Is your organization interested in allowing makers to view their run history of desktop flows and other relevant activities in which they have a stake, while still restricting their access to production?
In this post we will show you how to customize security roles for Power Automate for desktop (RPA) and create a custom security role with minimum privileges to monitor production runs. Our post is filled with invaluable tips and tricks for keeping your data safe and protecting your company. So, whether you’re new to Power Automate for desktop or a seasoned pro, this is the ultimate guide for any administrator prioritizing data safety. Let’s get started!
Security roles are a key aspect of Power Platform that help maintain data security and privacy. These roles control access to restricted data and functions and are customized based on the company’s security requirements. With security roles, admins can define permissions for their staff and have better control over what data they can access. This helps prevent data leaks and unauthorized data access.
In Microsoft Dataverse, the role-based security model is used to secure access to the database. This allows environment-wide access to all resources or to configure access to specific apps and data in the environment. Security roles determine a user’s access to the environment’s resources. This access is determined by a combination of access levels and permissions included in a specific security role. This controls the user’s view of apps, flows and data, as well as their interactions with that data.
Within the Power Platform, every environment comes with a set of predetermined security roles. These roles are designed around common user tasks and provide access levels that are aligned with the best practice of providing the minimum amount of business data needed to properly use the app. This helps maintain your data’s security while allowing users to execute their necessary job responsibilities.
More information: Configure user security in an environment – Power Platform
Least Privilege Principle
The principle of least privilege is an important consideration when assigning permissions to users in a security role. This principle specifies that when assigning permissions to users in a security role, they should only be granted access to the data and functionality that is necessary to perform their job duties. Custom security roles can be created to ensure that users only have access to the tools and data they need to do their job, and nothing more. This helps ensure compliance with regulations and prevent data breaches.
Customization of Security Roles for Power Automate for desktop (RPA)
The least privilege model is a best-practice security principle that emphasizes the importance of users only being granted the permissions necessary to complete their authorized tasks or roles. In this post we will cover custom role “RPA Reviewer”, for Power Automate for desktop (RPA)
RPA Reviewer: Read only access for Power Automate for desktop (RPA) artifacts.
Creating RPA Reviewer Custom Security Role
In many organizations, it is typical for makers not to be granted access to production environments. However, to be able to view the workflow run history and other data relevant to daily operational activities, makers need access to this data. By creating a custom security role called “RPA Reviewer,” platform administrators can allow these makers read-only access to important automation information that resides within a production environment.
While establishing the minimum privileges, we need to define what actions RPA Reviewer role can perform within the production environment.
- In Power Automate portal,
- View desktop flows created by the user
- View desktop flow runs
- View desktop flow activity
- In Power Automate for desktop
- View-only desktop flow in designer
Let’s look at what permissions and privileges can be enabled to support the above requirements for this role:
|Process||Read, Write||User Level|
|Flow session||Read||User Level|
|Flow machine||Read||User Level|
|Flow machine group||Read||User Level|
|Flow machine image||Read||User Level|
|Flow machine network||Read||User Level|
|Workflow Binary||Read||User Level|
To implement this custom role in an environment, download the solution and import the security role to support the needs around having a read-only role for production environments.
Solution with Custom Security Role – RPA Reviewer
Download solution: PADCustomRoleReviewer_1_0_0_1
Below is a snapshot of the custom security role after importing the solution.
Note: The current approach is to import a solution to use this custom role.
Disclaimer: While the essential features utilized in creating the custom role are completely supported, the provided solution itself serves as an example implementation of these features and does not include any support. Our customers and community members have the freedom to utilize and modify this solution to establish custom roles within their organizations.
In conclusion, creating custom security roles is an integral part of maintaining data security and privacy in the Power Platform. Adhering to the principle of least privilege ensures that users only have access to the resources required to fulfill their job responsibilities, minimizing the risk of data breaches, and maintaining compliance with regulations. Custom security roles tailored to user roles and responsibilities not only provide a secure environment for users but also enhance their productivity and efficiency. By following the steps provided in this guide, admins can confidently customize security roles for Power Automate for desktop (RPA), empowering their makers in development and production environments.