Security, Compliance & ALM – Why Nevermore Doesn’t Just Hand Out System Admin (Xmas Addition)

You can have the nicest apps, the slickest pipelines, and the best solution strategy in the business—but if everyone’s got full admin rights and no one’s checking who did what, you’re not running ALM. You’re just winging it.

Nevermore Technology realised early that security and compliance need to be baked into ALM from day one, not bolted on after someone accidentally deletes a table in production.

So here’s how they manage it—without grinding innovation to a halt or making the governance team cry.

The Core Principle: Roles Before Rights

Every person who touches Power Platform at Nevermore is assigned a role. Not just a job title—an ALM access role.

Examples include:

• Maker – Canvas App (Dev only)
• App Owner – Model-Driven
• ALM Deployment Manager
• Test Lead – Pre-Prod Access
• Data Steward – Read Only (Prod)

Nobody—and we mean nobody—gets System Admin unless they are literally administering the system. Not even the Head of Digital Transformation. (Especially not them, if we’re honest.)

Managing Access by Environment

Each of Nevermore’s 20 environments (Dev, Test, Pre-Prod, Prod x 5) is secured differently:

Dev Environments

These are where people can play. Makers have full access inside their solution boundaries. Unmanaged solutions only. Shared tables are locked.

Test Environments

Limited access. No editing apps. Only specific users can launch flows or approve pipeline steps.

Pre-Prod

Highly restricted. Only deployment accounts and test coordinators can access apps.

Production

Read-only for almost everyone. Only ALM deployment accounts can deploy solutions. Every action is audited.

Role-Based Security in Apps

It’s not just at the environment level. Nevermore implements role-based forms, views, and business rules inside the model-driven apps themselves.

• HR can only see employee data relevant to their region
• Finance can only view approved submissions, not pending
• Ops teams get access to custom dashboards, but not the tables behind them

They use security roles, field-level security, and custom business logic to ensure people only see what they should—across all 15 model-driven apps and 50+ canvas apps.

More on that here:
Security roles in Dataverse

Admin Centre Lockdown

The Power Platform Admin Centre can be a dangerous place. That’s why Nevermore:

• Limits environment creation to the ALM governance team
• Uses Tenant-level DLP policies to block risky connectors (e.g., Twitter, Dropbox, Sendgrid)
• Audits admin actions monthly
• Stores all environment lifecycle decisions in source control and documentation

ALM and Audit Logs

Nevermore integrates ALM activities with Microsoft Purview / Unified Audit Logs. That way, every solution import, app publish, or connector change is recorded.

They also send critical deployment alerts to a Teams channel with the who/what/when details, because “transparency” doesn’t mean “optional.”

Guest Access and External Users

Power Platform makes it easy to invite external users. Nevermore makes it slightly less easy, on purpose.

They allow guest access only in:

• Dev (for co-development)
• Test (for partner testing)

Every guest is tagged, documented, and automatically removed after 30 days unless renewed. Azure AD (sorry, Entra ID) handles access reviews.

Compliance: Not Just for Legal

Nevermore aligns their Power Platform usage with the company’s internal compliance framework:

• Data classification per table and app
• Change management logs for every deployment
• Annual ALM reviews to validate security configuration
• Retention policies to clean up unused apps and environments

This doesn’t just tick boxes—it builds trust with IT, risk, and legal teams, which means fewer blockers, not more.

TL;DR – Governance Is Freedom, Not Bureaucracy

Nevermore’s security and compliance approach means:

• Clear role definitions
• Controlled environment access
• Role-based app design
• Full audit traceability
• No surprises in Production

And most importantly: makers can still make, without compromising the business.

Coming Up: Blog 11 – Lessons Learned from Scaling Power Platform ALM

In our second-to-last post, we’ll reflect on what’s worked, what’s changed, and what Nevermore would do differently if they were starting again.

Spoiler: they didn’t get it right first time. And that’s okay.