Security in Common Data Service
This section provides information on how Common Data Service, the underlying data platform for PowerApps, handles security, from user authentication to the authorization that allows users to perform actions with data and services. Conceptually, security in Common Data Service is there to ensure users can do the work they need to do with the least amount of friction, while still protecting the data and services. Security in Common Data Service can range from a simple security model with broad access to highly complex security models in which users have specific record-level and field-level access.
The following is a high-level overview of how the security model is implemented in Common Data Service.
- Users are authenticated by Azure Active Directory (Azure AD).
- Licensing is the first control gate for allowing access to PowerApps components.
- The ability to create applications and flows is controlled by security roles in the context of environments.
- A user’s ability to see and use apps is controlled by sharing the application with the user. Sharing of canvas apps is done directly with the user or an Azure AD group. Sharing of model-driven apps is done via Common Data Service security roles.
- Environments act as security boundaries allowing different security needs to be implemented in each environment.
- Flows and canvas apps use connectors. The specific connection credentials and associated service entitlements determine permissions when apps use the connectors.
- Environments with Common Data Service add support for more advanced security models that are specific to controlling access to data and services in the Common Data Service instance.