When we build apps with Dataverse, it’s not enough to just decide who gets access. We also need to control what data each person can actually see. Two key governance practices that help achieve this are:
Row Level Security (RLS): Decides which records a user can see. For example, an employee only sees their own record, a manager sees their department's records and HR sees everyone's.
Object Level Security (OLS): Decides which tables or fields a user can see. For example, only HR should see the 'Salary'-column, while for everyone else it's completely hidden.
By combining the two, we make sure people only see the data that’s relevant to them. It keeps sensitive information safe and avoids unnecessary exposure.
Concepts in Dataverse
RLS: Controls which records (rows) a user can see.
Implemented via Security Roles and Hierarchical Security.
OLS: Controls which tables (entities) and columns (fields) a user can see.
Implemented via Table permissions and Field-Level Security Profiles.
Scenario
You’re building an HR app in Power Apps using Dataverse with the following tables:
Employees (EmployeeID, Name, Department, Salary, Manager, etc.)
Departments (DepartmentID, DepartmentName, ManagerID, etc.)
Rules:
Regular employees should see only their own record.
Managers should see employees in their department.
HR staff should see all employees + Salary field.
Non-HR users should never see Salary at all.
Setting up Row Level Security (RLS)
Go to Power Platform Admin Center > Select the environment > Users + permissions > Security roles
Create 3 roles: Employee Role, Manager Role and HR Role
Permissions
None = No access
User = Access only to records the user owns
Business Unit = Access to records in the same BU
Parent: Child BU = Access to their BU + child BUs
Organization = Full access
For the Employee Role, select the 'Employees'-table, set 'Read'-permission to 'User' and save. This means the user can only see rows they own.
For the Manager Role set 'Read'-permission to Business Unit and save. Managers will see records in their own business unit.
For HR Role set 'Read'-permission to Organization (full access).
Give broader rights (Create, Write, Delete, etc.) if HR should manage all employee records.
Assign roles to users
Go back to 'Settings' in the admin center and under Users + permissions select 'Users'
Select a user and select 'Manage security roles'. Now add the role that matches their job (Employee, Manager, HR). Hit save.
Result
- Regular employees only see their own record.
- Managers see employees in their BU.
- HR sees all employees.
Setting up Object Level Security (OLS)
We want to hide Salary from everyone except HR.
Go back to settings and select 'Column security profiles'
Add a New Profile:
Add users or teams:
Enable Field security
Go to the 'Employees'-table > select 'Salary'-column > set Field security/Enable column security = Enabled
Now, only users in a Field Security Profile can see/edit it.
Everyone else (anyone not in the 'HR Sensitive Data Access'-profile) automatically gets No access. Salary will be hidden from forms, views and apps.
Result
- HR Role + HR Sensitive Data Access profile = full visibility of Salary.
- Everyone else = cannot even see the column, it’s completely hidden in Dataverse, model-driven apps, and API queries.
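How the two layers combine for the scenario's roles, as an added example that is not part of the original post and not Dataverse's own implementation: a small Python model of the access levels and the column security profile. The business-unit tree, the `owner`/`owner_bu` keys and the sample rows are constructed assumptions, and a secured column is simply dropped from the returned row.

```python
from dataclasses import dataclass

# Access levels from the permissions list, narrowest to broadest.
NONE, USER, BUSINESS_UNIT, PARENT_CHILD, ORGANIZATION = range(5)

# Constructed sample data (assumptions): BU tree, role settings, employee rows.
BU_PARENT = {"Root": None, "Sales": "Root", "Sales-EU": "Sales", "HR": "Root"}
ROLE_READ = {"Employee Role": USER, "Manager Role": BUSINESS_UNIT, "HR Role": ORGANIZATION}
SALARY_PROFILE = "HR Sensitive Data Access"
EMPLOYEES = [
    {"Name": "Ann", "owner": "ann", "owner_bu": "Sales", "Salary": 50000},
    {"Name": "Bob", "owner": "bob", "owner_bu": "Sales", "Salary": 52000},
    {"Name": "Cy", "owner": "cy", "owner_bu": "HR", "Salary": 61000},
]

@dataclass
class User:
    name: str
    bu: str
    roles: tuple
    profiles: tuple = ()

def in_subtree(bu, ancestor):
    """True if bu is ancestor or one of its child business units."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def can_read_row(user, row):
    """RLS: roles are cumulative, so the broadest Read level applies."""
    level = max((ROLE_READ.get(r, NONE) for r in user.roles), default=NONE)
    if level == ORGANIZATION:
        return True
    if level == PARENT_CHILD:
        return in_subtree(row["owner_bu"], user.bu)
    if level == BUSINESS_UNIT:
        return row["owner_bu"] == user.bu
    return level == USER and row["owner"] == user.name

def visible_rows(user, rows=EMPLOYEES):
    """Apply RLS first, then drop Salary unless the user is in the profile (OLS)."""
    keep_salary = SALARY_PROFILE in user.profiles
    return [{k: v for k, v in row.items() if k != "Salary" or keep_salary}
            for row in rows if can_read_row(user, row)]
```

The case worth checking with a test account is an HR Role user who was never added to the profile: the model returns every row but no Salary, because the role and the profile are assigned separately.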
Best Practices
Plan roles up front: Align with business rules before implementing.
Use security groups: Easier than managing individuals.
Test: Use 'View as role' or test accounts.
Least privilege principle: Give only the minimum data visibility needed.
Document roles: For governance, always keep a map of roles and their permissions.