Jon Russell

Configuring column level security in a Dataverse table

Hey all,


How are you doing? I have been out on some sweet walks this weekend. This is a picture of the view from Wendover Woods looking towards Coombe Hill, the highest point in the Chilterns:



A view from Wendover Woods looking west


Are you counting down to Christmas yet? It's starting to go Christmas crazy in this house, I can smell the orange peel and cinnamon.


I wanted to talk about column field security in Dataverse in this blog post. Imagine this use case: we have a Model-Driven app for managing nursery staff, children, rooms etc., and we want to limit reading, writing and creating values in some columns to managers within the nursery only.


Well, column field security is your bad boy here!


First, look for the fields that you want to manage through column field security. Below is a screenshot of a Parent record inside the Nursery solution. At the moment, anyone with the correct security role applied can see all of the address information. This should only be visible to the manager of the nursery.



Columns we wish to secure in the model-driven app

Let's head over to the Parent table inside the Nursery solution. For each of the columns we want to secure under column field security, we need to open the column up, expand the Advanced Options, tick the check box for Enable column security and then click Save. In this example, I am going to do it for Address Line 1, Address Line 2, County and Postcode.




Enabling column security per column in Dataverse table advanced options

I now need to head over to the Power Platform Admin centre (https://aka.ms/ppac), or PPAC for short, and go to my Environment > Teams:



Creating a team in a Dataverse Power Platform environment

If we click See All under Teams, we will see a list of existing teams that have been configured for the environment.


To give us greater control over the members of this team that we are about to create, we can create an Azure Entra ID Security group, and membership of this group can then be linked to the team.


Head over to Microsoft Entra (new name for Azure Active Directory) in the Azure Portal (https://portal.azure.com).


Click on Groups > New Group and give your group a name. I like to prefix my security groups with SG:



Creating a Microsoft Entra security group in the Azure Portal

Click Create to create the security group.


Let's head back to PPAC, and create a new team:



Creating a Team in the Dataverse environment and linking to the Entra ID security group


It's important to note that Teams are environment specific. If you are building this functionality and moving your solution between environments, you would need to create the teams in each target environment.


Click Next to create the team. You will be asked to assign it a security role that has been previously created.


Now go back to your solution in Dataverse, and click on New > Security > Column security profile. In our example, I have called it Nursery Managers. Save the record and then click on Teams in the left-hand navigation area:



Configuring column security profile

In the Look in drop-down, change the value to All AAD Security Groups (looks like the Entra name change hasn't made it this far yet). I have then searched for NurseryManagers, and I can select that item and then click Add.


Click Save and close.


Return to your solution and you will now see that a Column security profile has been created. Open this part of the solution and click on the Column security profile we just created.


This takes you back into the classic editor, and we can now click on Field permissions and find the fields that we enabled for column field security: Address Line 1, Address Line 2, County and Postcode. Here we can double-click on each of these and restrict as we see necessary:



Setting Read, Write, Delete privileges per column

Now, when someone is put in the Entra Security group we created above, they will get the access permissions we have set on these columns.



Model Driven app Parent record showing keys for columns that are secured with the security profile


In the Model Driven app, we can now see the key next to each of the fields we have set up for column security.


As I am a System Admin, I can see all of the data. People who are not in the team would not see this data. Only Nursery Managers would be able to read, write and delete data in these columns.
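Because a System Admin sees everything, the form alone will not show a missed check box or a permission left at its default. The check below is an added example, not part of the original post: it compares the columns that should be secured against attribute metadata (`IsSecured`) and the profile's `fieldpermission` rows. The sample data is constructed, the `new_` column names are hypothetical, and the record shapes are assumed to match what the Dataverse Web API returns.

```python
# Added example. Data below is constructed; column names are hypothetical.
# Shape of Web API result for:
#   EntityDefinitions(LogicalName='<table>')/Attributes?$select=LogicalName,IsSecured
ATTRIBUTES = [
    {"LogicalName": "new_addressline1", "IsSecured": True},
    {"LogicalName": "new_addressline2", "IsSecured": True},
    {"LogicalName": "new_county", "IsSecured": True},
    {"LogicalName": "new_postcode", "IsSecured": False},  # check box was missed
    {"LogicalName": "new_name", "IsSecured": False},      # not meant to be secured
]
# Shape of fieldpermission rows for the one profile being audited.
FIELD_PERMISSIONS = [
    {"attributelogicalname": "new_addressline1", "canread": 4, "cancreate": 4, "canupdate": 4},
    {"attributelogicalname": "new_addressline2", "canread": 4, "cancreate": 0, "canupdate": 0},
]
EXPECTED = ["new_addressline1", "new_addressline2", "new_county", "new_postcode"]
ALLOWED = 4  # field permission option value for "Allowed"; 0 is "Not Allowed"


def audit(expected, attributes, permissions):
    """Return (column, problem) pairs for columns that are not set up as intended."""
    secured = {a["LogicalName"] for a in attributes if a.get("IsSecured")}
    by_column = {p["attributelogicalname"]: p for p in permissions}
    findings = []
    for column in expected:
        if column not in secured:
            findings.append((column, "column security not enabled"))
            continue
        row = by_column.get(column)
        if row is None:
            findings.append((column, "secured, but profile grants nothing"))
            continue
        denied = [k for k in ("canread", "cancreate", "canupdate") if row.get(k) != ALLOWED]
        if denied:
            findings.append((column, "profile does not allow: " + ", ".join(denied)))
    return findings


if __name__ == "__main__":
    for column, problem in audit(EXPECTED, ATTRIBUTES, FIELD_PERMISSIONS):
        print(f"{column}: {problem}")
```

Running the same check in each target environment after importing the solution catches drift between environments.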


Thanks for reading, if you have any questions, please drop them in the comments.


Have a great day!
