Column Security and Masking rules in Dataverse

Column Security in Dataverse

Column Security in Dataverse allows administrators to control who can view, update, or create data at a column level. It is useful when you want to protect sensitive information such as salary, email, bank details, and personal ID fields.

🔍 Why Use Column Security?

  • Protects sensitive data from unauthorized users.
  • Gives granular control - separate read, update, and create permissions.
  • Works with all security roles, teams, and business units.
  • Ensures compliance by restricting visibility to authorized users only.

⚙️ How It Works

  • You enable security on a specific column inside a table.
  • Then create a Column Security Profile.
  • Add users or teams to the profile.
  • Grant permissions like Read, Update, Create.

⚠️ Limitations of Column Security

  • Must be enabled per-column manually (not global).
  • Increases administrative management in large implementations.
  • Does not hide columns in views or forms - only values are restricted.
  • Audit logs still track access but show masked values for restricted users.
  • Fore more info click the below link
  • Column-level security - Power Platform | Microsoft Learn

Masking Rules in Dataverse (Managed Environments Only)

Masking Rules allow you to automatically hide sensitive information using a regular expression. You can mask data in secured columns for users who only have Read (masked) permission. This feature is part of Managed Environments.

🔍 Why Use Masking Rules?

  • Automatically hides data such as emails, phone numbers, and IDs.
  • Helps organizations maintain GDPR, HIPAA, and security compliance.
  • Works with regex for flexible masking patterns.
  • Easy to apply on existing secured columns.

⚙️ How Masking Rules Work

  • Create a masking rule inside a solution.
  • while giving name give like xxx_name.
  • Define a valid regular expression for matching sensitive text.
  • Choose the character to replace matched content (e.g., *, #, X).
  • Apply the masking rule to a secured column.
  • Users with “Read masked” permissions will see masked values.
  • For more information click on the below link.
  • https://learn.microsoft.com/en-us/power-platform/admin/create-manage-masking-rules

📌 Example: Mask Email Username



Regex to mask everything before @:

^[^@]+(?=@)

Result:

abc@gmail.com → ******@gmail.com

⚠️ Limitations of Masking Rules

  • Only supported in Managed Environments.
  • Cannot be created or used in Default, Trial, or normal Developer environments.
  • Work only on secured columns.
  • Masking applies only to the displayed values, not stored values.
  • Complex regex may impact performance in rich-text fields.
  • Audit logs always store masked values for restricted users.

Attribute Masking Rule in Dataverse

An Attribute Masking Rule represents the link between a secured column and a Secured Masking Rule. It defines where a masking rule is applied. You normally do not create this directly; it is created by Dataverse when you configure masking on a column.

🔗 How Attribute Masking Rules Are Created

  • First, you create a Secured Masking Rule in a solution (regex + masking character).
  • Then you go to a column, turn on Column Security, and open Advanced options.
  • In the Masking rule dropdown, you select the Secured Masking Rule.
  • When you save the column, Dataverse automatically creates an Attribute Masking Rule in the background.

🧠 What Attribute Masking Rule Actually Does

  • Maps a specific column (attribute) to a specific Secured Masking Rule.
  • Ensures that whenever this column is displayed for users with masked access, the selected rule is applied.
  • Is stored as a separate component in the solution so that masking configuration moves correctly between environments.

📌 Key Points to Remember

  • You don’t usually create Attribute Masking Rules manually; they are generated when you assign a masking rule to a secured column.
  • Secured Masking Rule = how to mask (regex + mask character).
  • Attribute Masking Rule = where to mask (which column uses that rule).
  • Both appear in the solution export so that masking behavior is fully portable across environments.

Column Security vs Masking Rules - Key Differences

Feature Column Security Masking Rules
Visibility Control Allows/denies reading, updating, creating values Shows masked version of data
Regex Based Masking ❌ No ✔ Yes
Environment Requirement Supported everywhere Managed Only
Best For Security & access control Privacy & data masking

Conclusion

Column Security and Masking Rules provide powerful, flexible options for protecting sensitive data in Dataverse. While column security is available in all environments, masking rules are exclusive to Managed Environments. Combining both gives you complete control over data visibility and compliance.

Comments

Post a Comment

Popular posts from this blog

Part 1: Creating Code Apps in Power Apps - A step-by-step guide (with real errors I faced & how I fixed them)

Image
Intro In this post I’ll walk you through how I set up a code-based app for Power Apps (React/Vite front-end + Power Platform CLI for packaging/deployment), the exact errors I ran into, and how I solved them. If you want a hands-on, copy-paste able guide that covers Node versions, pac auth, environment issues, and packaging tips, this is for you. Prerequisites Microsoft 365 account with access to a Power Platform environment Node.js ( 20.19+  recommended LTS) VS Code Install power platform tools extension in VS Code. Steps: Step 1 : Open Visual Studio Code and launch the integrated terminal. Step 2: In the terminal, run the following commands one by one.   mkdir D:\CodeApps - Force cd D:\CodeApps npm create vite @latest myfirstapp -- -- template react - ts cd D:\CodeApps\myfirstapp npm install Initially, I ran the command: npm create vite@latest MyFirstApp -- --template react-ts This gave the error: Invalid package.json name The issue was caused because package...
Read more

Calling Microsoft Graph API from Power Automate Using Azure App Services – Step-by-Step Guide

Image
Step 1: You should have an Azure subscription, or if you have access to the Microsoft Entra Admin Center, you can create an app from there. This app can then be used in Power Automate to connect to Microsoft Graph API. Step 2: Click on "New registration" , provide a name for your app, assign the required API permissions (such as Microsoft Graph permissions), and then click "Register" to complete the app registration process. Step 3: After registration, you'll be redirected to the app's overview page. From there, navigate to the API permissions tab and click "Add a permission" to assign the necessary Microsoft Graph API permissions. Step 4: Select Microsoft Graph as the API, and based on your requirements, choose the appropriate permissions. In my case, I selected Application permissions , which do not require user sign-in and are suitable for background services or automation. Step 5: Select the required Microsoft Graph API permissions. Yo...
Read more

Step-by-Step Guide: Power Automate Custom Connector Using Graph API from Azure App Service

Image
Step 1: Open Power Automate, navigate to the Custom Connectors tab, and select Create from blank as shown in the image below. custom connector(click image for better resolution) Step 2: In the General tab, upload an icon (less than 1MB), add a description, select the correct scheme (in my case, HTTPS ), and provide the host name. For example, if your API URL is https://graph.microsoft.com/v1.0/users/{email} , the host name will be the highlighted part — graph.microsoft.com . Step 3: Go to the Security tab. Here, you need to select the authentication method. Choose OAuth 2.0 as the authentication type, as shown in the image below. Step 4: Select the Identity Provider as Azure Active Directory . Check the box Enable Service Principal Support . This option allows you to create a connection using a Client ID and Client Secret instead of using the user's own authentication. Next, provide the Client ID , Client Secret , Tenant ID , and other required details as shown in t...
Read more