Configure database security

The Common Data Service uses a role-based security model to help secure access to the database. This topic explains how to create the security artifacts that you must have to help secure an app. The user roles control run-time access to data and are separate from the Environment roles that govern environment administrators and environment makers. For an overview of environments, see Environments overview.

It's important that you understand what level of access to these entities users of the app require. The Common Data Service supports create, read, update, and delete (CRUD) permissions on entities.

  • Create – A user can create new entries in the entity.
  • Read – A user can view and search existing entries in the entity.
  • Update – A user can update or edit an existing entry in the entity.
  • Delete – A user can delete or remove an existing entry in the entity.

The two permission levels that are most often used are read-only access and full access. The Common Data Service includes permission sets at these two permission levels for all its entities. View permission sets provide read access to an entity. Maintain permission sets provide full access to an entity.

The security model enables any combination of these permissions to be assigned to a user role. Roles combine the various permissions that are granted across the permission sets that are added to them. Therefore, the members of a role can access all the data to which the permission sets included in the role grant access. For more information about the Common Data Service security model, see Security model.

Identify the entities

To configure the correct access controls for an app, you must know what entities the app uses. To see a list of the entities that an app uses, follow these steps.

  1. Open the app in Microsoft PowerApps Studio.
  2. On the Content tab, click or tap Data sources. The list of data sources appears in the right pane.

Configure security

When you create a new entity, you must also create a new permission set or edit an existing permission set to provide access to the entity's data. When you create an app, we recommend that you also create a permission set that provides access to all the entities that are required in order to run the app. Security is managed in the admin center.

  1. Open the admin center.
  2. Click or tap the environment that contains your database.
  3. Click or tap Security. You can then use the Permission sets and User roles tabs to configure security on your database.

Create a permission set

To enable access to a new app, you must first create a new permission set.

  1. Click or tap Permission sets.
  2. Click or tap New permission set to create a permission set.
  3. Enter a name and description for the permission set, and then tap or click Create. The new permission set appears in the list of permission sets.
  4. Click or tap the permission set that you just created.
  5. Click or tap the Entities tab. The Entities tab contains a list of all the entities in your database. For each entity that is used in your app, select the check box for the permission to allow.
  6. Click or tap Save.

Create a policy (Technical Preview)

To enable or restrict access to the records in an entity, you must first create a policy.

  1. Click or tap Policies.
  2. Click or tap New policy.
  3. Enter a name and description for the policy.
  4. Select the type of policy to create. If you're creating a picklist policy, enter the picklist to use.
  5. Select the operator to use.
  6. Select the value for the policy to check against.
  7. Click or tap Create.

Assign a policy (Technical Preview)

To apply a policy, you must assign it to a data entity in a permission set.

  1. Click or tap Permission Sets.
  2. Click or tap the permission set to assign a policy under.
  3. Click or tap the Edit button for the entity to assign a policy to.
  4. Expand the Policy assignment section.
  5. Select the data operations to apply a policy to (Create, Read, Update, or Delete).
  6. Select the entity field that the policy will be based on.
  7. Select the policy to assign.
  8. Click or tap Assign.
  9. Click or tap Save.

Create and assign a role

After the correct permissions are included in a permission set, you can create a role that can be assigned to users.

  1. Click or tap User roles.
  2. Click or tap New role.
  3. Enter a name and description for the role, and then click or tap Create. The new role appears in the User roles list.
  4. Click or tap the role that you just created.
  5. Click or tap the Permission sets tab.
  6. Enter the name of the permission set that you created earlier. In the drop-down list that appears as you type, click or tap the permission set to add it to the role. Repeat this step for every other permission set that you want for the role.
  7. Click or tap the Users tab for the role.
  8. Enter the names or email addresses of the users or groups to add to the role. In the drop-down list that appears as you type, click or tap the user. Users and groups that the role will be assigned to are added to the list.
  9. Click or tap Save.

The users or groups in this role can now access the data to which any permission set associated with the role grants access. To use the data in your database, a user must have a security role and access to a PowerApps app that uses the data.

Edit permission sets and roles

To edit roles and permission sets after they have been created, click the Edit button.

To delete a role or permission set, use the Delete button.

Out-of-box security roles

Two security roles are provided out of the box:

  • Database Owner – The Database Owner role is intended for users who have an administrative function. The creator of the environment is automatically assigned to this role. Users in this role always have full access to all entities in the database. They even have full access to new entities that are added. Users in this role can also create and edit entity schemas in the database. You don't have to add permission sets to this role. You just have to assign users to it.
  • Organization User – The Organization User role is the default role that is assigned to all users. The purpose of this role is to give all users access to the entities that contain public data. If an app is shared in restricted mode, the entities that the app uses should be contained in this role. You don't have to assign this role, because it's already assigned to everyone in your organization. You just have to add the permission sets that you want to give to your whole organization.
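
The way roles combine permission sets, together with the two out-of-box roles, can be modeled to review a planned configuration before it is entered in the admin center. This is an added example, not Microsoft's code and not a Common Data Service API; the entity names, permission sets, users, and the `org_wide_writes` check are constructed for illustration.

```python
from dataclasses import dataclass, field

CRUD = frozenset({"create", "read", "update", "delete"})

@dataclass
class PermissionSet:
    name: str
    grants: dict  # entity name -> set of CRUD operations allowed

@dataclass
class Role:
    name: str
    permission_sets: list = field(default_factory=list)
    members: set = field(default_factory=set)

def effective_access(user, roles, entities):
    """Union of the CRUD grants a user receives across all of their roles."""
    access = {e: set() for e in entities}
    for role in roles:
        if role.name == "Database Owner" and user in role.members:
            # Full access to every entity; no permission sets are needed.
            return {e: set(CRUD) for e in entities}
        # Organization User is assigned to everyone, so membership is implicit.
        if role.name == "Organization User" or user in role.members:
            for ps in role.permission_sets:
                for entity, ops in ps.grants.items():
                    access.setdefault(entity, set()).update(ops)
    return access

def org_wide_writes(roles):
    """Entities that every user in the organization can modify."""
    findings = {}
    for role in roles:
        if role.name == "Organization User":
            for ps in role.permission_sets:
                for entity, ops in ps.grants.items():
                    if set(ops) - {"read"}:
                        findings.setdefault(entity, set()).update(set(ops) - {"read"})
    return findings

# Constructed sample configuration (hypothetical entities, sets and users).
ENTITIES = ["Product", "Order", "Salary"]
view_catalog = PermissionSet("View Catalog", {"Product": {"read"}})
maintain_orders = PermissionSet("Maintain Orders", {"Order": set(CRUD)})
maintain_catalog = PermissionSet("Maintain Catalog", {"Product": set(CRUD)})
ROLES = [
    Role("Database Owner", members={"admin@example.com"}),
    Role("Organization User", [view_catalog, maintain_orders]),
    Role("Catalog Editor", [maintain_catalog], {"kim@example.com"}),
]
```

In this sample, `org_wide_writes(ROLES)` reports the Order entity because a Maintain permission set was added to Organization User, which grants create, update, and delete to the whole organization.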