Adxstudio (on-premises) and Microsoft Portals (online) offer a search feature using OData to query Microsoft Dynamics data. What few people realize is that their data might then be exposed in clear text to the world. Here’s how…
Entity lists can be enabled for OData. When this happens, records from these data sets become public. Anyone with the home URL of your portal can view the records simply by visiting https://my.portal.com/_odata/TestData.
What’s worse – if they travel up one level to https://my.portal.com/_odata and subsequently to https://my.portal.com/_odata/$metadata, they’re now able to see the structure of all your entity lists – including field names.
How can you restrict access to your sensitive data?
Here are three steps, each requiring more effort and imposing tighter restrictions than the last:
- Only enable the OData Feed for entity lists you need
  - Result: The data remain in clear text to the public, but only for enabled entities
- Enable entity permissions for the OData-enabled entity lists and create the necessary entity permission records (e.g. if you enabled the Account entity for OData, enable entity permissions and create an entity permission for the account entity)
  - Result: Only authenticated users will see the data from this entity
- If you have an Adxstudio deployment, you have the additional option of modifying the source code to check if the current portal user is logged in before building the web service’s metadata
  - Result: Only authenticated users will see any metadata for the portal
To add the check from step 3, you’ll need system administrator privileges and some programming experience.
- Open your portal solution in Visual Studio
- Navigate to Portals\Framework\Adxstudio.Xrm\Web\UI\EntityList\OData
- Open the file EntityListODataFeedDataAdapter.cs
- Look for the method GetEdmModel() and add the following code to the beginning of your copy of GetEdmModel()
- Your code should look similar to this, except for the region tags
- Then rebuild your portal solution
- And deploy it to IIS
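To confirm the steps above took effect, you can inspect what your own portal's /_odata/$metadata returns to a visitor who is not signed in. The following Python script is an added example, not part of the original post or of Adxstudio; the function names (local, exposed_fields, fetch_metadata) and the sample metadata document are constructed for illustration.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a $metadata response (not captured from a real portal).
SAMPLE_METADATA = """<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
  <edmx:DataServices>
    <Schema Namespace="Example" xmlns="http://schemas.microsoft.com/ado/2009/11/edm">
      <EntityType Name="TestData">
        <Key><PropertyRef Name="id" /></Key>
        <Property Name="id" Type="Edm.Guid" Nullable="false" />
        <Property Name="emailaddress1" Type="Edm.String" />
      </EntityType>
      <EntityContainer Name="Entities">
        <EntitySet Name="TestData" EntityType="Example.TestData" />
      </EntityContainer>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>"""


def local(tag):
    """Strip the XML namespace so the parser works across CSDL versions."""
    return tag.rsplit("}", 1)[-1]


def exposed_fields(metadata_xml):
    """Return {entity set name: [field names]} disclosed by a $metadata document."""
    root = ET.fromstring(metadata_xml)
    types = {}
    for el in root.iter():
        if local(el.tag) == "EntityType":
            types[el.get("Name")] = [p.get("Name") for p in el if local(p.tag) == "Property"]
    sets = {}
    for el in root.iter():
        if local(el.tag) == "EntitySet":
            type_name = el.get("EntityType", "").rsplit(".", 1)[-1]
            sets[el.get("Name")] = types.get(type_name, [])
    return sets


def fetch_metadata(portal_url):
    """Fetch $metadata with no cookies or credentials, as an anonymous visitor would."""
    with urllib.request.urlopen(portal_url.rstrip("/") + "/_odata/$metadata", timeout=10) as r:
        return r.read()


if __name__ == "__main__":
    for name, fields in exposed_fields(SAMPLE_METADATA).items():
        print(f"{name}: {', '.join(fields)}")
```

Pass the result of fetch_metadata() for your own portal's home URL to exposed_fields(); any entity set it lists is one whose structure the portal still discloses to anonymous visitors.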
Other security measures might be helpful, but these are the fastest and simplest ways to defend your data.