top of page
Zoeken

Having an eye on your data (leaks)

  • Foto van schrijver: Frank Vanhamel
    Frank Vanhamel
  • 31 okt 2021
  • 3 minuten om te lezen

Bijgewerkt op: 13 dec 2021

In today's 'CitizenDevelopment' era data security is key. When starting with PowerApps and PowerAutomate in your Digital Journey you should think about having a clear 'Data strategy'.

Welcome to this blog post where we will further dive into the possibilities made available in PowerApps in order to prevent such 'Data Leaks'. Data security and preventing others to steal important organizational data should be controlled and managed.


“Try to find a good balance between providing enough flexibility for Citizen Developers to develop low or no-code applications and having this controlled by a well considered governance approach.”

Data Loss 'what?' Prevention (DLP's)?

Following 'Data Loss Prevention (DLP)' definition can be read on the Microsoft docs: "To protect data in your organization, you can use Power Apps to create and enforce policies that define the consumer connectors that specific business data can be shared with. These policies are called data loss prevention (DLP) policies. DLP policies ensure that data is managed in a uniform manner across your organization, and they prevent important business data from being accidentally published to connectors such as social media sites." (source).


Wow great definition, let's take a closer look having this applied!


First navigate to the 'PowerApps Admin center' by using following path or URL: Power Platform admin center (microsoft.com)

Data Loss Prevention or DLP's can be defined within the PowerPlatform admin center (see print screen below). Click on the purple 'New policy' button in order to create a new policy.

In a first step give your new Data Policy a name. Let's create a new policy and apply it at tenant level. This can be used when you want to impose a data security policy at a global level. Subsidiaries residing in other PowerApps environment are impacted by this global policy applied.

In a following step you will see 3 different groups or containers. Data connections are being 'tagged' belonging to one of the those groups. Below the 3 different types:

  • Business group

  • Non-Business group

  • Blocked group

Connectors or data belonging to an organization level should be linked to the 'Business group' container. Connectors of a more personal sphere should be put into the 'Non-Business' group. By default all connectors are being put into the non-business group.


Imagine now that at a global level we want to restrict possible data connection combinations to the following set: Dataverse, Desktop flows, Salesforce (yes it's open source ;)). This can be done by selecting these connectors and moving them to the 'Business group'.

Repeat the same steps for the Dataverse and Desktop flows connection. Result is that the 3 connections reside in the 'Business' container.

Ok let's apply this DLP policy at a tenant level. Therefore select the 'All environment' option in the range section.

To finish this setup click on the 'Create policy' button at the end of the wizard. In this DLP section you can see that our policy at tenant level is activated.

Ok how is this DLP policy influencing Citizen Developers when building apps or automations?

When creating net PowerApps or PowerAutomate flows with different set of connections, a policy error will arise.


The DLP comes into action and disallows the combination of Dataverse and SharePoint. Giving following error: 'This operation violates admin data policy 'DLP tenant', which restricts the use of business connector 'shared_commondataserviceforapps' with non-business connector 'shared_sharepointonline'.

In other words the combination set between Dataverse and Sharepoint Online is not allowed by the DLP being applied.

Summarizing, think about how 'Data Loss Prevention' or DLP policies can be part of your organizational security approach when adopting PowerApps applications and/or PowerAutomate workflows. But also keep in mind to provide enough flexibility to Citizen Developers in order to explore the 'Power of the Platfotm'.

A different data security strategy can be applied per environment, making for example the PowerApps production environment more stricter than let's say a PowerApps development environment.


As mentioned in my previous blog post ('Boosting you Data Security within Portals'), data security should be one of the dimensions within your PowerPlatform Governanace approach. Having a clear view on the different company connection combinations and preventing possible data leaks.


Good luck in applying this!


By Frank Vanhamel

Microsoft PowerApps Evangelist


 
 
 

Comments

©2022 by Frank Vanhamel - Copyright

bottom of page