PL-100 Microsoft Power Platform App Maker – Other topics Part 4
September 2, 2023

9. Configure field security

In this video we’re going to have a look at one of our tables. So we’ve got the expense table, and we’ve got the expense value, and we’ve got other things. Now suppose not everybody needed to see the expense value. At the moment, everybody who’s got access to the table can see every single column, every single field. This is true whether you are looking at the data view in Tables or looking, for instance, at a particular expense. So if I click on one of these expenses, or double click, you can see I can see $234. So how can I hide this from everybody who doesn’t need to see it? Well, there are a couple of ways. First of all, we need to get to the table, so we can go to Data, Tables.

If it’s within a solution, then you go through the solution, and you go, say, to my unmanaged solution, and there is the table. So however you get to the table, you need to select whatever column or field you don’t want to be shown to everybody, go to the advanced options, and we’ve got here Enable column security. That shows where the data in the column is secured at a higher level than the table. In other words, if everybody, A, B, C and D, can see the table, maybe this column should only be shown to A; maybe B, C and D shouldn’t see it.

So what I’m going to do is select that, say Done, and save the table. Now there is another way of doing it, the classic way, and that is to go into Settings, Advanced settings, Customizations, Customize the System, go to Entities, which is the old name for tables, and go down to the table. So I’m going to go to the account table and I’m going to have a look at the fields. That’s the old name for columns. And I’m going to say, okay, this particular field, the city field, I’m going to edit that and I’m going to say Field Security: Enable.

So now I need to save and close and then I need to publish. So it doesn’t actually work until I have published the customizations, just like I needed to save the table. Now just one word, the system admin has access to all of the data. And given that, I would probably be able to see it because I’m a system admin. So let’s go into here and you can see that I can still see the expense value. So what I’m going to do now is log in as somebody else and let’s see what they can see. So here I am as another user. Now this user does not have the system admin rights.

So let’s go to the table. It does have sufficient rights to be able to view data and go to data. And if I change this to all columns, we can see that when we get to the expense value, it’s completely blank. If, however, I do this as a sysadmin, then if I go to all columns again, exactly the same view, I can see the expense value as well as the expense value base, which is reliant on the expense value.

Now let’s see what happens if I go to my model-driven app, and you can see that there is now a key next to the expense value. So that key shows that that particular column has been secured, but I want access to it. So now we have to create a field security profile. To do that, we go back to the advanced settings, go back to Security, and have a look here at the field security profiles. You can see we’ve got a field security profile for the system administrator. I’m going to create a new one called “Want to view expense value”. And I’m going to click Save, not Save and Close; Save and Close would close the dialog box. I just want to click Save.

So I can now go into Users or Teams. So here I’m in Users and there’s an Add button there. Incidentally, I couldn’t see the Add button in Google Chrome. So if you’re having problems like that, you might want to change your browser, just go to a different browser. So I’m now going to add myself, my other self, who isn’t a system admin. So Philip Burton, I’m going to select and add. So now that user is part of this field security profile, and I’m also going to add myself. So that is Power platform plan. So I’ll add myself as well. Now that’s been done, I can go back in and make sure the two users are here. Now, I’ve created this field security profile, but I haven’t said what I actually want to allow these two users to do. So I’m going to say I want these two users to be able to look at the expense value. Then we can click on Edit, or I could just double click on one particular field, and I can say: can users view this column? Can they change the information in this column?

And can they add information to this field when the record or row is created? So you can select Yes and No for this. So now that this has been created, I’m going to log back into my non-system-administrator role. First of all, I need to save and close, and it’s always worth going in just to make sure that we’ve updated these to Yes. So let’s log in. Now I’m logged in, you can see that I can now see the expense value, whereas before I just saw blank. So in this video we’ve had a look at how to add field-level security. First of all, we need to say which particular columns we want to secure. So we go to Data, Tables, or we go to Solutions, a solution and the relevant table. We go to the specific column and we click on Enable column security. Then we need to create a field security profile, and we can do that by going to Security, Field Security Profiles. We can add a new profile, add teams or users, and then say what we want to do with the particular permissions.

Do you want to allow users to read, update and create? Now, just a couple of things. A key symbol is shown next to the field on forms to show that it’s been secured. And field-level security cannot be used for system or record (row) tracking attributes. These are things like owner ID, process ID, stage ID, account ID, contact ID, basically anything that’s system with an ID at the end; or dates: created on, entity image timestamp, modified on, on hold time, overridden created on; or who did it: created by, modified by, owning team, owning user; or what status it is: state code and status code. Field-level security cannot be used for those system or record tracking attributes, but for other system attributes or for your own custom columns, you can secure those particular columns.

10. Manage data security

In this video, I’d like to talk about data security. So why do we need data security? Well, let’s suppose I’m a disgruntled employee. What I’m going to do is create a Power Automate flow. I’m going to connect Dataverse to Twitter, and I’m going to tweet out all of our financial information. Okay, that does not sound good. So DLP (Data Loss Prevention) policies help prevent company data from being accidentally made public, so they could prevent the accidental sharing of sensitive information, like connecting the database to Twitter, for instance. To set this up, first of all, we go to the admin center. So here we are in the Power Platform admin center, Data policies.

So we can set up a new policy if I’m an environment admin or a tenant admin, for an environment or a tenant, the tenant meaning the organization. An environment admin can do this for a single environment. If you’re a tenant admin, you can choose which environments to add these policies to. So what I’m going to do is click on New Policy. By the way, there is a thing called the Power Platform Center of Excellence Starter Kit, which can also help. You can explore policies and the Data Loss Prevention Editor. With that, you can see if a change to data loss prevention can break existing apps.

And also, I should point out, if you really go deeply into the administrative side, you might want to check out the Microsoft Power Platform Center of Excellence Starter Kit, which can help with DLP policies. You can see if a particular change would break existing apps, and you can see things about flows. For instance, if you’ve got a flow that violates a DLP policy, it can be saved, but it just can’t be turned on. So let’s create a new DLP policy. So this is my policy, and when I go into connectors, you can see that there are three different types of connectors: business, non-business, and blocked. So I’m going to search for Twitter, click on Twitter, and move Twitter from non-business, which is the default, into business. So what?

Well, you cannot connect a business connector with a nonbusiness connector. Business data can only be connected with other business connectors. Non business can only be connected with non business. And there may be some things that you really don’t want and you’re going to block them. So blocked cannot be used as a connector. Now, I should point out there are a few restrictions.

For example, let’s block the database. No, we can’t. Power Platform notifications approvals can’t be blocked, and Microsoft Enterprise Plan standard connectors such as Excel Online, Outlook, and SharePoint also cannot be blocked. Okay, so once you have got your policy, we can click on Next. So I’ll just unselect that and go to Next. And here you can see, because I am a system admin, which means I’m also a tenant admin, I can say, well, I want this to happen for one particular environment, and I’m going to add that to the policy.

So that’s what I’ve done. I have put one connector into business, one into blocked. Now, you could have multiple policies. It does make things a lot more difficult. I would really suggest you don’t. So we have all of these different connectors. Non-business is the default. Now, if you don’t want that, you can change the default group by going up here to the top right-hand side. So why might this be of use? Well, maybe you create new connectors. That’s not part of the PL-100 certification, but suppose you did. Where do you want them to go?

Do you want them to go into business, non-business or blocked? So make sure you’ve got what you need. I should point out, and this is fairly advanced, that HTTP, so these are web triggers and web actions, can be added to DLP policies as well, even though technically they’re not connectors. You can also see whether individual connectors are blockable as well. So this is DLP, data loss prevention policies. You get to here by going to the admin center and then to the data policies. However, you should make sure that the right people have got access to the particular table.
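The connector grouping rule from this section, modelled as an added example (not code from the course or from Microsoft), shows that moving Twitter into business only stops the Dataverse-to-Twitter flow if Dataverse sits in a different group. Connector names are plain labels, the `DlpPolicy` class and the `ContosoCustom` connector are hypothetical, and no Power Platform API is called.

```python
from dataclasses import dataclass, field

BUSINESS, NON_BUSINESS, BLOCKED = "business", "non-business", "blocked"


@dataclass
class DlpPolicy:
    """Toy model of one DLP policy: explicit placements plus a default group."""
    groups: dict = field(default_factory=dict)  # connector name -> group
    default_group: str = NON_BUSINESS           # where unlisted connectors land

    def group_of(self, connector: str) -> str:
        return self.groups.get(connector, self.default_group)


def violations(policy: DlpPolicy, connectors: list) -> list:
    """Return the reasons a flow using these connectors could not be turned on."""
    placed = {c: policy.group_of(c) for c in connectors}
    found = [f"{c} is blocked" for c in sorted(placed) if placed[c] == BLOCKED]
    business = sorted(c for c in placed if placed[c] == BUSINESS)
    non_business = sorted(c for c in placed if placed[c] == NON_BUSINESS)
    if business and non_business:
        found.append("business connector(s) " + ", ".join(business)
                     + " combined with non-business " + ", ".join(non_business))
    return found


# Constructed flow from the lecture's scenario: read Dataverse, post to Twitter.
LEAK_FLOW = ["Dataverse", "Twitter"]

# Only Dataverse is classified as business; Twitter stays in the default group.
SPLIT = DlpPolicy({"Dataverse": BUSINESS})
# Both connectors in business: same group, so this policy does not stop the flow.
SAME_GROUP = DlpPolicy({"Dataverse": BUSINESS, "Twitter": BUSINESS})
# Default changed to blocked: an unlisted (hypothetical) custom connector is refused.
STRICT_DEFAULT = DlpPolicy({"Dataverse": BUSINESS}, default_group=BLOCKED)

if __name__ == "__main__":
    for name, policy in [("split", SPLIT), ("same group", SAME_GROUP)]:
        print(name, violations(policy, LEAK_FLOW) or "allowed")
    print("strict default",
          violations(STRICT_DEFAULT, ["Dataverse", "ContosoCustom"]))
```

An empty list means the flow could be turned on under that policy; any entry corresponds to a flow that can be saved but not enabled.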
