I was wondering if it was possible to restrict specific users from accessing dataverse information outside of a Canvas app.
For most of our users we use the web link for them to access a canvas app on each of their computers. Using the app in this way only allows for data to be accessed using the linked Canvas app. However a user could log into powerapps from Microsoft's home page bringing them to the PowerApps' home screen. Here they have access to Dataverse tables, option sets, flows and can create apps. From my testing even giving a user no permissions within the environment still allows them a shocking amount of access to your data. They can access any of your dataverse tables, delete tables and edit records. They can't create tables citing "you are missing the necessary privilege to create tables" so I know something is preventing them from having completely unrestricted access. To apply security roles I am going to the admin center then Environments/"Environment name"/Settings/Users/Manage security roles. Are security roles managed somewhere else in the admin center?
What is the purpose of creating specific user privileges when a user can open the environment and subvert all of the carefully designed controls in a canvas app? What am I missing here?
Any help is appreciated.
