The Dangerous Gap Between Connector Access and Data Authorisation

A permitted connector does not mean the user or flow should access every operation and record behind it.

1 minute readBy Lucas North

DLP may permit a connector and a connection may authenticate successfully while the resulting access remains excessive. Three green checks can still produce the wrong security outcome.

Authorisation belongs in the target service. Use delegated identity where user context matters and narrowly scoped service identity for background work. Validate resource access at the API or Dataverse layer, not through hidden controls in the app.

Review operations as well as connectors. Reading a customer summary and deleting an account can travel through the same connector.

Platform permission, authentication and data authorisation are separate decisions owned at different layers. Collapsing them is how a convenient integration acquires access nobody intended to grant.

Written by

Lucas North

I build enterprise software and write about the decisions, constraints and failure modes that rarely fit into a product announcement.

More about me →