Guardians of the Records: Casting Spells for Secure Sharing in Dataverse

Bala Madhusoodhanan - Sep 30 - - Dev Community

Intro:

In Dataverse, managing record permissions is crucial for maintaining data security and integrity. Similar to file system permissions, Dataverse uses a structured approach to define who can access and modify records.

𝐎𝐰𝐧𝐞𝐫𝐬𝐑𝐒𝐩:
Every record in Dataverse is assigned three types of ownership:
πŸ”Ή Owner πŸ‘€ : The owner is the user who created the record or to whom the record has been assigned. Owners have full control over their records.
πŸ”Ή Team πŸ‘₯ : A team can consist of multiple users. All members of the team have the same permissions to access and manage the record. Teams are useful for collaborative environments.
πŸ”Ή Organization 🌐: This refers to all users within the organization. Permissions can be set at the organization level to allow broader access to records.

𝐏𝐞𝐫𝐦𝐒𝐬𝐬𝐒𝐨𝐧𝐬
Dataverse permissions are defined through security roles, which determine what actions users can perform on records
πŸ”Ή Create: Allows users to create new records.

πŸ”Ή Read: Allows users to view records.

πŸ”Ή Write: Allows users to modify the content of records.

πŸ”Ή Delete: Allows users to remove records.

πŸ”Ή Append: Allows users to associate the current record with another record.

πŸ”Ή Append To: Allows users to associate another record with the current record.

πŸ”Ή Assign: Allows users to change the owner of a record.

πŸ”Ή Share: Allows users to share records with other users or teams, specifying the level of access (read, write, delete).

Access Mask rightes in the platform is as below
Image description

When a user shares a record in Dataverse and grants specific permissions like Read, Write, and Append, the access rights are recorded using a combination of bitwise values. Each permission corresponds to a specific bit value, and the combination of these values determines the overall access rights.

Image description

Dataverse uses the PrincipalObjectAccess table to store sharing information. When a record is shared, an entry is created in this table with the following key fields:

PrincipalId: The ID of the user or team with whom the record is shared (User B in this case).
ObjectId: The ID of the record being shared.
AccessRightsMask: The combined bit value representing the granted permissions (7 in this case).

Detailed Access Mask Rights Value are as below:

Read Write Append AppendTo Share Value of Access Mask Rights
Yes Yes Yes Yes Yes 262167
Yes Yes Yes Yes No 23
Yes Yes Yes No Yes 262151
Yes Yes Yes No No 7
Yes Yes No Yes Yes 262163
Yes Yes No Yes No 19
Yes Yes No No Yes 262147
Yes Yes No No No 3
Yes No Yes Yes Yes 262165
Yes No Yes Yes No 21
Yes No Yes No Yes 262149
Yes No Yes No No 5
Yes No No Yes Yes 262161
Yes No No Yes No 17
Yes No No No Yes 262145
Yes No No No No 1

𝐁𝐞𝐬𝐭 𝐏𝐫𝐚𝐜𝐭𝐒𝐜𝐞𝐬
When configuring permissions in Dataverse, consider the following best practices:

πŸ”Ή Least Privilege: Grant users the minimum permissions necessary to perform their tasks. This reduces the risk of unauthorized access and data breaches.

πŸ”Ή Training: Educate users on the importance of data security and proper use of permissions to foster a culture of responsibility.

πŸ”Ή Regular Audits: Periodically review and update security roles and sharing settings to ensure they align with current business needs and compliance requirements.

Further Read:

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .