Power Apps Security with Common Data Service
BY: ISHA KAPOOR | M365 ENTERPRISE CHAMPION | FORMER MVP
M365LEARNING.COM
Premium Content
This document is a premium content offering–
part of enterprise software strategy and M365
Power Solutions.
Visit: http://m365learning.com/ for more info.
Power Apps and Common Data Service (CDS)
Common Data Service, the underlying data platform for Power Apps, handles security from user
authentication to authorization that allows users to perform actions with data and services.
Security in Common Data Service can be implemented as a simple security model with broad access all the
way to highly complex security models where users have specific record and field level access.
In this presentation, we’ll look at the different options that you can use to implement granular security for your
Power Apps app connected with Common Data Service.
Security in Common Data Service
The following is a high-level overview of how the security model is implemented in Common Data
Service.
• Users are authenticated by Azure Active Directory (Azure AD).
• Licensing is the first control-gate to allowing access to Power Apps components.
• Ability to create applications and flows is controlled by security roles in the context of
environments.
• A user's ability to see and use apps is controlled by sharing the application with the user.
Sharing of canvas apps is done directly with a user or Azure AD group (or security group) but
is still subject to Common Data Service security roles. Sharing of model-driven apps is done
via Common Data Service security roles.
• Environments with Common Data Service add support for more advanced security models
that are specific to controlling access to data and services in the Common Data Service
environment.
Implement Security in Common Data Service
Options:
• Security using teams – owner & access teams
• Record-level security using sharing
• AAD security groups and AAD Office groups
Key components of a user’s role in CDS: Roles, Teams, Business Units
I. SECURITY USING TEAMS – OWNER & ACCESS TEAMS
[Diagram: Role-based security in CDS – Business Unit; Roles (assigned to / inherited by); Users; Teams; Common Data Service]
[Diagram: Types of Teams – Owner Teams and Access Teams; Business Units]
Owner Teams
Owner teams are groups like SharePoint or
Office 365 Groups with pre-assigned
security roles and a set of Members.
Admins can create Owner Teams and add
Members directly to it.
Security Roles can be assigned to an Owner
Team from All Teams window in
environment’s settings in Power Platform
admin center.
Access Teams
Access teams are tied to one or more Access Templates that
define the privileges of users on records owned by these
access teams.
Access teams are created per CDS record, often dynamically
with users added to them in response to end-user’s actions.
Roles are inherited by users as per the template assigned to the
Access team.
[Diagram: Entity; Access Template with Read rights; Access Template with Read, Write, Append to, Assign, Share rights; Access Teams 1–4]
Access Teams properties
• In Access Teams, the permissions are granted to the records via sharing.
• Rapidly changing team memberships
• Allows for >1,000 team memberships per user
• Individual record-based access
• Owner of the record allowed to define access to other users
• Can accommodate varying levels of group access types to records
While Access teams provide access to a
group of users, you must still associate
individual users with security roles that
grant the privileges they need to create,
update, or delete user-owned records.
These privileges cannot be applied by
assigning security roles to a team and then
adding the user to that team.
Sharing an Individual CDS Record
An individual record can be shared using the Share button in the command bar of your model-app.
• With the new Common Data Service (current environment) connector, this can be achieved using
Microsoft Power Automate (or MS flow).
Let’s look at an example of how to configure this using Power Automate.
II. RECORD-LEVEL SECURITY USING SHARING
Before you share a record, make sure
that your users have at least a user level
security role assigned on the record’s entity.
Common Data
Service (Current
Environment)
With Power Automate (previously
MS flow), you can use the premium
connector Common Data Service
(Current Environment) and Perform
an unbound action, which lets you
grant individual users access to a CDS
record based on conditions.
GrantAccess
Use Grant access from the Perform an
unbound action options to grant
access to individual CDS records.
PrincipalAccess
• Use JSON to add PrincipalAccess
• Add target with unique Id for entity.
• Add systemuserid or teamid and add the appropriate id for user or team.
• Add the AccessMask such as ReadAccess or WriteAccess
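The request body described in the bullets above, as an added example that is not part of the original slides: a Python helper that builds the GrantAccess Target and PrincipalAccess JSON and rejects malformed or over-broad grants before they reach the flow. The function names, the `<entity>id` primary-key default, the opt-in rule for delete/share/assign rights and the sample GUIDs are assumptions made for illustration.

```python
import json
import re
import uuid

# Names from the Dataverse AccessRights enum; the slides cite ReadAccess and
# WriteAccess as examples. The order here fixes the order used in AccessMask.
ACCESS_RIGHTS = ("ReadAccess", "WriteAccess", "AppendAccess", "AppendToAccess",
                 "CreateAccess", "DeleteAccess", "ShareAccess", "AssignAccess")
# Assumption (policy of this example, not a platform rule): rights that let the
# grantee delete the record or pass access on to others must be opted into.
SENSITIVE_RIGHTS = frozenset({"DeleteAccess", "ShareAccess", "AssignAccess"})
# Principal entity name -> its id attribute, as listed on the slide.
PRINCIPAL_ID_FIELD = {"systemuser": "systemuserid", "team": "teamid"}

# Constructed sample identifiers, not real records.
SAMPLE_RECORD_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_USER_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def normalize_guid(value, label):
    """Return the canonical lowercase GUID string or raise ValueError."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError as exc:
        raise ValueError(f"{label} is not a valid GUID: {value!r}") from exc


def build_grant_access(entity, record_id, principal_type, principal_id,
                       rights, id_field=None, allow_sensitive=False):
    """Build the GrantAccess parameters (Target + PrincipalAccess) as a dict.

    entity         -- logical name of the shared record's entity, e.g. "account"
    id_field       -- primary-key attribute; defaults to "<entity>id" (assumption,
                      pass it explicitly for entities that name it differently)
    principal_type -- "systemuser" or "team"
    rights         -- one access right name or an iterable of them
    """
    if not re.fullmatch(r"[a-z][a-z0-9_]*", entity):
        raise ValueError(f"unexpected entity logical name: {entity!r}")
    if principal_type not in PRINCIPAL_ID_FIELD:
        raise ValueError("principal_type must be 'systemuser' or 'team'")

    requested = {rights} if isinstance(rights, str) else set(rights)
    if not requested:
        raise ValueError("at least one access right is required")
    unknown = requested - set(ACCESS_RIGHTS)
    if unknown:
        raise ValueError(f"unknown access rights: {sorted(unknown)}")
    risky = requested & SENSITIVE_RIGHTS
    if risky and not allow_sensitive:
        raise ValueError(f"sensitive rights need allow_sensitive=True: {sorted(risky)}")

    return {
        "Target": {
            "@odata.type": f"Microsoft.Dynamics.CRM.{entity}",
            id_field or f"{entity}id": normalize_guid(record_id, "record_id"),
        },
        "PrincipalAccess": {
            "Principal": {
                "@odata.type": f"Microsoft.Dynamics.CRM.{principal_type}",
                PRINCIPAL_ID_FIELD[principal_type]:
                    normalize_guid(principal_id, "principal_id"),
            },
            # Several rights are sent as one comma-separated enum string.
            "AccessMask": ", ".join(r for r in ACCESS_RIGHTS if r in requested),
        },
    }


if __name__ == "__main__":
    body = build_grant_access("account", SAMPLE_RECORD_ID, "systemuser",
                              SAMPLE_USER_ID, ["WriteAccess", "ReadAccess"])
    print(json.dumps(body, indent=2))
```

The `Target` and `PrincipalAccess` objects it prints are the two values to paste into the corresponding inputs of the unbound action.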
Things to Note
• User permission roles are only granted within a single database and are individually tracked in
each Common Data Service database.
• All access is accumulative across all concepts in the scope of a Common Data Service database
environment:
◦ the teams they are members of
◦ and the records that are shared with them
• For sharing records, users must have at least a user level security role assigned to the record's entity.
Sharing with Azure AD or Office 365 Groups
Sharing your model-app with an Azure AD group or a security group synced from your on-prem Active
Directory is possible using the AAD Security group option in PowerApps Teams.
Groups supported are:
• Azure AD group
• On-prem synced security group
• Office 365 Group
All the above team types can be mapped with a security role which eliminates the need to individually
assign a role to users that’ll be part of these teams.
III. AAD SECURITY GROUPS AND AAD OFFICE GROUPS
When you assign a role to a team, you do
not need to assign users a minimum
level security role on the record’s entity.
See related M365 Learning Video @ https://youtu.be/Yf3JEjwYEM8
Power Apps
Group Team
In the Power Platform (with CDS)
environment’s settings, create a new
Team under Teams.
In the new Team, select Team Type as
AAD Security group to map it with your
security groups from Azure AD.
For Object Id move to the next slide.
Azure AD
Security group
Configure a Security group in
Azure AD or use the security
group synced from Active
directory.
Copy the Object Id and add to
your group team created
previously.
Assign Role to
your Team
Navigate to Dynamics legacy settings
to assign a Role to your new AAD Group
Team.
Once you add a security role to the
team, individual users do not need to
have a security role individually
assigned to them. All access will be
managed through the team’s role.
So, how is user access determined, you ask?
It is the combination of all their security roles, the business unit they are associated
with, the teams they are members of, and the records that are shared with them.
THANK YOU!

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 

Manage security in Model-app Power App with Common data service

  • 1. Power Apps Security with Common Data Service BY: ISHA KAPOOR | M365 ENTERPRISE CHAMPION | FORMER MVP M365LEARNING.COM
  • 2. Premium Content: This document is a premium content offering, part of enterprise software strategy and M365 Power Solutions. Visit http://m365learning.com/ for more info.
  • 3. Power Apps and Common Data Service (CDS) Common Data Service, the underlying data platform for Power Apps, handles security from user authentication to the authorization that allows users to perform actions with data and services. Security in Common Data Service can be implemented as a simple security model with broad access, all the way to highly complex security models where users have specific record- and field-level access. In this presentation, we’ll look at the different options that you can use to implement granular security for your Power Apps app connected with Common Data Service.
  • 4. Security in Common Data Service The following is a high-level overview of how the security model is implemented in Common Data Service. • Users are authenticated by Azure Active Directory (Azure AD). • Licensing is the first control gate for allowing access to Power Apps components. • The ability to create applications and flows is controlled by security roles in the context of environments. • A user's ability to see and use apps is controlled by sharing the application with the user. Sharing of canvas apps is done directly with a user or Azure AD group (or security group) but is still subject to Common Data Service security roles. Sharing of model-driven apps is done via Common Data Service security roles. • Environments with Common Data Service add support for more advanced security models that are specific to controlling access to data and services in the Common Data Service environment.
  • 5. Implement Security in Common Data Service. Options: I. Security using teams (owner and access teams); II. Record-level security using sharing; III. AAD security groups and AAD Office groups.
  • 6. Key Components of a user’s role in CDS: Roles, Teams, Business Units. (I. SECURITY USING TEAMS – OWNER & ACCESS TEAMS)
  • 7. Role-based security in CDS [diagram labels: Business Unit; Role-based security; Roles; Assigned to; Inherited by; Users; Teams; Common Data Service]. (I. SECURITY USING TEAMS – OWNER & ACCESS TEAMS)
  • 8. Types of Teams: Owner Teams and Access Teams [diagram labels: Business Units; Teams]. (I. SECURITY USING TEAMS – OWNER & ACCESS TEAMS)
  • 9. Owner Teams Owner teams are groups, like SharePoint or Office 365 Groups, with pre-assigned security roles and a set of Members. Admins can create Owner Teams and add Members directly to them. Security Roles can be assigned to an Owner Team from the All Teams window in the environment’s settings in the Power Platform admin center.
  • 10. Access Teams Access teams are tied to one or more Access Templates that define the privileges of users on records owned by these access teams. Access teams are created per CDS record, often dynamically, with users added to them in response to end users’ actions. Roles are inherited by users as per the template assigned to the Access team. [Diagram: an Entity with an Access Template with Read rights and an Access Template with Read, Write, Append to, Assign, Share rights; Access Team 1, Access Team 2, Access Team 3, Access Team 4.]
  • 11. Access Teams properties In Access Teams, the permissions are granted to the records via sharing. • Rapidly changing team memberships • Allows for >1,000 team memberships per user • Individual record-based access • Owner of the record allowed to define access to other users • Can accommodate varying levels of group access types to records. While Access teams provide access to a group of users, you must still associate individual users with security roles that grant the privileges they need to create, update, or delete user-owned records. These privileges cannot be applied by assigning security roles to a team and then adding the user to that team. (I. SECURITY USING TEAMS – OWNER & ACCESS TEAMS)
  • 12. Sharing an Individual CDS Record An individual record can be shared using the Share button in the command bar of your model-driven app. With the new Common Data Service (current environment) connector, this can be achieved using Microsoft Power Automate (or MS flow). Let’s look at an example of how to configure this using Power Automate. Before you share a record, make sure that your users have at least a user-level security role assigned on the record’s entity. (II. RECORD-LEVEL SECURITY USING SHARING)
  • 13. Common Data Service (Current Environment) With Power Automate (previously MS flow), you can use the premium connector Common Data Service (Current Environment) and its Perform an unbound action step, which lets you grant individual users access to a CDS record based on conditions.
  • 14. GrantAccess Use GrantAccess from the Perform an unbound action options to grant access to individual CDS records.
  • 15. PrincipalAccess • Use JSON to add PrincipalAccess • Add target with unique Id for entity. • Add systemuserid or teamid and add the appropriate id for user or team. • Add the AccessMask such as ReadAccess or WriteAccess II. RECORD-LEVEL SECURITY USING SHARING
  • 16. Things to Note • User permission roles are only granted within a single database and are individually tracked in each Common Data Service database. • All access is cumulative across all concepts in the scope of a Common Data Service database environment: the teams users are members of and the records that are shared with them. • For sharing records, users must have at least a user-level security role assigned on the record’s entity. (II. RECORD-LEVEL SECURITY USING SHARING)
  • 17. Sharing with Azure AD or Office 365 Groups Sharing your model-driven app with an Azure AD group or a security group synced from your on-prem Active Directory is possible using the AAD Security group option in PowerApps Teams. Groups supported are: • Azure AD group • On-prem synced security group • Office 365 Group. All the above team types can be mapped to a security role, which eliminates the need to individually assign a role to the users that will be part of these teams. When you assign a role to a team, you do not need to assign users a minimum-level security role on the record’s entity. See related M365 Learning Video @ https://youtu.be/Yf3JEjwYEM8 (III. AAD SECURITY GROUPS AND AAD OFFICE GROUPS)
  • 18. Power Apps Group Team In the Power Platform (with CDS) environment’s settings, create a new Team under Teams. In the new Team, select AAD Security group as the Team Type to map it to your security groups from Azure AD. For the Object Id, see the next slide. See related M365 Learning Video @ https://youtu.be/Yf3JEjwYEM8 (III. AAD SECURITY GROUPS AND AAD OFFICE GROUPS)
  • 19. Azure AD Security group Configure a security group in Azure AD or use the security group synced from Active Directory. Copy the Object Id and add it to the group team you created previously. See related M365 Learning Video @ https://youtu.be/Yf3JEjwYEM8
  • 20. Assign Role to your Team Navigate to the Dynamics legacy settings to assign a Role to your new AAD Group Team. Once you add a security role to the team, individual users do not need to have a security role individually assigned to them. All access will be managed through the team’s role. See related M365 Learning Video @ https://youtu.be/Yf3JEjwYEM8
  • 21. So, how is user access determined, you asked? It is the combination of all their security roles, the business unit they are associated with, the teams they are members of, and the records that are shared with them.
  • 22. This document is a premium content offering, part of enterprise software strategy and M365 Power Solutions. Visit http://m365learning.com/ for more info. THANK YOU!
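
The Target and PrincipalAccess JSON that slides 13 to 15 describe for GrantAccess, as an added example (not part of the original deck): a Python helper that builds both values and rejects principals or access rights outside an allow-list before anything is sent to the connector. The function name, the sample GUIDs and the assumption that the record's key attribute is named `<entity>id` are illustrative.

```python
import json
import re
import uuid

# AccessRights flag names accepted in AccessMask by the GrantAccess action.
ACCESS_RIGHTS = (
    "ReadAccess", "WriteAccess", "AppendAccess", "AppendToAccess",
    "CreateAccess", "DeleteAccess", "ShareAccess", "AssignAccess",
)
# Principal kinds named on slide 15, mapped to their key attribute.
PRINCIPAL_KEYS = {"systemuser": "systemuserid", "team": "teamid"}


def _guid(value):
    """Return the canonical lowercase GUID string, or raise ValueError."""
    return str(uuid.UUID(str(value)))


def build_grant_access(entity, record_id, principal_type, principal_id, rights):
    """Build the Target / PrincipalAccess body for the GrantAccess action."""
    if not re.fullmatch(r"[a-z][a-z0-9_]*", entity):
        raise ValueError("entity must be a logical name such as 'account'")
    if principal_type not in PRINCIPAL_KEYS:
        raise ValueError("principal_type must be 'systemuser' or 'team'")
    unknown = [r for r in rights if r not in ACCESS_RIGHTS]
    if unknown or not rights:
        raise ValueError(f"invalid or empty access rights: {unknown}")
    # Flag values are comma-separated; de-duplicate and keep a stable order.
    mask = ", ".join(r for r in ACCESS_RIGHTS if r in rights)
    return {
        "Target": {
            "@odata.type": f"Microsoft.Dynamics.CRM.{entity}",
            f"{entity}id": _guid(record_id),  # assumed key attribute name
        },
        "PrincipalAccess": {
            "Principal": {
                "@odata.type": f"Microsoft.Dynamics.CRM.{principal_type}",
                PRINCIPAL_KEYS[principal_type]: _guid(principal_id),
            },
            "AccessMask": mask,
        },
    }


if __name__ == "__main__":
    # Constructed sample IDs: share one account record read-only with a user.
    body = build_grant_access(
        "account", "00000000-0000-0000-0000-0000000000a1",
        "systemuser", "00000000-0000-0000-0000-0000000000b2", ["ReadAccess"])
    print(json.dumps(body, indent=2))
```

In the Power Automate step, the `Target` and `PrincipalAccess` objects go into the fields of the same names; granting only the rights a user needs (for example `ReadAccess` alone) keeps record sharing aligned with least privilege.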

Editor's Notes

  1. Security roles can be assigned to Teams in Business Units or to individual users. Teams can further be of type Owner or Access.
  2. There are two types of teams, owning teams and access teams. Owning Teams can own records, which gives any team member direct access to that record. A more advanced concept of sharing is with Access Teams, which provide auto creation of a team and sharing of record access with the team based on an Access Team Template (template of permissions) that is applied. Access teams can also be used without the templates, with just manual add/remove of their members. Access teams are more performant because they don’t allow the team to own records or have security roles assigned to it. Users get access because the record is shared with the team and the user is a member.