Introducing the Common Data Service Security Model (Previous Version)
As part of the general availability release of PowerApps and the Common Data Service (CDS), we have introduced the first set of security features on the Common Data Service. The Common Data Service comes with a set of standard entities, the Common Data Model. The Common Data Service also allows you to create your own custom entities to store your data. In order to keep your data secure, the Common Data Service also provides a security framework to control access to the data stored in these entities.
Databases can be added to an existing environment by an Environment Admin. Or be created along with a new environment by users with the PowerApps Plan 2. Actions at the environment level, like creating a database are controlled by Environment roles. To learn more about these topics, check out the PowerApps Environments Announcement.
The database provided with the CDS can be configured in two modes, Open mode and Restricted mode. When you first create your database you will asked to choose one of these modes. This selection can always be changed in the Administration Portal under the Database tab.
By default, "Give all users access" is selected. This selection will place your database in Open mode. When in Open mode, all users will be able to access all of the data stored in your database. There are no permissions checks performed when a user tries to access the data of an entity. Everyone will be able to share and use apps freely.
In contrast, selecting "Restrict access" will enforce a permission check when a user tries to access data from a given entity. While your database is in Restricted mode, users will be able to share apps, but can only access the entities that they have been provide access to via a User role. Database Owners have the ability to assign users to roles, and define the permissions for those roles.
User role are assigned to users or user groups within your organization to provide them access to a collection of entities. The entities that a role provides access to are determined by the permission sets that the role includes. User roles can be built using the out of the box permission sets that secure the standard entities provided in the Common Data Model, or custom permission sets that you have created. You can also create your own.
There are two special roles that are provided by the Common Data Service for your convenience. The Database Owner role provides access to all entities in your database, even as new custom entities are added. Additionally, only users who have the Database Owner role have the ability to change the entity schema. The Organization User role is assigned to all users in your organization automatically. This role does not provide any access out of the box. If you choose to share a PowerApp to your organization while in Restricted mode, everyone in the organization will need to be provided access to the entities that the PowerApp is using. The Organization User role is the place to do this. Once entities are included in this role everyone will have access to them, no additional role assignment is needed.
A user can be assigned multiple roles to allow access to different sets of entities. When running a PowerApp, the user’s access to data will be the combination of all roles they are assigned. As long as an entity is included in one of the roles, they will be able to access the data stored in that entity.
Permission sets are the basic building blocks of the Common Data Service security model. A permission set is comprised of a list of entities and the level of access granted for each entity. Create, read, update, and delete permissions can be granted to any entity included in the permission set.
All entities will be shown under a permission set, only those that have Create, Read, Update, or Delete check will be granted under the permission set. As custom entities are added to your database, they will also be reflected in this list. To grant access to a custom entity you must provide an access level under a permission set.
The Common Data Service contains a set of permission sets that are provided out of the box to secure the standard entities provided by the Common Data Model. Each entity will be covered by two permission sets. A View permission set that allows read-only access to the data within the entity and a Maintain permission set that allows read, create, update, and delete operations within the entity.
Further details on the concepts can be found in the CDS Security Model documentation.
For step by step instructions for creating custom security artifacts refer to the Configure Database Security article.