Open GU-VITA opened 1 year ago
Hello,
That's expected behaviour today: the CoE kit is set up with a Power Platform admin account which has access to all environments in the tenant, and then gathers all tenant inventory centrally to display in the various apps and flows. We currently don't have knowledge of individual environment admins and thus do not offer security trimming. The CoE kit today only works for centrally managing the platform.
We can add exploring your suggestions to our feature backlog, but they would be quite complicated changes to the kit and we may not be able to prioritize these.
Manuela
Manuela,
This actually means the core solution "Power Platform Admin SR" role can only be granted to Power Platform Service Administrators and not Environment Administrators.
We are the governance entity for the Commonwealth of Virginia. We have a single tenant for all state agencies. Each agency has a set of Power Platform environments with dedicated environment admins. We have 60 agencies and 400 Power Platform environments.
What would be the recommended way for an agency environment admin to use some of the COE apps to manage their apps and flows?
I do not understand why the COE Dataverse does not have a separate entity to capture environment admins so security trimming could be easily implemented against all COE apps.
I believe this is a critical area of improvement that needs to be added to the COE.
Hello,
That's correct: if the CoE kit is installed in one central environment, the target persona is for a Power Platform service admin to manage it. Some customers who are very decentralized set up the CoE kit in multiple environments and install it with the Environment Admin persona, so then only data that environment admin has access to is gathered.
Please also understand that the CoE kit is a reference implementation; there's no one size fits all to Power Platform governance, and the CoE kit only aims to provide some templates on how a tooling approach could work. Some of our customers work with partners to extend and customize the kit to fit their needs, which may be the best approach for you.
Manuela
Manuela,
Thank you for the feedback, but since the COE is getting updated every 3 months, it would be challenging to keep all of these distributed environments in sync. Customization might be difficult to maintain across updates.
My question remains the same: adding an Environment Admins entity to the CORE solution will allow the COE to scale out to any organization security model.
From: Manuela Pichler @.> Sent: Tuesday, March 14, 2023 11:44 AM To: microsoft/coe-starter-kit @.> Cc: Urena, Gilles (VITA) @.>; Author @.> Subject: Re: [microsoft/coe-starter-kit] [CoE Starter Kit - FEATURE] CoE apps to respect Environment Admin permissions (Issue #4974)
We'll add this to our feature backlog for exploration. Thanks for the feedback.
Great. Thanks
Describe the issue
As an environment admin, I can update the permissions of an app or a flow located in a PP environment my account is not set up in. Both apps will display exceptions up top, but I can still click on "Manage Users" and assign a role to the user.
I have confirmed the same behavior in all COE environments we own (DEV/TST/PROD).
The same issue is happening when selecting the "Orphaned" tab on both apps.
Expected Behavior
What solution are you experiencing the issue with?
Core
What solution version are you using?
Dec 2022 and Feb 2023
What app or flow are you having the issue with?
Set App Permissions and Set Flow Permissions
Steps To Reproduce
Anything else?
No response
AB#1060