
Hi Microsoft,


Recently we were working on an issue and encountered the following potential security risk, which is correlated with Project for the web.


Project for the web stores its data in a Dataverse table named "Project" in the default environment.

When it comes to Power Platform administration and permissions, the System Customizer role by default gains access to ALL Dataverse tables, including "Project".


System Customizer will be required when:

  • A custom table needs to be created.


Potential users who will be assigned System Customizer:

  • Developer
  • External users who work on project.


This means that when they are assigned the System Customizer role, they will automatically gain access to the Project table and can read all data.


Creating a custom security role to limit the permission to the "Project" table is an option, but it is limited to people who are aware of it. For those who are not aware, it is a data leak risk.


Can Microsoft re-evaluate the System Customizer permission?



Category: Dataverse
Status: New