New environment has all users added by default and cannot remove users? - power-platform

I have created a new environment where I only want a sub set of people to be able to create apps and flows. However it seems like everybody is added by default and cannot be removed?

This is the expected functionality. When you create a Dataverse database in an environment all licensed users will be added. Users do not have any access to the database unless you assign them a security role.
Once a user is added to the Dataverse database that user record cannot be deleted. They can be inactivated, but not deleted.
You can control this behavior by defining a security group at the time of database creation. If you define a security group only the members of the security group will be added as users to the database.
When creating the database you can assign a security group:
From https://learn.microsoft.com/en-us/power-platform/admin/control-user-access:
When users are added to the security group, they are added to the Dataverse environment.
When users are removed from the group, they are disabled in the Dataverse environment.
When a security group is associated with an existing environment with users, all users in the environment that are not members of the group will be disabled.
If a Dataverse environment does not have an associated security group, all users with a Dataverse license (customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), Power Automate, Power Apps, etc.) or per app plan will be created as users and enabled in the environment.
If a security group is associated with an environment, only users with Dataverse licenses or per app plan that are members of the environment security group will be created as users in the Dataverse environment.
When you assign a security group to an environment, that environment will not show up in home.dynamics.com for users not in the group.
If you do not assign a security group to an environment, the environment will show up in home.dynamics.com even for those who have not been assigned a security role in that Dataverse environment.
If you do not specify a security group, all users who have a Dataverse license (customer engagement apps (such as Dynamics 365 Sales and Customer Service)) or per app plan will be added to the new environment.
New: Security groups cannot be assigned to default and developer environment types. If you've already assigned a security group to your default or developer environment, we recommend removing it since the default environment is intended to be shared with all users in the tenant and the developer environment is intended for use by only the owner of the environment.
Dataverse environments support associating the following group types: Security and Microsoft 365. Associating other group types is not supported.

Related

AzureAD Priviledged Access Management (Group Management) from ServiceNow - Cannot assign time-bound (temporary) group assignment

Trying to use API to temporarily assign Users to Groups in Azure AD Azure AD - Privileged Identity Management (PIM) from ServiceNow using ServiceNow - Azure AD Spoke.
I can create group assignment in AzureAD as 'Permanent' but I cannot set it to temporary ('eligible').
My groups' types in AzureAd provisioned form ServiceNow
As per PIM docs, this is what I want:
-> Assign time-bound access to resources using start and end dates
I tried to reproduce the same in my environment:
The Azure AD Privileged Identity Management (PIM) service ,the eligible role can be activated when the role is needed to work, and its permissions expire once done.
Eligible is when use can decide to end it when needed , where as Active assignment is when the start and end dates are given prior to starting.
Both of them has the permanent option to enable role assignment that never ends.
In your case .It might have the permanent check box enabled by default:
The administrator can change this if need:
Then unselect the permanent check box , to give only temporary access:
Then the temporary access is given with the selected end date and time.
Same goes to active assignments:
Reference: What is Privileged Identity Management? - Azure AD - Microsoft Entra | Microsoft Learn

Create a new users group for inno setup [duplicate]

This question already has an answer here:
Inno Setup - How to give one specific user rights to a folder
(1 answer)
Closed 2 years ago.
I need to create a new usersgroup, because it is not included in the ones already created :
authusers Authenticated Users group
creatorowner Creator Owner
everyone Everyone group
guests Guests group
networkservice Network service account
service Local service account
system Local system account
users Users group
The usergroup that I need is IUSR, how can I grant all rights to this group ?
Inno Setup does not have any built-in functionality for creating users groups (nor accounts). Neither it allows settings permissions specifically for a certain group or account.
So for both, you need to invoke respective command-line tools.
For creating a user group, use net localgroup.
For setting permissions, use cacls or icalcs.
See Inno Setup - How to give one specific user rights to a folder

Implementing security via SQL Server roles or Windows groups

I'm looking for the best way to secure access to the data stored into an SQL Server database (accessed via stored-procedures).
Company's users are split into 3 entities with associated Windows security groups: G_SUBSIDIARY1, G_SUBSIDIARY2, and G_HOLDING.
Each application is associated with a Windows security group: G_APPLICATION1, G_APPLICATION2, G_APPLICATION3...
These security groups are mostly used to control access to shared folders dedicated to each entity and application.
The stored-procedures should filter data depending on who request them.
As an example to access data in table APPLICATION1_DATA you must be a member of group G_APPLICATION1.
And depending on your entity you will access a different subset of the data (discriminator is a column with the entity to which the data belongs).
To apply authorization I was thinking of relying only on Windows security groups and checking with the IS_MEMBER function if the current user (authenticated via Windows authentication) belongs to each: IS_MEMBER("COMPANY\G_APPLICATION1") and IS_MEMBER("COMPANY\G_SUBSIDIARY1").
The main advantages I see is that there is only one object to manage, and if later users are added or removed this is transparent on the database side.
But I wonder if there is any drawbacks with this method, and if on the contrary there would be some advantages to use SQL Server roles in addition to these security groups.
It would add some maintenance to keep them up-to-date but it might be worth it...

Azure DataSync with SQL Azure databases across subscriptions

I am trying to synchronise databases in two different subscriptions using Azure datasync on the new portal
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-get-started-sql-data-sync
On the portal, I do not get the ability to choose subscription or connection string to connect to a Azure database on a different subscription (this is not on premise)
The options presented are either
a) Database from existing subscription + database server
b) on-premise database- with a sync agent to be downloaded
Can linking to another database via connection string be implemented via API's or is there any restriction or feature limitation around this?
Based on your comment, your issue is due to you having different logins for each subscription. In order to achieve what you want to do, you will need to cross add the various users to the subscriptions.
First, log into your Azure portal. Navigate to the subscription you are the admin for. Click on Access control (IAM) to manage the permissions for it.
Click the Add button which will bring up a dialog to add permissions. Simply select the role you wish to grant (I believe you will need contributor for this) and enter the email address of the user that you want to grant permissions to.

SharePoint FBA and Custom data - SharePoint 2010

Am I doing this right?
I have a client, they currently have a portal for their users, all their users are in an oracle database. They want to move to SharePoint 2010.
The user will log into the site via their username and password, which I will need to migrate from their existing database. The users also have account information, which I'll need to query FROM their existing database in Oracle (over a VPN tunnel from the web front end to their Oracle DB).
For the user authentication;
ASP.NET Membership -
I tried to configure my application to run under FBA. The aspnet_regsql.exe application created Users and Roles tables in my database (and a whole bunch of other ones). I need to add account_id, which is a foreign key to the client's database, and firstname, last name, which we'll store and need to surface on our application.
Where to I create the account_id and other fields that need to be associated to the user?
Is the ASPNET Profile table the same as the SharePoint Profile from the API? How do I populate this database to try?
Through IIS? Do I need to write a custom registration webpart, or can I somehow add custom columns to the profile and reprovision the ASP.NET user registration control in a visual webpart?
Thanks in advance for the help!
The ASPNet profile table is not the same as the SharePoint Profile. The SharePoint Profiles are assigned their own database thus much more robust where as theASPNET profile contains all of the propertynames/values for a single user in a single row, not really the best deal.
Your can use IIS to populate the users/roles, but you need to keep changing the Default Role and Membership providers. One way will let you add users and roles, but not let you log into SharePoint. The other vice versa. You can create the properties for the profile and assign them default values but I don't beleive you can set them on a user by user basis, I won't swear to that though. I found this tool on codeplex for FBA management but have not had time to test it yet.
I am also trying to figure out the FBA/user profile question. SharePoint is smart enough to create profiles for Windows accounts. I am hoping that once the providers for FBA are created it will pull the users name and basic info from the FBA provider and create SharePoint profiles as well so that I can use the UserProfileManager to access/store profile based information from the SharePoint profile database. It looks like you can configure the User Profile Service to sync with other sources, thats what I am going to investigate once I have some more free time.
try the new ASP.Net Identity System.
Introduction to ASP.NET Identity
and
Customizing User's Profile to add new fields in brand new database table here