You can have the nicest apps, the slickest pipelines, and the best solution strategy in the business—but if everyone’s got full admin rights and no one’s checking who did what, you’re not running ALM. You’re just winging it.
Nevermore Technology realised early that security and compliance need to be baked into ALM from day one, not bolted on after someone accidentally deletes a table in production.
So here’s how they manage it—without grinding innovation to a halt or making the governance team cry.
Every person who touches Power Platform at Nevermore is assigned a role. Not just a job title—an ALM access role.
Examples include:
Nobody—and we mean nobody—gets System Admin unless they are literally administering the system. Not even the Head of Digital Transformation. (Especially not them, if we’re honest.)
Each of Nevermore’s 20 environments (Dev, Test, Pre-Prod, Prod x 5) is secured differently:
These are where people can play. Makers have full access inside their solution boundaries. Unmanaged solutions only. Shared tables are locked.
Limited access. No editing apps. Only specific users can launch flows or approve pipeline steps.
Highly restricted. Only deployment accounts and test coordinators can access apps.
Read-only for almost everyone. Only ALM deployment accounts can deploy solutions. Every action is audited.
It’s not just at the environment level. Nevermore implements role-based forms, views, and business rules inside the model-driven apps themselves.
They use security roles, field-level security, and custom business logic to ensure people only see what they should—across all 15 model-driven apps and 50+ canvas apps.
More on that here:
Security roles in Dataverse
The Power Platform Admin Centre can be a dangerous place. That’s why Nevermore:
Nevermore integrates ALM activities with Microsoft Purview / Unified Audit Logs. That way, every solution import, app publish, or connector change is recorded.
They also send critical deployment alerts to a Teams channel with the who/what/when details, because “transparency” doesn’t mean “optional.”
Power Platform makes it easy to invite external users. Nevermore makes it slightly less easy, on purpose.
They allow guest access only in:
Every guest is tagged, documented, and automatically removed after 30 days unless renewed. Azure AD (sorry, Entra ID) handles access reviews.
Nevermore aligns their Power Platform usage with the company’s internal compliance framework:
This doesn’t just tick boxes—it builds trust with IT, risk, and legal teams, which means fewer blockers, not more.
Nevermore’s security and compliance approach means:
And most importantly: makers can still make, without compromising the business.
In our second-to-last post, we’ll reflect on what’s worked, what’s changed, and what Nevermore would do differently if they were starting again.
Spoiler: they didn’t get it right first time. And that’s okay.