Merge remote-tracking branch 'origin/main' into matp-3434990

Mattp123 · Mattp123 · commit 27e7f1d23109 · 2023-06-06T13:29:47.000-07:00
diff --git a/powerapps-docs/developer/data-platform/security-sharing-assigning.md b/powerapps-docs/developer/data-platform/security-sharing-assigning.md
@@ -1,7 +1,7 @@
 ---
 title: "Sharing and assigning (Microsoft Dataverse) | Microsoft Docs" # Intent and product brand in a unique string of 43-59 chars including spaces
 description: "Learn about the security that applies to sharing and assigning records." # 115-145 characters including spaces. This abstract displays in the search result.
-ms.date: 08/22/2022
+ms.date: 06/06/2023
 ms.reviewer: pehecke
 ms.topic: article
 author: paulliew # GitHub ID
@@ -14,12 +14,12 @@ search.audienceType:
 
 [!INCLUDE[cc-terminology](includes/cc-terminology.md)]
 
-In this article we will look at the security access when sharing and assigning records.
+In this article, we'll look at security access when sharing and assigning records.
 
 ## Sharing records
 
 Sharing lets users give other users or teams access to specific customer
-information. This is useful for sharing information with users in roles that
+information. Sharing records is useful for sharing information with users in roles that
 have only the **Basic** access level. For example, in an organization that gives
 salespeople **Basic** read and write access to accounts, a salesperson can share an
 opportunity with another salesperson so that they can both track the progress of
@@ -33,26 +33,181 @@ specific access rights, and they might also be on a team in which the same
 record is shared with different access rights. In this case, the access rights
 that this user has on the record are the union of all the rights.
 
-When you share a record with another user using the `GrantAccess` message (<xref:Microsoft.Dynamics.CRM.GrantAccess> action, <xref:Microsoft.Crm.Sdk.Messages.GrantAccessRequest> class), or modify access using the `ModifyAccess` message (<xref:Microsoft.Dynamics.CRM.ModifyAccess> action, <xref:Microsoft.Crm.Sdk.Messages.ModifyAccessRequest> class), you must indicate what access rights you want to
-grant to the other user. Access rights on a shared record can be different for
-each user with whom the record is shared. However, you cannot give a user any
-rights that they would not have for that type of table, based on the role
-assigned to that user. For example, if a user does not have **Read** privileges on
-accounts and you share an account with that user, the user will be unable to see
+When you share a record with another user using the `GrantAccess` message, you must indicate what access rights you want to
+grant to the other user. To modify the access of a shared record, use the `ModifyAccess` message. Access rights on a shared record can be different for each user with whom the record is shared. However, you can't give a user any
+rights that they wouldn't have for that type of table, based on the role
+assigned to that user. For example, if a user doesn't have **Read** privileges on
+accounts and you share an account with that user, the user is unable to see
 that account.
 
