Governance and Security Management in Power Platform Solutions

Like (0) Share

Report

Posted on 1 Feb 2022 13:21:11 by Mister_Shaik

1,006

Hi everyone,

I want to know what best practices are being followed by the community for setting up governance for a Power App Solution and know if what I'm doing right now is up to the standard.

Currently for any solution, these are the steps I'm following for setting up security and governance.

Creating Security roles for Admins and Users - different privileges' on Dataverse tables based on role
Using admin center, creating teams for the 2 user profiles and assigning the security roles to them (team type can be either owner or AAD Security Group)
Granting access to users to the Canvas App
1. If we setup team type of "Owner" - I'm sharing the app with all users manually
2. If team type is AAD Security Group - them I'm just sharing the app with security group
On the power app, using the "Users" entity, I'm checking logged in users role and different capabilities based on role

Now here is the tricky part, which I'm not sure if I'm doing right

When a security role is created, I'm only granting them access to the Dataverse tables and configuring to allow them to be able to run flows - In the same security role, will I be able to define which canvas app the user has access to?
If I'm going for a "Owner" based team, Admins are able to add users to the Owner team, which is granting access to the users on Dataverse tables. But they are manually going back to Canvas app and sharing it separately - Is there any way to make it, such that whoever is added to the Owner team has access to the app, without admin explicitly sharing it ( maybe sharing the app with the Owner team)?

Any suggestions will be much appreciated! Keen to know how the community is handling the security and governance.

Kind Regards,

Shaik Sha

Categories:

Management

Environment

All responses (6)

Answers (1)

Devikumari Krishna 988 Super User 2024 Season 1 on 01 Feb 2022 at 15:01:19

Like (0)

Report

Re: Governance and Security Management in Power Platform Solutions

Hi @Mister_Shaik ,

As per my understanding you are assigning owner to the environment. This will only provide full control on the environment. But still not enough to share the canvas App. You need to use AAD group or Office 365 groups for the same.
If you use office 365 groups you can also assign the Microsoft team name to this group.

-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
My Blog: Dynamics 365 Key Topics – https://d365topicsbydk.com/

My YouTube Channel : https://www.youtube.com/channel/UCxSIryP2ah2VpEFr-Z72t1A

Regards
Devi
Mister_Shaik 1,006 on 01 Feb 2022 at 14:45:54

Like (0)

Report

Re: Governance and Security Management in Power Platform Solutions

Hi @DeviKrishna ,

Thanks for the response:)

Small correction, we are mainly talking about the "Owner" teams and AAD groups, not the O365 groups. I know we can share the app with a O365 group or and AAD Group, what I'm looking for is to be able to share the app with an "Owner" type team

Regards,
Shaik Sha
Devikumari Krishna 988 Super User 2024 Season 1 on 01 Feb 2022 at 14:26:39

Like (0)

Report

Re: Governance and Security Management in Power Platform Solutions

Hi @Mister_Shaik ,

Canvas Apps need to be shared separately. You can share to individuals/Everyone/User groups.
In your case User groups will work.

Login to https://admin.microsoft.com/Adminportal
Navigate to Users ->Teams and Groups
You can add members to this group.
When you share the App you can share it with this group

Reference Link : Share a canvas app with your organization - Power Apps | Microsoft Docs

-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
My Blog: Dynamics 365 Key Topics – https://d365topicsbydk.com/

My YouTube Channel : https://www.youtube.com/channel/UCxSIryP2ah2VpEFr-Z72t1A

Regards
Devi
joe_hannes_col 1,843 Super User 2024 Season 1 on 01 Feb 2022 at 14:21:09

Like (0)

Report
Re: Governance and Security Management in Power Platform Solutions

Hi @Mister_Shaik,

I can understand your point. I can think of two options:
Create an app that you can use to manage and keep track of the security groups you are creating for your apps. You should also be able to use this app to create AAD security groups and assign members, e.g. using the AAD connector in Power Automate:
https://powerautomate.microsoft.com/en-us/connectors/details/shared_azuread/azure-ad/
You could automatically sync membership of owner teams with AAD security groups by monitoring the teammembership_association table, which is the intersect table between the Team and User tables:
However, you would then obviously need one AAD security group for every owner team, so that would only make sense if you'd prefer managing the members of the owner team instead of the AAD security group 😉
Verified answer

Mister_Shaik 1,006 on 01 Feb 2022 at 13:51:52

Like (0)

Report

Re: Governance and Security Management in Power Platform Solutions

Hi @joe_hannes_col ,

I do want to use AAD security groups instead of Owner teams, and I have been using it for most of the solutions I build.

But as we are building more and more solutions, the number of security groups we need are increasing and we can't use a single set of groups to manage this, as the solutions are built to be accessed by a set of individuals or teams.

This is where we were thinking on how we can manage this more efficiently, and maybe somehow use the owner team itself just like how we are using the AAD groups.

Regards,
Shaik Sha
joe_hannes_col 1,843 Super User 2024 Season 1 on 01 Feb 2022 at 13:34:58

Like (1)

Report

Re: Governance and Security Management in Power Platform Solutions

Hi @Mister_Shaik,

Unfortunately, in contrast to model-driven apps, you cannot grant access to an app based on the user's security role in Dataverse.
However, if you want to streamline the process, you could assign a security role to an AAD security group (which you seem to be doing), and then share the app with this security group. If you add a new user to the team, you would automatically assign the security role for access to Dataverse and grant access to the app.
Sharing an app with an owner team is not possible.

Your overall approach to governance and security seems sound to me. If possible, I think you could simplify your security model if you switched to AAD security groups instead of owner teams.