10 years ago, this past Thursday I authored an article on the ‘mis-use’ of security roles and the inherent danger when this happens.
How to Avoid Human Induced Catastrophe in CRM on Technet.
Simply put while we don’t call it CRM any longer (at least officially) the problem is still with us. But now it is haunting us from a different perspective.
Recently, as part of a larger project I came across how this is being manifested.
We are in the process of moving clients from Team Member licenses to Power Apps per apps licenses.
Something didn’t look right in the sharing process. Digging in a little I discovered that several users that previously had Team Member licenses were getting all the Model Driven Apps shared with them. Drilling down further the cause became obvious – they had the System Administrator and/or System Customizer security roles assigned to them.
This is going to create two significant new issues:
- License violation – Power Apps per App licensed users have more limited security privilege’s than the all encompassing system wide do everything System Admins.
- License consumption – Instead of following your strategy for the tactical process of sharing just the Model Driven App(s) with users that specifically need access to those apps, they will have access to all the apps in the environment. Consequently, consuming a per app license for each app. It will run you out of app licenses before you know it (once this is enforced).
And finally, it is just plain bad practice to grant this level of rights to a ‘light’ user that most likely has not had any System Admin training and
should must have an Enterprise Dynamics license of some flavor along with the training to be legit.
Bonus – Need to check which users have access to which apps? Use this URL but replace ‘YOURENVIRONMENT’ with your the environment name. https://YOURENVIRONMENT.crm.dynamics.com/WebResources/msdyn_AppaccessChecker.html