PL-100 Microsoft Power Platform App Maker – Configure Dataverse security and Secure a solution

1. 46. Configure security roles

Hello. And in this section we’re going to have a look at security. And we’re going to start with security roles. So let’s have a look at security. So in the powerups portal, I will click on the gear at the top right and go to advanced settings. And then from there I’ll go to system security. So this allows me to work with users, security roles, teams and business units.

Let’s start off with the security roles. So, here are a list of mostly built in security roles. So let’s have a look at the predefined security roles. Now there are two which can be used without a database database. So they’re the environment maker and there’s also an environment admin. So the environment maker, he can create new resources in an environment. So he can create apps, connections, custom APIs gateways and flaws custom APIs that use in programming. He can also distribute apps to other users.

He has no right, however, to access the data. So if you have a look at this, you can see most of these items are this nonselected. So he can read connection roles, he can read email templates, language mail merge templates, and he can use user entity instance data and UI settings for users. So really he hasn’t got much, but he basically can create new stuff. You can see this if we go to the customization. He has a lot of reading abilities and some writing abilities as well. Now that’s the environment maker creating new resources, the environment admin, he can provision a database database. He can view and manage all resources created in an environment.

He can set data loss prevention policies called DLP policies, and he can add or remove users from the environment admin or maker roles. So those are two security roles which can be used without a database database. Now, when you create a database database in your environment, there are some additional ones, the biggest one being the system administrator.

So the system administrator has full permissions to customize and administer the environment, including creating, modifying and assigning security roles. So once a database database has been provisioned, all environment admin users will be assigned this system administrator role and they can view all of the data. So that’s the system administrator, the big one. With a database database, the system customizer has got the abilities to customize the environment.

So they can add new tables, but they only have access to their own records. We then have a basic user. So basic users are allowed to run apps and to read, create and write and delete their own records, so not other people’s records. And then there’s delegate. Delegate means you can impersonate another user. So by itself you got very little additional privileges. So let’s just have a look at the differences between the environment and the system security roles. So the environment roles are for environments with or without a database database. But the system roles are only for those environments. With a dataverse database, the environment roles have no access to data. The system admin has access to all data, the customizer only to its own data.

They can all create cloud flows, but with varying degrees. And the system admin and system customizer can do things relating to the database database, like for instance tables, model driven apps, solution frameworks and so on. So that’s the difference between this environment maker admin and the system admin customizer roles. Now, if you wanted to create your own custom security role, you can do so by clicking on new here. So we enter a role.

So this is my new role. And you can select what degree people have got access to. So you can locate tables and add permissions, they read, write, delete, create. You’ve also got append which gives ownership of a record to another share. So this allows you to give access of a record or row to another append, allows you to attach an activity note, an activity or a note to a record. And append to allows you to have a record attached to an activity or a note.

One final thing about these custom security roles you can also have a different inheritance. You can have team privileges only. So you inherit the ability to create or view records with your team, not individuals. The team would then be the owner of those records. If you have user access, then you’d be able, for instance, to create your own records. So these are the security roles. So I’m just going to leave that there. And you get access to this by going to the Gear advanced settings and go into Settings Security and security roles.

2. 46. Add users, and assign them security roles

Well now we’ve got these security roles, we need to use them, we need to apply them to users for instance. So if I click on users and just a reminder how I got here was by going to the gear and advanced settings and then security. So I can do this by going to users. Now this gives me a list of the users. Now I can’t actually add new users here, you add them in the Mac Soft Office 365 Admin portal. So let’s find an existing user. So Jane user for instance, which I have created elsewhere and this gives me information about the user. But if I click on this arrow, I can also go to the security roles.

So this user has got system administrator, so I can manage roles and I can add additional roles such as basic user if I so wish, so that’s users, but in addition to users I can also have teams. So teams are groups of users. So let’s add a new team. So this is my new team. Now, notice I can’t actually add team members just yet, I need to have an administrator. So that’s going to be me power platform plan and then I’m going to save it. And as soon as I save it, then I can add team members. So I will add a new team member which will also be me and another team member who will be Jane. So now I’ve got my team, I don’t have to click save.

If I just close this and go back into it, you can see I’ve still got the same users. I can now go to this arrow and I can go to security roles and I can give the team roles as well. Now, in addition to the team, we’ve also got business units. So business units, we have the organization at the top, then business units which can have teams, which can have users, so I can add a new business unit. So I will call this my business unit. I can’t click on any of these until I click save. So the parent business unit is the organization and then I can look at users and then teams and all the rest of it. But we don’t have to go into any more detail for this course. That level of security is more for PL 200.

So just know that we have got users, teams and business units and I can assign roles to each of them. So if I click on security roles there I can assign whatever roles I want. But now we’ve got the concept of business roles. You can see now if I go back into security and into security roles and look at any of the permissions that we’ve got, all of these different permissions, we’ve got organization, so all roles or records, we’ve got none of them, we’ve got user, but then we’ve also got business unit.

So if I’m assigned a business unit, then not only will I have user records, in other words, access to my own records, records that are shared with me and records in which I’m a team member, but also business unit records. So unit plus access to information throughout the business unit. So this is generally for managers. You can see that there is another one. So these are business units shared, called parent child business units. So these are usually for higher level managers. So you get user business unit plus all subordinate business units. So in other words, business units within business units. So that’s why it’s usually for higher level managers.

