ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam PL-600 All Questions

View all questions & answers for the PL-600 exam
Go to Exam

Exam PL-600 topic 2 question 33 discussion

Actual exam question from Microsoft's PL-600
Question #: 33
Topic #: 2
[All PL-600 Questions]

HOTSPOT -
You are working with a customer to plan a go-live deployment to their production environment. The solution includes several apps and environment variables. The superuser team manages the production environment that is secured by using a specific environment Azure AD security group.
The following issues have been identified:
✑ The superuser team cannot access make.powerapps.com to open and set the environment variables.
Users are added to the environment Azure AD security group and are not able to access the model-driven app.

✑ Users are added to the environment Azure AD security group and are not able to access the canvas app.
You need to resolve the issues.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: System Customizer -
System Customizer - Has full permission to customize the environment. However, users with this role can only view records for environment entities that they create.
Box 2: Assign the Basic User role.
Can run an app within the environment and perform common tasks for the records that they own.
Note: A user's ability to see and use apps is controlled by sharing the application with the user. Sharing of canvas apps is done directly with a user or Azure AD group but is still subject to Dataverse security roles. Sharing of model-driven apps is done via Dataverse security roles.
Box 3: Add users to an Azure AD Security Group.
Sharing of canvas apps is done directly with a user or Azure AD group but is still subject to Dataverse security roles.
Incorrect:
* Office Collaborator role
Has Read permission to tables where a record from these tables was shared with the organization. Does not have access to any other core and custom table records. This role is assigned to the Office Collaborators owner team and not to an individual user.
Reference:
https://docs.microsoft.com/en-us/power-apps/maker/data-platform/environmentvariables https://docs.microsoft.com/en-us/power-platform/admin/wp-security https://docs.microsoft.com/en-us/power-platform/admin/database-security
by avow at Sept. 11, 2022, 1:21 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
avow
Highly Voted 2 years, 9 months ago
For the third one, the answer is a security role. Because system customizer does not have read permissions the answer must be Service Reader. https://docs.microsoft.com/en-us/power-apps/maker/canvas-apps/share-app
upvoted 8 times
...
petertwilliams
Highly Voted 2 years, 8 months ago
Answers are correct. For the 3rd box, the users are added to the "environment" security group (which is necessary). They then should/could be added to another security group that is share with the app.
upvoted 6 times
...
Hamed64
Most Recent 1 week, 1 day ago
Answers should be "Customizer Role", "Basic Role" and "add users to the superuser team". Explanation: In Power Platform, environment access is controlled by Azure AD security groups, but app access is controlled by security roles and team membership. Even if users are in the Azure AD security group that grants access to the environment, they won’t automatically have access to apps unless they are: Assigned the correct security role, or Added to a team (like the superuser team) that has the necessary permissions. Why the other options are incorrect for canvas app access issue: a. Assign the system customizer role Too broad and powerful for general users; not best practice for app access. b. Assign the service reader role This role is for reading service-related data, not for app access. d. Add users to an Azure AD security group They are already in the group, but that alone doesn’t grant app access.
upvoted 1 times
...
loftuscheek
3 months ago
provided answers are correct : customizer basic AAD
upvoted 1 times
...
jgg
10 months ago
Provided answers are correct: 1. System Customizer 2. Basic User 3. AAD Security Group For the third it says "add users to an azure ad security group". So it could be a separate AAD Group with a related team and inherited security role.
upvoted 2 times
...
MrEz
1 year, 3 months ago
third D: Reason it says "environment Azure AD security group" and it suggest "Azure AD security group" so maybe there are 2 Azure AD security groups? Service reader is so wrong!
upvoted 3 times
...
Sslavko
1 year, 9 months ago
i am not sure this is correct - in the text above it say - "Users are added to the environment azure ad security Group and are not able to access the canvas app" So they are already in a Security Group - so they just need a security role for the canvas app.
upvoted 2 times
...
Acrious
1 year, 11 months ago
For number 3, being added to an environment securiy group does NOT mean they can access a canvas app. They need to be either added themselves or added to a security group that is then add. So the answer are correct
upvoted 3 times
...
Cloudz_1
2 years ago
The pre-established 'Service Reader' security role can no longer be assigned directly to a user. The 'Service Reader' role is endowed with full read permission for all entities, including custom entities. This role is primarily employed by the service and necessitates read access to all entities. However, it cannot be assigned directly to a user or team. The 'Service Reader' role might have been the correct answer in the past, but under current conditions, it no longer is. Despite these changes, there is still a workaround to assign the 'Service Reader' role to a user or team. This can be achieved by creating a duplicate of the 'Service Reader' role and assigning this custom role to the user or team. Given that the 'Service Reader' role cannot be directly assigned to a user or team anymore, I would choose answer D. For more information, you can visit: https://learn.microsoft.com/en-us/power-platform/admin/database-security#predefined-security-roles
upvoted 1 times
...
Coder1
2 years, 1 month ago
third answer appears to be correct " Specify each user by name, or specify a security group in Azure Active Directory (Azure AD). " https://learn.microsoft.com/en-us/power-apps/maker/canvas-apps/share-app
upvoted 1 times
...
dlnuser
2 years, 1 month ago
Agree that 3rd one cannot be "Add users to an Azure AD Security Group" as the question mentions this step is already done. In a real-world scenario, I'd check that 1) the Azure AD Security Group is actually configured for access to the Power Platform environment of the Canvas app, and that 2) users have the appropriate security roles, so I'd say "Assign the Service Reader role" is a more likely answer. The proposed answer would be a 3rd step if both 1) and 2) are done and the issue persists.
upvoted 1 times
...
Skada
2 years, 2 months ago
Answer is 1, 1, 2
upvoted 2 times
...
ArezouDynamics
2 years, 8 months ago
The given answers are correct!
upvoted 1 times
aok95
2 years, 3 months ago
In the blurb it mentions that Users are already added to the AD Security Group. So the step is redundant
upvoted 1 times
...
...
mister_exam
2 years, 9 months ago
The third one should be C; add the users to the superuser security role.
upvoted 1 times
AlRe
2 years, 9 months ago
You should not assign this privileged role to a "regular" user. To access a canvas app it needs to be shared with you. Either with a direct share or (better) by adding you to an AD security group and sharing the app with that group.
upvoted 3 times
TheBinMan
2 years, 9 months ago
I agree with AIRe, a canvas app is shared to a Azure user or AD security group. I disagree with mister_exam, the term superuser secuirty role is to vague. I mean what even is a superuser secuirty role.
upvoted 1 times
...
...
...
avow
2 years, 9 months ago
The third one cannot be correct because these users are already part of the Azure AD group.
upvoted 3 times
rogrod
2 years, 8 months ago
I agree. Third one must be: Service reader role. https://learn.microsoft.com/en-us/power-platform-release-plan/2020wave2/data-platform/new-service-reader-service-writer-security-roles#feature-details
upvoted 5 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel