Best Practices for Environments-Security Groups-Teams-User


Hi Community, 

 

I am not sure if this is the right place, but I haven't found any "admin" section in the Power Platform Subforums. 

I am currently looking at the creation of environments and I found that there are multiple ways to set things and accesses as there are the environments themselves, security group, teams, users and roles.

 

I also tried online research but I haven't found any good description or advice on how to make the best use of them. 

This is what I made up so far:

 

Security Groups as a pre-filtering. If there is already a Teams team/SharePoint team or whatever, you can make use of that to prefilter. However, I do not know if it's reasonable to create a security group for each environment (and so for each solution because of DLP reasons). 

 

Teams. I would go for a "Developer"-Team to assign developers to it and the related role to it. This should ease that I do not have to assign roles to each of the developers separately. 

 

However, I think that there might be better approaches based on experience towards this.

 

Maybe you can give me some advice/experience in this context? 
Thanks a lot in advance.

  • velegandla 202 on at
    Re: Best Practices for Environments-Security Groups-Teams-User

    I get the point of the AD Group - however, in our case, this would mean that we have to create a lot of AD groups which can mess up the AD system itself because of various reasons. Having too many AD groups is definitely not a good way to resilience.

    This is why I wanted to understand the "Teams" and "Users" a little bit better - maybe there is something of interest for us and best practices here would be superb.

     

    So far, I could imagine that the security Group is used for prefiltering if there is no fitting group - if there is a fitting group already then use it as final filtering.

    For separating between admins and developers, use the teams to create two teams. I guess apps have to be shared anyway separately?

     

    And so on, but I am not sure if this is a good approach. 

     


    In your environment strategy, I would ask whether these questions have been answered, if not answered before.

     

    • Who will create the environments and manage it? 
    • Does the user access control need to be part of env admins or IT department managing AD groups? 
    • What is the risk if env admins add more people or grant access without IT control?
    • How many AD groups are too many? 
    • How many environments are too many?
    • Has every professionally built project got different developers or the same?
    • Is each application's business impact and criticality being answered before creation of the environment?

    Once you answer those questions, then I would decide AD groups or Teams.

     

    You can use teams in Dataverse and add users, which means the system admins of the env have the control. Do you have a process to train the system admins? If not, what is the risk?

     

    If you like to manage the access, then Teams are a great way to manage. If you would like to manage from central, then AD groups.

     

    In a nutshell.

    If the application is low critical and the business impact is less, then I might go with Teams for managing access and will train the admins to monitor it. 

     

    If the application is high critical and has a major impact on business, I prefer a centrally managed access system. 

     

    Every organization is different and there is no one way to do as long as expectations of benefits and risks are understood and communicated with all the relevant stakeholders.

     

    For sharing the apps you can use the AD groups as well. Yes, once the apps are developed you need to share them explicitly. 

    ====================================================

    If this response helped you in any way, please give kudos by clicking the 'Thumbs Up'/'Like' button and/or marking it as an 'Accepted Solution'. This helps others by providing a quick way to identify likely solutions to their issues.

    https://www.linkedin.com/in/devendravelegandla/ 

  • BennyS27 36 on at
    Re: Best Practices for Environments-Security Groups-Teams-User

    Hi @Velegandla ,

     

    thank you for your fast response.

     

    We have indeed an environment strategy so far. We are creating a set of environments for every "professionally" built solution including Dev-Test-Prod. All processes to get there and forth are set and properly implemented. User management is currently done manually, which is why I wanted to understand all capabilities and possibilities within the admin center to have a better overview.

     

    I get the point of the AD Group - however, in our case, this would mean that we have to create a lot of AD groups which can mess up the AD system itself because of various reasons. Having too many AD groups is definitely not a good way to resilience.

    This is why I wanted to understand the "Teams" and "Users" a little bit better - maybe there is something of interest for us and best practices here would be superb.

     

    So far, I could imagine that the security Group is used for prefiltering if there is no fitting group - if there is a fitting group already then use it as final filtering.

    For separating between admins and developers, use the teams to create two teams. I guess apps have to be shared anyway separately?

     

    And so on, but I am not sure if this is a good approach. 

     

  • velegandla 202 on at
    Re: Best Practices for Environments-Security Groups-Teams-User

    @BennyS27 :

     

    If you do not have any env strategy, the first step is to define how you want to structure your environments.

     

    Are the environments used by business users to develop apps or by pro devs?

     

    Once you define that, you can have a separate approach for each category.

     

    For business users, you can have DEV and PROD environments, whereas for Pro Devs you need to have DEV/TEST/UAT and PROD environments. 

     

    It seems in your case you got developers who are building solutions. So start with Azure AD group for Developers and associate the AD group to a TEAM in DEV environment. In this case only your developer team will develop the solutions. 

     

    According to who needs access for TEST/UAT/PROD - you can create separate AD groups and manage the users for each scenario.

     

    Sometimes, less is better.

     

    Also, keep an eye on new changes coming to environments, such as grouping, leveraging managed environments etc., which could help further in managing and securing the environments.

     

    Hope this gives a starting point. 