-### Sharing and inheritance
+### GrantAccess example
+
+These examples show the use of the `GrantAccess` message to share a record with another principal.
+
+#### [SDK for .NET](#tab/sdk)
+
+The following `ShareRecord` static method shows how to use the [PrincipalAccess Class](xref:Microsoft.Crm.Sdk.Messages.PrincipalAccess) to specify a reference to a principal (user, team, or organization) with a set of [AccessRights](xref:Microsoft.Crm.Sdk.Messages.AccessRights) that contain the rights that to be granted to the principal.
+
+```csharp
+/// <summary>
+/// Shares a record with a principal
+/// </summary>
+/// <param name="service">Authenticated client implementing the IOrganizationService interface</param>
+/// <param name="principal">The user, team, or organization to share the record with.</param>
+/// <param name="access">The access rights to grant</param>
+/// <param name="record">The record to share</param>
+static void ShareRecord(
+   IOrganizationService service,
+   EntityReference principal,
+   AccessRights access,
+   EntityReference record)
+{
+
+   PrincipalAccess principalAccess = new()
+   {
+         AccessMask = access,
+         Principal = principal
+   };
+
+   GrantAccessRequest request = new()
+   {
+         PrincipalAccess = principalAccess,
+         Target = record
+   };
+
+   service.Execute(request);
+}
+```
+
+#### [Web API](#tab/webapi)
+
+The following example shows the use of the [GrantAccess Action](xref:Microsoft.Dynamics.CRM.GrantAccess) using the [PrincipalAccess ComplexType](xref:Microsoft.Dynamics.CRM.PrincipalAccess) to specify the principal (user, team, or organization) and level of access to grant using the values in the [AccessRights EnumType](xref:Microsoft.Dynamics.CRM.AccessRights).
+
+**Request**
+
+```http
+POST [Organization Uri]/api/data/v9.2/GrantAccess
+OData-MaxVersion: 4.0
+OData-Version: 4.0
+If-None-Match: null
+Accept: application/json
+Content-Type: application/json; charset=utf-8
+Content-Length: 361
+
+{
+  "Target": {
+    "accountid": "e41ac31a-dcdf-ed11-a7c7-000d3a993550",
+    "@odata.type": "Microsoft.Dynamics.CRM.account"
+  },
+  "PrincipalAccess": {
+    "AccessMask": "WriteAccess, DeleteAccess",
+    "Principal": {
+      "systemuserid": "7761da90-2383-e911-a962-000d3a13c05d",
+      "@odata.type": "Microsoft.Dynamics.CRM.systemuser"
+    }
+  }
+}
+```
+
+**Response**
+
+```http
+HTTP/1.1 204 NoContent
+OData-Version: 4.0
+```
+
+---
+
+### ModifyAccess example
+
+These examples show the use of the `ModifyAccess` message to change the access granted to a principal for a shared record.
+
+#### [SDK for .NET](#tab/sdk)
+
+The following `ModifyShare` static method shows how to use the [PrincipalAccess Class](xref:Microsoft.Crm.Sdk.Messages.PrincipalAccess) to specify a reference to a principal (user, team, or organization) with a set of [AccessRights](xref:Microsoft.Crm.Sdk.Messages.AccessRights) that contain the rights that will be modified for the principal.
+
+```csharp
+/// <summary>
+/// Modifies the access to a shared record.
+/// </summary>
+/// <param name="service">Authenticated client implementing the IOrganizationService interface</param>
+/// <param name="principal">The user, team, or organization to modify rights to the shared.</param>
+/// <param name="access">The access rights to modify</param>
+/// <param name="record">The shared record</param>
+static void ModifyShare(
+   IOrganizationService service,
+   EntityReference principal,
+   AccessRights access,
+   EntityReference record)
+{
+   PrincipalAccess principalAccess = new()
+   {
+         AccessMask = access,
+         Principal = principal
+   };
+
+   ModifyAccessRequest request = new()
+   {
+
+         PrincipalAccess = principalAccess,
+         Target = record
+   };
+
+   service.Execute(request);
+}
+```
+
+#### [Web API](#tab/webapi)
+
+The following example shows the use of the [ModifyAccess Action](xref:Microsoft.Dynamics.CRM.ModifyAccess) using the [PrincipalAccess ComplexType](xref:Microsoft.Dynamics.CRM.PrincipalAccess) to specify the principal (user, team, or organization) and level of access to modify using the values in the [AccessRights EnumType](xref:Microsoft.Dynamics.CRM.AccessRights).
+
+**Request**
+
+```http
+POST [Organization Uri]/api/data/v9.2/ModifyAccess
+OData-MaxVersion: 4.0
+OData-Version: 4.0
+If-None-Match: null
+Accept: application/json
+Content-Type: application/json; charset=utf-8
+Content-Length: 388
+
+{
+  "Target": {
+    "accountid": "e41ac31a-dcdf-ed11-a7c7-000d3a993550",
+    "@odata.type": "Microsoft.Dynamics.CRM.account"
+  },
+  "PrincipalAccess": {
+    "AccessMask": "WriteAccess, DeleteAccess, ShareAccess, AssignAccess",
+    "Principal": {
+      "systemuserid": "7761da90-2383-e911-a962-000d3a13c05d",
+      "@odata.type": "Microsoft.Dynamics.CRM.systemuser"
+    }
+  }
+}
+```
+
+**Response**
+
+```http
+HTTP/1.1 204 NoContent
+OData-Version: 4.0
+```
+
+---
+
+## Sharing and inheritance
 
 If a record is created and the parent record has certain sharing properties, the
 new record inherits those properties. For example, Joe and Mike are working on a
 high priority lead. Joe creates a new lead and two activities, shares the lead
 with Mike, and selects cascade sharing. Mike makes a telephone call and sends an
 email regarding the new lead. Joe sees that Mike has contacted the company two
-times, so Joe does not make another call.
+times, so Joe doesn't make another call.
 
 Sharing is maintained on individual records. A record inherits the sharing
 properties from its parent and maintains its own sharing properties. Therefore,
-a record can have two sets of sharing properties — one that it has on its own, and
+a record can have two sets of sharing properties—one that it has on its own, and
 one that it inherits from its parent.
 
 Removing the share of a parent record removes the sharing properties of objects
@@ -64,24 +219,91 @@ from the parent record.
 ## Assigning records
 
 Anyone with **Assign** access rights on a record can assign that record to
-another user. When a record is assigned, the new user or team becomes the owner
-of the record and its related records. The original user or team loses ownership
+another user. To assign a record, change the `ownerid` lookup value to refer to a new principal.
+
+> [!NOTE]
+> The SDK has an [AssignRequest class](xref:Microsoft.Crm.Sdk.Messages.AssignRequest) that is deprecated. More information: [Legacy update messages](org-service/entity-operations-update-delete.md#legacy-update-messages)
+
+When a record is assigned, the new user, team or organization becomes the owner
+of the record and its related records. The original user, team or organization loses ownership
 of the record, but automatically shares it with the new owner.
 
 In Microsoft Dataverse, the system administrator can decide for an organization
 whether records should be shared with previous owners or not after the assign
 operation. If **Share reassigned records with original owner** is selected (see **System Settings** > **General**), then the previous owner
 shares the record with all access rights after the assign operation. Otherwise,
-the previous owner does not share the record and may not have access to the
+the previous owner doesn't share the record and may not have access to the
 record, depending on their privileges. The Organization table's
 [ShareToPreviousOwnerOnAssign](reference/entities/organization.md#sharetopreviousowneronassign-choicesoptions) column controls this setting.
 
