for managing the Accounts table, with full authorization, let's call it ROLE_A_Extended. This model-driven app will have the full rights on this table.

I will give the users of ROLE_A access to this model-driven app.

Could you please help me understand the following:

  1. Are the ROLE_A users getting more rights because they have access to an app with ROLE_A_Extended? Or is the user role ROLE_A still enforced even though the application has ROLE_A_Extended?
  2. If they are actually getting more rights, how can I enforce that these users keep only their rights in ROLE_A (instead of getting ROLE_A_Extended)? Do I need to program/code every artifact in the app (data source connections, what is displayed in the tables in the app, the button visibilities in the app, etc.) to enforce such rights?

We can generalize this question not only to model-driven apps but also to other kinds of apps in the Power Platform.

Thank you.

  • Verified answer
    joe_hannes_col
    1,843 Super User 2024 Season 1

    Hello @Anonymous,

    Model-Driven Apps are based on Microsoft Dataverse as a database. In Dataverse, you can control user permissions using security roles.

    In your case, you would create at least two roles: ROLE_A and ROLE_A_Extended. You can assign these different roles to users directly, or you could assign these roles to teams consisting of multiple users, to make it easier to manage a larger number of users.

    Either way, you would give fewer permissions to ROLE_A, and more permissions to ROLE_A_Extended. Users with ROLE_A can then only perform the operations allowed by their permissions in any user interface: Model-Driven Apps, Canvas Apps, Power Automate, even the API...

    If you want to learn more about security roles, please check this documentation.

  • Community Power Platform Member
    Microsoft Employee

    Thanks @joe_hannes_col for the answer.

    I believe I understand the security (user permission) aspect of Microsoft Dataverse itself already. My confusion came from the application that uses a Microsoft Dataverse instance, based on the Microsoft documentation (see below). Now, I think it is clear from your answer: "Users with ROLE_A can then only perform the operations allowed by their permissions in any user interface".

    Source of confusion: The documentation from Microsoft has some statements that (as I interpreted them) indicate that the applications have their own security roles: https://learn.microsoft.com/en-us/training/modules/how-build-model-driven-app/06-control-security-share-model-driven-apps. Some example statements there are:

    • "One or more security roles must be assigned to the app. The apps that users can use depend on the security roles they are assigned to."
    • "First, associate one or more security role(s) with the app."

    Here, it seems that those roles need to be assigned later on to the users who are going to use the application. Still, the users seem to be accessing only the data they are allowed to: "Users who have this role can run an app in the environment and perform common tasks for the rows they own."
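
One way to check the verified answer's point that ROLE_A is enforced "even [in] the API", as an added example that is not part of the thread: the Dataverse Web API function `RetrievePrincipalAccess` reports the rights a user holds on a given row, and this helper compares that result with what ROLE_A is meant to allow. The organization URL, GUID placeholders, sample response bodies and helper names are constructed for illustration.

```python
import json
from urllib.parse import quote

# Row-level rights ROLE_A should hold on Accounts per the question: read only.
ROLE_A_ALLOWED = {"ReadAccess"}

# Constructed sample response bodies (not captured from a real environment).
SAMPLE_READ_ONLY = '{"AccessRights": "ReadAccess"}'
SAMPLE_OVER_PRIVILEGED = '{"AccessRights": "ReadAccess, WriteAccess, DeleteAccess"}'


def principal_access_url(org_url, user_id, account_id):
    """Build the GET URL for RetrievePrincipalAccess bound to one system user."""
    # The target row is passed as a parameter alias holding an @odata.id reference.
    target = quote("{'@odata.id':'accounts(%s)'}" % account_id, safe="")
    return (f"{org_url.rstrip('/')}/api/data/v9.2/systemusers({user_id})"
            f"/Microsoft.Dynamics.CRM.RetrievePrincipalAccess(Target=@tid)?@tid={target}")


def parse_access_rights(response_body):
    """Return the set of rights named in the comma-separated AccessRights string."""
    raw = json.loads(response_body).get("AccessRights", "")
    names = {part.strip() for part in raw.split(",")}
    # "None" is the enum value for no access; an empty part is just padding.
    return names - {"", "None"}


def excess_rights(response_body, allowed=ROLE_A_ALLOWED):
    """Rights the user holds on the row beyond what the role is meant to grant."""
    return sorted(parse_access_rights(response_body) - set(allowed))


if __name__ == "__main__":
    # Placeholder organization URL and ids; substitute real values when auditing.
    print(principal_access_url("https://yourorg.example", "<user-guid>", "<account-guid>"))
    for label, body in (("read-only user", SAMPLE_READ_ONLY),
                        ("over-privileged user", SAMPLE_OVER_PRIVILEGED)):
        extra = excess_rights(body)
        print(label, "->", "matches ROLE_A" if not extra else f"excess rights: {extra}")
```

This covers row-level rights only; the column subset in part (b) of the question is not reported by this function.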
