How are you doing? I have been out on some sweet walks this weekend. This is a picture of the view from Wendover Woods looking towards Coombe Hill, the highest point in the Chilterns:
Are you counting down to Christmas yet? It's starting to go Christmas crazy in this house, I can smell the orange peel and cinnamon.
I wanted to talk about Column Field security in Dataverse in this blog post. Imagine this use case. We have a Model-Driven app for managing Nursery staff, children, rooms etc. We want to limit the read/write and create of some values in columns to managers within the nursery only.
Well, column field security is your bad boy here !
First, look for the fields that you want to manage through column field security. Below, is a screenshot of a Parent record inside the Nursery solution. At the moment, with the correct security role applied, anyone can see any of the address information. This should only be visible to the manager of the nursery.
Let's head over to the Parent table inside the Nursery solution and for each of the columns we want to secure under column field security, we need to open the column up, expand the Advance Options and then click the check box for Enable column security and then click save. In this example, I am going to do it for Address Line 1, Line 2, County and Postcode.
I now need to head over to the Power Platform Admin centre (https://aka.ms/ppac) or PPAC for short, and go to my Environment > Teams:
If we click See All, under the teams, we will see a list of existing Teams that have been configured for the environment.
To give us greater control over the members of this team that we are about to create, we can create an Azure Entra ID Security group, and membership of this group can then be linked to the team.
Head over to Microsoft Entra (new name for Azure Active Directory) in the Azure Portal (https://portal.azure.com)
Click on Groups > New Group and give your group a name. I like to prefix my security groups with SG:
Click Create to create the security group.
Let's head back to PPAC, and create a new team:
It's important to note, that Teams are environment specific. If you are building this functionality and moving your solution between environments, you would need to create the teams in each target environment.
Click Next to create the team, you will be asked to assign it a security role that has been previously created.
Now go back to your solution in Dataverse, and click on New > Security > Column security Profile. In our example, I have called it Nursery Managers, save the record and then click on Teams in the left-hand navigation area:
In the Look in drop down change that to All AAD Security Groups (looks like the Entra name change hasn't made it this far yet), I have then searched for NurseryManagers, and I can select that item and then click Add.
Click Save and close.
Return back to your solution and you will now see a Column Security profile has been created. Open this part of the solution and click on the Column security profile we just created.
This takes you back into the classic editor, and we can now click on Field permissions and find our fields that we enabled for column field security - Address Line 1, Address Line 2, County and Post code. Here we can double click on each of these and restrict as we see necessary:
Now, when someone is put in the Entra Security group we created above, they will get the access permissions we have set on these columns.
In the Model Driven app, we can now see the key next to each of the fields we have setup for column security.
As I am a System Admin, I can see all of the data. People who are not in the team would not see this data. Only Nursery Managers would be able to read, write and delete data in these columns.
Thanks for reading, if you have any questions, please drop them in the comments.
Have a great day !