Karthik Mahendrakumar Power Platform Specialist

Please make the Solution visible only to the solution creator in Power Apps makes the solution more secure.

When a new App or Flow is added to the solution, it becomes visible to everyone (makers) who has (System Customizer and Environment Maker roles).

The Flow run history is exposed to all the makers for 28 days period which is causing GDPR concerns over the visibility of Personal Data in the flow run and this is raising a few other concerns.

Also, a solution can be deleted by anyone. This is causing more issues and fears to Maker about his solution. Please can solution deletion be made only possible to Admins and Makers and make solutions more secure?

We are trying to achieve an efficient ALM process.

Introduction: The Power Platform is a dynamic environment for building and deploying applications and workflows. To further enhance security, streamline solution management, and facilitate an efficient Application Lifecycle Management (ALM) process, we propose a series of improvements. These enhancements aim to provide finer control over solution visibility, deletion, editing permissions, and flow run history access within Power Apps.

Proposed Power Platform Improvements on the Solutions:

• Selective Solution Visibility: Currently, when a new App or Flow is added to a solution, it becomes visible to all users with System Customizer and Environment Maker roles. To bolster solution security, we suggest introducing a feature that allows the solution creator to restrict solution visibility. By default, only the solution creator should have visibility to the solution. This ensures that sensitive applications and flows remain accessible only to authorized individuals, enhancing overall data security.

• Granular Solution Deletion and Editing Permissions: To address concerns regarding solution integrity and accidental alterations, we recommend refining solution deletion and editing permissions. By limiting solution deletion and editing rights to administrators and solution creators, the Power Platform ensures that only authorized personnel can modify or remove solutions. This change enhances accountability and safeguards against unauthorized actions that could compromise solutions.

• Enhanced Flow Run History Privacy in Solution: Recognizing the GDPR concerns related to flow run history visibility, we propose limiting access to flow run history data. Rather than exposing flow run history to all makers for a fixed 28-day period, the Power Platform should implement role-based access controls. This approach restricts flow run history visibility to solution creators, administrators, and designated personnel. This measure significantly reduces the risk of personal data exposure and aligns with data privacy regulations.

Conclusion: The proposed enhancements to the Power Platform address critical security and solution management concerns, aligning with the objective of achieving a robust ALM process. By allowing selective solution visibility, refining solution deletion and editing permissions, and safeguarding flow run history data, the Power Platform reinforces security measures and data privacy. Furthermore, to facilitate a more efficient ALM process, Power Platform could introduce features that enhance Solution Security and ensure that solution creators can work more efficiently, driving innovation while maintaining the integrity of their solutions.

When we create a new Unmanaged Solution in Power Apps, it becomes visible to every Maker (System Customizer and Environment Maker roles)

When we create or add the existing objects (App, flows, Bot, Reports) to the unmanaged solution, the objects become exposed and every Maker (System Customizer and Environment Maker roles) in that environment will automatically gain CRUD permissions to the Unmanaged Solution and its objects' (App, flows, Bot, Reports) as well.

Security Concerns

• This has created a need for increased security rights over the Unmanaged Solution and its objects' (App, flows, Bot, Reports).
• This is causing more issues and fears to Makers about their Unmanaged Solution and its objects' (App, flows, Bot, Reports).

Changes Needed

• Please make the Unmanaged Solution visibility, and its Read, Update, Delete (RUD) permissions restricted to only the Solution creator and Admins in Power Platform.
• Please make the CRUD permissions for the objects' (App, flows, Bot, Reports) inside Unmanaged Solution restricted to only the Solution creator and Admins in Power Platform.

This is to make the unmanaged solution more secure and achieve an efficient ALM process

Microsoft recently released a new feature to "Block unmanaged customizations (Preview)".

So when "Block unmanaged customizations (Preview)" is enabled, please allow the Owners and Admins with CRUD Permissions for Unmaged Solution and its Objects.

This will be a supportive improvement related to another idea below

https://experience.dynamics.com/ideas/idea/?ideaid=144f18a9-9edc-ee11-a73e-002248504629

Microsoft recently released a new feature to "Block unmanaged customizations (Preview)".

So when "Block unmanaged customizations (Preview)" is enabled, please allow the Owners and Admins with CRUD Permissions for Unmanaged Solution and its Objects.

This will be a supportive improvement related to another idea below

https://experience.dynamics.com/ideas/idea/?ideaid=144f18a9-9edc-ee11-a73e-002248504629