PL400 : create or update security roles and field-level security profiles (Configure Microsoft Dataverse Security)

The security model is the key factor in Dataverse security that provides remarkable and extensible advantages in a competitive market. In the business world, data acts like fuel and data protection is a more formidable challenge than mining data in the current markets. It is important to build a security model that ensures proper use and access to valuable assets. One of the key features of Dataverse is its rich security model which can adapt to multiple business usage scenarios. This security model only comes into play if the environment contains a Dataverse database. Security Roles are fundamental unit  of data security in Dataverse.


The fundamental concept in role-based security is that roles have privileges that define a set of actions that can be performed within the organization.
In the security pyramid of Dataverse, Security Roles come as base security which protect the data as well as give the right access permission to authenticated users. Each security role consists of record-level privileges and task-based privileges.

Record-level privileges define what actions a user with access to the record can perform

Task-based privileges give privileges to the user to perform specific tasks

What is Privilege ?

Definition of a specific type of data access or action that can be granted to a security principal (user or team) and given through security roles.

Record-Level Privileges:

A security role is a combination of privileges and access levels. Record-level privilege refers to a user's permission with respect to a record in a Dataverse. Privilege defines the action (what can the user do?) and the access level refers to the degree of privileges.


Whereas, the privilege name is self explanatory and the access level gives the user the scope to take action. One quarter indicates user ownership is only on own records, two quarters indicates depth of scope meaning user can see all records which he/she belongs to business unit, three quarter urges that user can view same business unit with child business unit, four quarter or all selected indicates that these records are available for all users.

Task-based privileges:

Security roles have various task-based privileges that users can perform. In general, these privileges are turned on or off and are not based on business unit or other organizational considerations.


Team member’s privilege inheritance

User and Team privileges

User privileges: User is granted these privileges directly when a security role is assigned to the user. User can create and has access to records created/owned by the user when Basic access level for Create and Read were given.

Team privileges: User is granted these privileges as member of the team. For team members who do not have user privileges of their own, they can only create records with the team as the owner and they have access to records owned by the Team when Basic access level for Create and Read were given.

A security role can be set to provide a team member with direct Basic-level access user privileges. A team member can create records that they own and records that have the team as owner when the Basic access level for Create is given. When the Basic access level for Read is given, team member can access records that are owned by both that team member and by the team.


Important points :

  • Each role must be assigned to a specific business unit.
  • Roles created in a business unit are automatically inherited by each of its child business units.
  • Moving a User to a new business unit will remove all the security roles associated with their account
  • Inherited security roles can not be changed
  • Multiple business units may each contain a role that has the same name, but the access levels for each privilege and record type may be completely different.
  • We can create a copy of an existing security role.
  • We can also set this privilege inheritance property for all out of the box security roles except the System Administrator.

Field-level Security:

Field-level security restricts access to a region of high business impact to specific users and teams. Field-level security is available for default fields on most out-of-box entities, custom fields, and custom fields on custom entities. Field-level security is managed by a security profile.

The scope of field-level security is organization-wide and applies to all data access requests including the following:

  • Data Access requests from within a client application (Web browser, mobile client or Microsoft Dynamics 365 for Outlook).
  • Web Service calls using the Microsoft Dataverse web services (for use in plugins, custom workflow activities and custom code).
  • Reporting (using Filtered views).

The following steps describe how to restrict access to a field:

  • Enable field-level security for an attribute
  • Create a field-level security profile
  • Associate users or teams to a profile
  • Add specific field permissions for a specific attribute in a profile, such as Create, Update, or Read


A Security profile can be configured to grant user or team members the following permission at the field level:

  • Read: Read-only access to the field's data.
  • Create: Users or teams in this profile can add data to this field when creating a record.
  • Update: Users or teams in this profile can update the field's data after it has been created.

All users with the System Administrator role are automatically added to a built-in field security profile called System Administrator.

Environment 's Security Roles and Dataverse 's Security Role :

Each environment has zero or one instance of Microsoft Dataverse database and each environment has two in built Security Role.

  • Environment Admin 
  • Environment Maker.

Environment Admin:

Under the environment, Environment Admin is powerful role which can  can perform all administrative tasks on the environment, including - add or remove users or groups, provision the Dataverse database, view and manage all resources, and set data loss prevention policies. After creating the database in the environment, we can use the System Administrator role instead of the Environment Admin Role.  System Administrator has full permission to customize or administer the environment, including creating, modifying, and assigning security roles and can view all data in the environment. 



Environment Maker:

User can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. however, this role does not have any privileges to access data in an environment. They can share the app with individual users, security groups or all users in the organization


System Customizer:

The system optimizer has full permission to customize the environment. however, users with this role can only view records for the environment entities they have created.


Delegate:

Allows code to be impersonated, or run as another user. Usually used in conjunction with another security role to allow access to the record. Use impersonation to execute business logic on behalf of another Microsoft Dataverse user in order to provide the desired feature or service using the appropriate role and object-based security of that impersonated user.

Basic User:

The user can run an app within the environment and perform normal tasks for his own record. This only applies to non-custom entities.

Important links:

Team member’s privilege inheritance


Comments

Post a Comment

Popular posts from this blog

Powering Up Your Analytics: Exploring Power Query in Power BI

Image
Data is a valuable asset that has a profound impact on almost every aspect of modern life. Its proper collection, analysis and application can promote innovation, improve efficiency and solve complex challenges in various sectors. In data processing, ETL is a comprehensive process that includes data extraction, transformation, and loading, while Power Query is a specific tool that facilitates the "extract" and "transformation" aspects of ETL, allowing data to be collected and analyzed. Permission is granted to process. And reporting. is ready. It becomes easy to do this. Microsoft's ecosystem of products. Power Query is a data transformation and data preparation engine. Power Query is available in Microsoft Excel and Power BI. Power Query provides a user-friendly and intuitive interface for data professionals and analysts to access and manipulate data from various sources without the need for extensive coding or scripting. It allows users to connect to a wide ra
Read more

Power App Component Overview : Canvas App vs Model-Driven App

Image
The Power Platform is a suite of low-code/No-code tools and technologies developed by Microsoft and Power App is integral component of Power Platform. Power App is platform that enables users to build custom web and mobile applications with a visual interface and minimal coding. The platform support various data sources, including Microsoft 365, Azure Service, and many other, enabling users to integrate and interact with their existing data and systems. In Microsoft's Power Apps, there are two main types of apps that we can create: Canvas Apps: Canvas apps provide a blank canvas where you can design highly customizable applications with a drag-and-drop interface.  Model-Driven Apps: Model-driven apps are built on top of the Dataverse, which provides a set of pre-built data entities and business logic. There are few key technical difference between Canvas App and Model Driven App: During the usability analysis, these high-level technical differences need to be considered. The choi
Read more

Exam PL-400: Microsoft Power Platform Developer

 Create a technical design (10-15%) Validate requirements and design technical architecture design and validate the technical architecture for a solution design authentication and authorization strategy determine whether you can meet requirements with out-of-the-box functionality determine when to use Logic Apps versus Power Automate flows determine when to use serverless computing, plug-ins, or Power Automate determine when to build a virtual entity data source provider and when to use connectors Design solution components design a data model design Power Apps reusable components design custom connectors design server-side components Describe Microsoft Power Platform extensibility points describe Power Virtual Agents extensibility points including Bot Framework skills and Power Automate flows describe Power BI extensibility points including Power BI APIs, custom visuals, and embedding Power BI apps in websites and other applications describe Power Apps portal extensibility points incl
Read more