So in this video, we’ve had a look at some of the security concepts. We’ve had a look at users teams, which can include users, and business units which can include other business units as well as teams and users. Just one more thing. Teams can also own records. This is why users can have access to team records. Also Azure Active Directory groups, they can have teams and they can also own records. And both owner teams and Azure Active Directory Group teams can also have security roles assigned to the teams. They have full access rights to the records.

And Azure Active Directory Group types, by the way, are Security and office. So you can even have divisions within the Azure Active Directory. However, as this is not an Active Directory course, we don’t need to dwell much further on that. So we have users teams, which can include Azure Active Directory Group teams and business units, which can also have their own business units. There’s just one more thing I do want to talk about.

When we’re looking at Power Automate, you may have noticed my referencing. Let me know by a mobile notification when I receive an email from my manager. But how do I know who my manager is? Or how does Power platform does? Well, it does this through here, the user information. So you can see over here, the manager. So if I want to insert a manager, I can do so here. And that’s how the computer will know.

3. 46. Adding users to environments

In this video we’re going to look at how we can add users to an environment and we can do that starting it in the power apps by going to the gear settings, but not going to advance settings this time we’re going to the Admin Center admin power platform, Microsoft. com, so we can go to any particular environment. So I’ll go to my per user environment and then on the righthand side you can see we can access security roles, teams, users and apps. However, I generally go elsewhere, I go to the settings and in the settings we’ve got users and permissions and you can see we have got even more options. So if I go to the users here you can see all of the users which are in this particular environment.

If I click on any particular user then we go back to where we were last video, but we can also have a look at the security roles as well. Additionally, I can click on somebody and go to Manage security roles and we can see here on the right hand side we’ve got basic user and system administrator. So here I can click on additional things I want and go to save. Now, I should say even though I usually go this way, I don’t actually have all of the things I can do. Look at the top, there’s no add user. So to do that I go back to the environment and that gets me access to this. If I click on users this time, then I can also add users so I can add another user here.

So let’s add somebody else and click Add. Now Susan couldn’t be added because she doesn’t actually have an active license, so I could assign one to her elsewhere in the Microsoft 365 Admin Center, for example, and that we’ve seen before when I was trying to get a free trial, that is admin Microsoft. com. So it’s not Admin PowerPlatform Microsoft. com, it’s just Admin Microsoft. com and I can go to my user and I can assign additional licenses if I still wish.

Now, when I add a user that way they are given the basic user, also sometimes known as a database user and they’re also being given the environment maker. So just as a reminder, environment maker allows you to add a database but it doesn’t actually allow you access to any data. So all you’ve got access to through the basic user is your own records and records that are shared with you.

So using this, the per user over here on the right hand side for instance, I can’t gain access to the business units so I generally go through settings but if not everything is there, then I also go through this side as well. So if you want to see a particular environment then you can go to Admin powplatform Microsoft, so go through the Admin Center and then you can go to a particular environment and then you can have a look at your users, your teams, your security roles, and much, much more.

4. 32, 33. Manage app security

Now in this video we’re going to talk about managing app security. So we’d previously seen how to manage floor security. You can go to Details and you can add owners and run only users. What about apps? Well, let’s have a look, first of all about Canvas apps. So let’s have a look at this particular app. And I’m going to click on Share. So you can share apps with individual users and with Azure Active Directory security groups. So you can enter names, email addresses, in fact you can enter everyone, so everyone can have access. So let me add Microsoft as well, my other user.

So individual users can become core owners. So they can use, edit and share the app, but they can’t delete or change the owner. Now you can’t add core owners to an entire organization and you can’t add core owner permissions to a security group for a solutionaware app. So an app that is in a solution, you also cannot share the app with a distribution group in your organization or a group outside of your organization. Now, when apps are shared, then you may also need to share things like the connectors. So here we’ve got a connector to Microsoft database, so people will need access to that.

So here you can see that this particular user has got some access to the database. May need more, may not. If I share with everybody, well, I cannot sign a security role with everybody. There may be some other connectors, like OneDrive for business, SQL Server with Azure Active Directory authentication, custom connectors and basically data which not all users have access to, such as a cloud Excel workbook. So those you will need to share separately. Now when sharing you will be asked for security roles as appropriate. There are some things that will be shared automatically.

Microsoft automate flaws and some connectors, such as SQL Server with SQL authentication or Windows authentication. It’s just the Azure Active Directory authentication which isn’t source shared. You can also send an email invitation to new users and co owners get a second link in that email for opening the app for editing. Additionally, you can send makers an email when they have just made their first floor or their first app, so that they can be sure they are in line with the organization’s rules. So that is canvas driven apps.

Now for model driven apps, so again, I’m going to the Share button, so I select the app and I select who I’m going to share it with, and then you give it a security role. So this is another way of going into the Managed Security roles box, the dialog box, so I can click on Manage Security Roles and then I can locate tables, add permissions. If you remember some of those permissions included read, create, delete, write, assign that’s ownership, share that’s access and append and append too, that’s activities and notes to a role. And you can select them with nonselected user business unit, parent child business units, and organization.

So we’ve covered that in a previous video. So you select what roles are going to have and then you can click Share. And here you can see Sharing model driven app was successful. So in this video we’ve had a look at how to manage app security. You just click on the dot, dot, dot next to the app and go to Share for model driven apps. Then you click on the app and then the user, and then grant whatever appropriate permission for canvas apps. Then you select who has got access to it and then whether they’re going to be a co owner so they can use Edit and share the app, but not delete or change the owner. And then you have to look at your data permissions.