Security Best Practices in Dataverse
Solutions
- Create separate environments for dev, UAT, and production
- Restrict access to environments through security groups
- Manage permissions through Azure Active Directory groups
- Extend existing security roles
- Use the rule of Least Privilege when creating security roles
- Limit the number of System Administrators
- Use teams to assign the same roles to a group of users
Creating separate environments for dev, UAT, and production enables you to resolve bugs and test new features before deploying to end users. In addition, resource administration is easier as all the resources are bound to the location of the Dataverse environment. You can also create environments based on geographical locations, although you must consider GDPR, as the database will be provisioned in the region you specify during creation.
By default, no security group is selected, which means any user in the tenant can access the environment. To restrict access to environments and strengthen security, select a security group.
Security roles can also be associated with an Azure Active Directory group. To simplify permissions and data access, create Azure Active Directory groups and associate roles with them.
Instead of creating a new security role from scratch, you can copy an existing role and update the privileges and access levels per the new role requirements.
When creating security roles, use the rule of least privilege, i.e., grant any security role only the minimum level of privileges it requires. Provide access to the minimum amount of business data required for the task. Assign users the appropriate role for their job with the minimum required access. Create a basic user role with the least permissions that all users must have.
Strictly limit the number of people assigned the System Administrator role. Don’t grant System Administrator, or any similar role with a high level of privileges, to too many users or service accounts, especially in production environments.
If many users require the same access, it’s a good idea to create a team of users and assign the required security role to the team rather than to each team member individually. Use teams to create cross-functional groups so that specific objects can be shared with the team.
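The checklist above can be checked mechanically against an inventory of environments and role assignments. The following is an added example, not code from this page or from Microsoft; the inventory layout, field names, sample principals and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_SYSADMINS = 3    # assumed policy limit per environment
TEAM_THRESHOLD = 3   # assumed: this many direct holders of one role suggests a team

# Constructed inventory; field names are this example's own, not a Dataverse export format.
INVENTORY = [
    {"name": "contoso-dev", "security_group": None, "assignments": [
        {"principal": "alice", "role": "System Administrator", "via": "direct"},
    ]},
    {"name": "contoso-prod", "security_group": "sg-prod-users", "assignments": [
        {"principal": "alice", "role": "System Administrator", "via": "direct"},
        {"principal": "bob", "role": "System Administrator", "via": "direct"},
        {"principal": "carol", "role": "System Administrator", "via": "direct"},
        {"principal": "svc-deploy", "role": "System Administrator", "via": "direct"},
        {"principal": "dave", "role": "Basic User", "via": "direct"},
        {"principal": "erin", "role": "Basic User", "via": "direct"},
        {"principal": "frank", "role": "Basic User", "via": "direct"},
        {"principal": "grace", "role": "Sales Manager", "via": "team:Sales"},
        {"principal": "heidi", "role": "Sales Manager", "via": "team:Sales"},
        {"principal": "ivan", "role": "Sales Manager", "via": "team:Sales"},
    ]},
]


def audit(environments, max_sysadmins=MAX_SYSADMINS, team_threshold=TEAM_THRESHOLD):
    """Return (environment, finding_code, detail) tuples for checklist violations."""
    findings = []
    for env in environments:
        name = env["name"]
        # No security group selected: any user in the tenant can access the environment.
        if not env.get("security_group"):
            findings.append((name, "NO_SECURITY_GROUP", "open to every tenant user"))
        admins = set()
        direct = defaultdict(set)  # role -> principals holding it by direct assignment
        for a in env["assignments"]:
            if a["role"] == "System Administrator":
                admins.add(a["principal"])
            elif a["via"] == "direct":
                direct[a["role"]].add(a["principal"])
        if len(admins) > max_sysadmins:
            findings.append((name, "TOO_MANY_SYSADMINS", ", ".join(sorted(admins))))
        # Many direct holders of the same role: assign the role to a team instead.
        for role, users in sorted(direct.items()):
            if len(users) >= team_threshold:
                findings.append((name, "USE_TEAM", f"{role}: {len(users)} direct assignments"))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep=" | ")
```

The Sales Manager role produces no finding because it is held through a team, while the three direct Basic User assignments are flagged as a candidate for a team.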