As mentioned, our client already had 10,000+ makers and a collection of 30,000 assets deployed globally at the start of the CoE implementation. With an active Power Platform community of this size and complexity, we needed to take a hard look at all of the solutions in production. Which ones are being used? Which ones are orphaned? What sources are they connecting to and who is consuming them? Are we using any premium connectors? Is there external sharing?
As an organization committed to enabling its makers while maintaining a high degree of security and compliance with standards such as SOX, GDPR, HIPAA, and others, it was clear that a complete inventory of the assets was needed and that it was necessary to include the maker community in the process. The Inventory & Attestation App was conceived as a way to a) inventory all of the existing Power Platform apps, flows, and bots in production, b) query the makers on components used and other criteria relating to compliance, and c) quarantine any non-compliant solutions until they can be remediated. With requirements from our client, the Compass365 team built the Inventory & Attestation App using Power Platform and fed the information into the CoE.
The Inventory & Attestation Power App
As previously stated, the Power Platform CoE Starter Kit is a fantastic base set of tools that gives organizations significant flexibility in how they approach governance and compliance. Company X knew how many apps and flows (assets) existed in their tenant. They just didn’t know what the assets did, what they connected to, or what the makers’ intentions were. The company needed to know more than the Starter Kit offered. They needed each asset owner to attest to various governance and compliance factors. Attestation would lead to risk and compliance scores for each asset. These scores would be used to determine whether further action would be taken on a particular asset.
To achieve this goal, we needed to start with the asset data aggregated in the CoE Starter Kit. Early on in this journey, we were wary of modifying any components of the CoE in case future updates to the CoE broke the solution. Therefore, we built a limited mirror of the asset data, populated by a series of Power Automate flows that read CoE data and update the mirror. We then created a robust notification engine to inform users of the requirement to attest to a status, of the pending quarantine of assets, and of other activities based on the status of assets in the limited mirror dataset.
Once makers receive a notification to attest to one or more assets, they are directed to the Inventory & Attestation App. Makers then answer questions about the assets they own. Automation then assigns risk and compliance scores based on the maker’s responses.
A second app built for Power Platform Administrators allows users to take quarantine or restore actions on assets based on status or scoring.
Additional components identified
In addition to the Inventory and Attestation App, we identified the following components to build/modify:
- ALM Accelerator implementation
- Environment request app
- ServiceNow integration
As of today, the foundational CoE is in place from an IT operations and support perspective, but there’s much more to come. Join us for the third and final blog in this blog series, Power Platform Center of Excellence – A Real World Governance Journey Part 3: Sustainment – Nurture Makers and Support Operations.