Scary, dangerous, creepy tools 😱😬

…am I hacking your system?

There are a bunch of completely awesome and can’t-live-without tools. Most are created by the community, like me.

These tools can break your system. Completely.

“Are these tools even legal??”

Too often, I’ve heard CTOs and others say that these tools should be stopped! Either by thoroughly educating all users not to use them or simply by blocking these crazy tools on their computers.

From our perspective, as consultants, my colleague Johan at CRMK said during our Summer Party a few days ago that he and other colleagues just try to hush up questions about these available tools. How would we answer our customers when we had to give our official advice?

I will try to explain it to everyone, not just Johan. I have heard too many people being scared about tools. Relax, folks, and read on…

Potentially disaster tools

Here are just a few examples of tools that could break the system, show too much data, run it at someone else, etc.

Drilling into data

It’s common to believe that normal users can only access data tables that are included in the application, either Model Driven Apps or Canvas Apps. But that’s simply not true – not by hacking login, not by going into the apps from another angle.

FetchXML Builder by Jonas Rapp and SQL 4 CDS by Mark Carrington

These tools can read any and all information in the database, including tables we don’t even know exist. They can also see things users should not be able to see, using advanced relationships that literally don’t exist. But you can do that.

Changing user settings

Users can usually be edited by their own settings. There is nothing strange about that. But what if you could change settings for someone else? That could be a bad, right?

User Settings Utility by MscrmTools

This tool can open even more features than what we can find in the UI. We can also bulk edit settings, for any users. That could really be a disaster!

Being God of the user interface

Hacky people can disable the logic in the browser, usually by stopping or changing JavaScript. There are other ways to do it, but yes, you need to know a bit about code to do it. What could you do? Make the required field not required if we don’t know the last name of a contact; skip validation of the social security number if we don’t have all the digits; show fields that I’m not allowed to see…

Level up for Dynamics 365/Power Apps by Natraj Yegnaraman

Now we don’t need to know JavaScript… The Level Up can do almost anything with just a click.

God Mode

This is probably the feature that people are scared about. With one click, all fields will be shown, no fields will now be required, and no more read-only fields. That feature CAN’T be legal, right?!

All Fields

The developers design which fields will be shown on the form in the model-driven app. This feature just shows everything: the data for all available fields. Wow.

Impersonate

I know this is a crime, to impersonate, at least if you do it to a police officer. Okay, so this IS illegal. Correct?

Incorrect. This feature was actually created by Microsoft, we can do it. But be careful, please.

Changing data in any column

We know that we can only edit values available in the form. How would we edit columns we can’t even see?

Bulk Data Updater by Jonas Rapp

I’ve created another tool that can get information, just like FetchXML Builder, but also update data in any and all columns. Okay, this is pretty scary if I’m the CTO.

Modifying Environment Variables

Environment Variables can design how the system works. Only your imagination is the limit of how they can be used. Note that in normal cases, you can not see them anywhere in the system; they are only used by code-first and low-code.

Environment Variables Manager by MscrmTools

This tool allows me to read all Environment Variables, seeing both the default value and the local value. And guess what — we can edit the values too.

Can they break your system?

Hackers

Companies now and then recruit really good hackers to try to Hack The System. When they find loopholes in the security, the developers adjust and improve the systems.

In our technology area, Power Platform / Dynamics 365, we don’t need to find hackers — the tools mentioned above and many many more will, for free, focus on areas where you think the client side can be related to security.

Litmus Test

From my perspective, these tools can do more than what is delivered by Microsoft and third parties is a litmus test. When I or any random user can find more information than they should be able to — that IS a great litmus test!

Solve The Problem

If users access more than they should, the answer is in one word, the most important:

Security Role

Well, that’s two words. But this is the primary topic that you really need to know and understand.

Security Roles are not just a simple matrix; they have more dimensions. Words related to this technology: users, tables, business units, teams, access mask, organization, combination roles, sharing, apply, apply to, owner, assign…

If you don’t know everything about this, go study at Microsoft Learn Training: Get started with security roles in Dataverse.

Client-side is not related to any secure technology

Don’t mix up the Security Role with anything related to client-side logic.

What can be implemented on the client side? Business Rules, Business Processes, JavaScript, and TypeScript. (Is there anything else? Please help me add to this list.) These technologies can be omitted, quite easily. See above…

If you have any important information regarding the data you are storing, always AWAYS implement validation, completing, etc., on the server side. I know, I know, server-side can be hacked, too, probably, but that’s so much more harder, and it IS more secure.

Low-code on the server-side

Soon, we will be able to implement low-code on the server side by using Low-code Plugins written with Power Fx. It has been in a preview for a long time, and now and then, they change it a bit, but it will get General Availability soon (or at the fullness of time…)