Views:

Applies to Product - Microsoft Dataverse
 

What’s happening?
Non-admin users have unauthorized access to the Web API service, allowing them to connect to various services and extract data without proper permissions.
 

Reason:
This arises from the configuration of security roles. When duplicating a security role and removing specific privileges, the expected restrictions are not enforced, leading to unauthorized access.
 

Resolution:
For Restricting Non-Admin Users' Access to Web API Service:

  1. Ensure that the security role assigned to the user does not include the necessary privileges for accessing the Web API service.
  2. Test the configuration by duplicating the Out-Of-Box (OOB) role and removing the specific privilege. Verify that the expected restrictions are enforced.
  3. If the issue persists, consult the relevant documentation or support channels for updates on the feature to restrict access.
General Steps:
  1. Review the security roles and privileges assigned to users to ensure compliance with internal security guidelines.
  2. Monitor updates from the development team regarding any fixes or enhancements related to these issues.