 > [!NOTE]
-> The [Appointment table](reference/entities/appointment.md) has special logic which is used when an appointment is assigned to another user. If the current owner is still a participant such as the organizer or an attendee, the appointment record is shared with this user when the appointment is reassigned. This behavior occurs even if the **Share reassigned records with original owner** setting is disabled. Because the appointment may be shared with the previous owner, the user assigning the meeting requires both the **Assign** and **Share** access rights on the record.
+> The [Appointment table](reference/entities/appointment.md) has special logic when an appointment is assigned to another user. If the current owner is still a participant, such as the organizer or an attendee, the appointment record is shared with this user when the appointment is reassigned. This behavior occurs even if the **Share reassigned records with original owner** setting is disabled. Because the appointment may be shared with the previous owner, the user assigning the meeting requires both the **Assign** and **Share** access rights on the record.
 
 ## Revoking access
 
-As the owner of a record, you can revoke (remove) user access to your shared record. To do so, use the `RevokeAccess` message (<xref:Microsoft.Dynamics.CRM.RevokeAccess> action, <xref:Microsoft.Crm.Sdk.Messages.RevokeAccessRequest> class).
+The owner of the record can use the `RevokeAccess` message to revoke (remove) user access to the shared record.
+
+### [SDK for .NET](#tab/sdk)
+
+The following `RevokeShare` static method shows how to remove sharing access for a user to a record using the [RevokeAccessRequest Class](xref:Microsoft.Crm.Sdk.Messages.RevokeAccessRequest).
+
+```csharp
+/// <summary>
+/// Revokes access to a shared record.
+/// </summary>
+/// <param name="service">Authenticated client implementing the IOrganizationService interface</param>
+/// <param name="principal">The user, team, or organization to revoke rights to the shared record.</param>
+/// <param name="record">The shared record</param>
+static void RevokeShare(
+   IOrganizationService service,
+   EntityReference principal,
+   EntityReference record)
+{
+   RevokeAccessRequest request = new()
+   {
+         Revokee = principal,
+         Target = record
+   };
+
+   service.Execute(request);
+}
+```
+
+### [Web API](#tab/webapi)
+
+The following example shows how to use the [RevokeAccess Action](xref:Microsoft.Dynamics.CRM.RevokeAccess) to remove sharing access for a user to a record. In this example, a user is the `Revokee`, and an account record is the `Target`.
+
+**Request**
+
+```http
+POST [Organization Uri]/api/data/v9.2/RevokeAccess
+OData-MaxVersion: 4.0
+OData-Version: 4.0
+If-None-Match: null
+Accept: application/json
+Content-Type: application/json; charset=utf-8
+Content-Length: 274
+
+{
+  "Target": {
+    "accountid": "e41ac31a-dcdf-ed11-a7c7-000d3a993550",
+    "@odata.type": "Microsoft.Dynamics.CRM.account"
+  },
+  "Revokee": {
+    "systemuserid": "7761da90-2383-e911-a962-000d3a13c05d",
+    "@odata.type": "Microsoft.Dynamics.CRM.systemuser"
+  }
+}
+```
+
+**Response**
+
+```http
+HTTP/1.1 204 NoContent
+OData-Version: 4.0
+```
+
+---
 
 More information: [Shared access](/power-platform/admin/how-record-access-determined#shared-access.md)
 
diff --git a/powerapps-docs/maker/data-platform/azure-synapse-link-synapse.md b/powerapps-docs/maker/data-platform/azure-synapse-link-synapse.md
@@ -2,7 +2,7 @@
 title: "Create an Azure Synapse Link for Dataverse with your Azure Synapse Workspace | MicrosoftDocs"
 description: "Learn how to export table data to Azure Synapse Analytics in Power Apps"
 ms.custom: ""
-ms.date: 02/23/2023
+ms.date: 06/06/2023
 ms.reviewer: "Mattp123"
 ms.suite: ""
 ms.tgt_pltfrm: ""
@@ -134,7 +134,8 @@ After creating an Azure Synapse Link, two versions of the table data will be syn
 - Snapshot data: Provides a read-only copy of near real-time data that is updated at regular intervals (in this case every hour).  
 
 > [!NOTE]
-> For empty table data and metadata table, only near real-time data is created.
+> For empty table data and metadata tables, only near real-time data is created.
+> To create read-only snapshot data, ensure that the **Permitted scope for copy operations** setting is configured to **From any storage account**. More information: [Configure the permitted scope for copy operations]( /azure/storage/common/security-restrict-copy-operations?tabs=portal#configure-the-permitted-scope-for-copy-operations-preview)
 
 1. Select the desired Azure Synapse Link, and then select the **Go to Azure Synapse Analytics workspace** from the top panel.
 1. Expand **Lake Databases** from the left panel, select **dataverse**-*environmentName*-*organizationUniqueName*, and then expand **Tables**.
