Dataverse, previously known as Common Data Service, uses security roles to ensure that only the right users have the right access to data. Each security role consists of permissions that define the level of access a user has to each entity in a Dataverse database.

To create a new security role:

  • Navigate to Power Apps > Dataverse > Security > Security Roles > New.
  • General tab > Enter the name > Save.

To configure permissions:

  • Open your new role > Business Management, Customization, or Custom Entities tab.
  • Set permissions as desired for each entity. Four access levels are available: Basic, Local, Deep, and Global.

Let’s illustrate with an example. Suppose we want a role that lets users edit only the records they created, not records owned by others. We set the ‘Write’ permission to ‘Basic’ in the User entity privilege, so a user with this role can only modify records that they own.


II. Configuring Dataverse Column-level Security Profiles

While security roles govern access at the entity level, column-level security (CLS) profiles fine-tune this access further to individual columns within an entity. Use CLS profiles when you need some users to have access to an entity, but not certain sensitive columns within it.

To enable column-level security:

  • Navigate to Power Apps > Dataverse > Security > Enable Column-Level Security > choose the column > Yes > Save.

To create a new column-level security profile:

  • Navigate to Power Apps > Dataverse > Security > Column-Level Security Profiles > New.
  • General tab > Enter the name > Save.

To add columns to the security profile:

  • Open your profile > Columns tab > Add Columns.
  • Select the columns > OK > Save.

To add users or teams to the security profile:

  • Open your profile > Users or Teams tab > Add Users or Teams.
  • Select the users or teams > OK > Save.

For example, suppose we have a Salary column that only certain HR personnel should see. We could enable CLS for this column and then create a security profile that permits only HR personnel to read the Salary column.
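The two examples above (a ‘Basic’ Write permission and a secured Salary column) can be checked together in a small model. This is an added sketch, not Dataverse code or code from the original article; it assumes the usual scope of the levels (Local = the user's own business unit, Deep = that unit plus its child units, Global = the whole organization), one role per user, and no record sharing or team ownership. All names and data are constructed.

```python
from dataclasses import dataclass, field

NONE, BASIC, LOCAL, DEEP, GLOBAL = range(5)  # access levels named on this page
BU_PARENT = {"Contoso": None, "HR": "Contoso", "Payroll": "HR", "Sales": "Contoso"}  # child -> parent
SECURED_COLUMNS = {"salary"}  # columns with CLS enabled (constructed)

@dataclass
class User:
    name: str
    bu: str
    privileges: dict  # one role, e.g. {"Read": LOCAL, "Write": BASIC}
    cls_read: set = field(default_factory=set)  # secured columns a CLS profile lets them read

@dataclass
class Record:
    owner: str
    owner_bu: str
    columns: dict

def in_subtree(bu, root):  # is `bu` equal to `root` or anywhere beneath it?
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT[bu]
    return False

def has_access(user, record, privilege):
    """Evaluate one entity privilege against the record's owner and business unit."""
    level = user.privileges.get(privilege, NONE)
    if level == GLOBAL:
        return True
    if level == DEEP:
        return in_subtree(record.owner_bu, user.bu)
    if level == LOCAL:
        return record.owner_bu == user.bu
    return level == BASIC and record.owner == user.name

def visible_columns(user, record):
    """Entity-level Read is checked first; CLS then hides secured columns."""
    if not has_access(user, record, "Read"):
        return {}
    return {k: v for k, v in record.columns.items()
            if k not in SECURED_COLUMNS or k in user.cls_read}

# Constructed sample data: one employee record owned by a user in Payroll.
rec = Record("dana", "Payroll", {"name": "Dana", "salary": 90000})
hr_lead = User("lee", "HR", {"Read": DEEP, "Write": DEEP}, {"salary"})
peer = User("sam", "Payroll", {"Read": LOCAL, "Write": BASIC})
print(visible_columns(hr_lead, rec), visible_columns(peer, rec), has_access(peer, rec, "Write"))
```

The peer in the same business unit can read the record but not the Salary column, and cannot write to it because a Basic Write covers only records they own.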

To recap, we’ve covered how to configure Dataverse security roles and column-level security profiles. This knowledge is key to mastering the ‘Create a Technical Design’ module of the Microsoft Power Platform Developer PL-400 exam. By practicing these configurations step by step, you will gain the understanding and applied skills needed to pass the exam. I encourage you to study the attributes and behaviors of security roles and CLS profiles in depth, building more complex scenarios for practice.

Practice Test

True/False: The Dataverse security model supports both object-level and column-level security.

  • True
  • False

Answer: True

Explanation: The Dataverse security model does indeed support both object-level and column-level security, allowing customization of who can see and edit different data.

True/False: All users in a given environment have the same security roles in Microsoft Dataverse.

  • True
  • False

Answer: False

Explanation: Security roles in Microsoft Dataverse can be assigned on a per-user or per-team basis, and they are not the same for all users in a given environment.

True/False: Dataverse column-level security needs to be enabled by an admin before it can be used.

  • True
  • False

Answer: True

Explanation: Column-level security needs to be enabled by an admin, then an admin or a customizer can create profiles to define which users have access to specific fields.

Which of the following security settings can be configured in Dataverse?

  • a) Role-based security
  • b) Record-based security
  • c) Column-level security
  • d) All of the above

Answer: d) All of the above

Explanation: Dataverse provides a range of security settings, including Role-based security, Record-based security and Column-level security.

What does “privilege” mean in the context of Dataverse security roles?

  • a) the ability to access certain columns
  • b) the ability to perform a specific action
  • c) the ability to create new rows
  • d) the ability to read old rows

Answer: b) the ability to perform a specific action

Explanation: In the context of Dataverse security roles, a privilege is defined as the ability to perform a specific action.

Who can define a column-level security profile in Dataverse?

  • a) any user
  • b) an admin or customizer
  • c) an executive
  • d) a manager

Answer: b) an admin or customizer

Explanation: Only an admin or a customizer has the authority to define a column-level security profile in Dataverse.

True/False: Security roles in Dataverse are cumulative and do not adhere to the principle of least privilege.

  • True
  • False

Answer: False

Explanation: Security roles in Dataverse are cumulative, following the principle of least privilege. If a user is assigned to multiple security roles, they are given the least (most restrictive) privilege.

True/False: In Dataverse, you cannot customize the default security roles.

  • True
  • False

Answer: True

Explanation: In Dataverse the default security roles are designed for specific purposes and can’t be customized. You can create new custom roles according to your needs.

True/False: In order to see a column’s data in Dataverse, the user must have read access to the entity.

  • True
  • False

Answer: True

Explanation: Even with column-level security, the user must have read access to the entity first in order to see, update, or delete the column’s data.

True/False: In a column-level security profile, you must specify the fields, the entity, and the Dataverse operations protected by the profile.

  • True
  • False

Answer: True

Explanation: A column-level security profile protects specific operations on specific fields of a Dataverse entity. These operations include Read, Create, and Update data of the specified fields.

Can the business unit of a user influence their Dataverse security privileges?

  • a) Yes
  • b) No

Answer: a) Yes

Explanation: Security roles in Dataverse are assigned based on the user’s business unit; this is part of the role-based security feature in Dataverse.

What is the main purpose of configuring security roles in Dataverse?

  • a) To ensure data integrity
  • b) To provide users with appropriate access
  • c) To enable automation
  • d) To enhance performance

Answer: b) To provide users with appropriate access

Explanation: The main purpose of configuring security roles in Dataverse is to define appropriate levels of access for different users, ensuring they can perform their job functions without unnecessary exposure to sensitive data.

True/False: Dataverse allows the configuration of entity-level permissions.

  • True
  • False

Answer: True

Explanation: Dataverse allows the configuration of entity-level permissions. This is also known as object-level security.

What are the levels of access in the Dataverse security model?

  • a) Global
  • b) Deep
  • c) Local
  • d) Basic
  • e) None
  • f) All of the above

Answer: f) All of the above

Explanation: In the Dataverse security model, there are five levels of access: Global, Deep, Local, Basic, and None.

True/False: Column-level security profiles in Microsoft Dataverse apply to API requests.

  • True
  • False

Answer: True

Explanation: Column-level Security Profiles apply to all application UI, SDK API requests, and OData interactions, delivering a consistent layer of data access control across the platform.

Interview Questions

What are Dataverse security roles in Microsoft Power Platform?

Dataverse security roles are sets of access permissions that are grouped together. With these roles, you can regulate access to entities by allowing different types of operations, such as creating, reading, writing, deleting, and sharing.

How can you create a new security role in Dataverse?

To create a new security role in Dataverse, you navigate to the Power Platform admin center, select ‘Environments’, then ‘Settings’, then ‘Users + permissions’, then ‘Security roles’, and finally select ‘New’.

What is column-level security in Microsoft Power Platform?

Column-level security (CLS) in Microsoft Power Platform is a feature that allows administrators to control access to specific high-business impact columns in an entity to further protect the data from unauthorized access.

What are the two settings for column-level security profiles?

The two settings related to column-level security profiles are ‘Update’ and ‘Read’. ‘Update’ controls if the user can update the data in the field while ‘Read’ controls if the user can read the data in the field.

Can one user have multiple security roles in Dataverse?

Yes, one user can have multiple security roles assigned in Dataverse. The security model of the platform is role-based and cumulative, which means that a user will have all the privileges from all the security roles assigned to them.

How are entity permissions defined in the Dataverse security model?

Entity permissions in Microsoft Power Platform are defined on the basis of Create, Read, Write, Delete, Append, Append To, Assign, and Share rights.

Can you assign a column-level security profile to a team?

Yes, column-level security profiles can also be assigned to a team. Any member of the team would adopt the access rights as defined by the profile.

What is the minimum privilege needed to share a record in Microsoft Dataverse?

The minimum privilege needed to share a record in Microsoft Dataverse is ‘Read’ access on the entity and ‘AppendTo’ access on the user or team entity.

Can system administrators bypass column-level security in Dataverse?

Yes, System Administrators and System Customizers in Microsoft Power Platform possess ‘Field Security Profile’ permission, which enables them to bypass column-level security.

How would you prevent a user from editing a field in an entity in Power Platform?

You can prevent a user from editing a field in an entity by creating a column-level security profile that denies the ‘Update’ privilege for that specific field and then assign this security profile to the user.

Can Dataverse security roles be exported and imported in Microsoft Power Platform?

Yes, Dataverse security roles can be exported and imported as part of a solution in Microsoft Power Platform.

What happens if a column in an entity is not covered by any column-level security profile?

If a column in an entity is not covered by any column-level security profile, then the column is accessible to all users who have entity-level ‘Read’ access.

How do you delete a security role in Dataverse?

To delete a security role in Dataverse, navigate to the Power Platform admin center, select ‘Environments’, then ‘Settings’, then ‘Users + permissions’, then ‘Security roles’, select the role you want to delete, and finally select ‘Delete’.

What are the implications of enabling a column for column-level security?

Once a column is enabled for column-level security, it can only be accessed by users who have been granted permissions through a column-level security profile.

How can you check if a user has a certain security role in Power Automate?

You can check if a user has a certain security role in Power Automate by using the ‘RetrieveUserRoles’ function, which retrieves all security roles of a user; you can then check whether the desired role is listed.
