Unlocking Governance: How This Product Manager Transformed Security for Citizen Developers
INTERVIEWER
This is one of my absolute favorite questions for product managers, so brace yourself. Uh, what is the most complex system, application, process, or user interaction model you have ever had to personally design?
CANDIDATE
Uh, yeah, absolutely. Um, so, in my, my, my current role is that, uh, I own the governance policy space for, uh, this Microsoft product called Power Platform, and Power Platform,
INTERVIEWER
Hold on a second, time out, time out. You own Power Platform governance.
CANDIDATE
Yeah, governance policy space. Got it. OK I do, yeah, I do.
INTERVIEWER
Me, me, me, me and power flow, uh, we have disagreements about how that's implemented, but that's, we can have that discussion later.
CANDIDATE
Oh, really? Yeah, like anything about data loss prevention, I'm here to answer your questions. Uh, so yeah, I, I own, um, governance policies for our platform, and, uh, I, I'll assume you don't know much about our platform because most interviews may not. Um, so Power Platform is a low code, no code, uh, suite of products. So we have products like, uh, Power Apps which allows, um, any, any citizen developer, any business user to, to spin up an app, uh, without having any code experience, coding experience. And similarly, we have products that allow citizen developers to build AI chatbots and RPA automations, you name it. And so my role is to provide security professionals with, uh, controls which, uh, with which they can, uh, prevent data exfiltration. And, um, those controls naturally, they get enforced on, on the app or the automation that the developer is building, OK? So, uh, that's, that's, that's how policy works, um, in a nutshell. And so there are a few different components, uh, that comes as part of this. Um, I, I think it would be helpful for me to draw something out. So I'm going to draw it on a piece of paper, and then I'm going to, uh, take a photo and send it to you if that's, if that's.
INTERVIEWER
Yeah, sure, you can send it in the, uh, the chat here.
CANDIDATE
OK, great. So, as I said, there is, um, I'll, I'll start with the UI, OK? I'll, I'll start with the UI flow, and then I'll go into like the API layer and the database that supports, um, so we have, uh, an admin center for security professionals to go in and create policies, OK? The policy can say that, uh, hey, I want, uh, like we have a connector ecosystem within our platform. Connector is basically a UI wrapper on top of a public service API, like, for example, Facebook, um, or, uh, or any Microsoft product. And what connectors do is, um, they give application developers the ability to use multiple data sources together within, uh, within an app or a, uh, or an automation without having to code the API call, they can just use like a UI button and drop down to call these actions. And so, uh, one of the policies could be to block a specific connector. Like they may want to block, uh, Facebook connector, for example, or they may want to say that, hey, I want to allow my developers and my organization to use the Facebook connector, but not with my business connectors. So those are some different policies that, uh, an admin can create, OK? So they go into admin center and they create a policy. And what happens is that policy gets enforced in two scenarios. One scenario is when a developer is building an app, and remember, this is a citizen developer, he's not coding, he's just using like drag and drop widgets, and then he, uh, he tries to use a blocked connector, um. And what happens is, um, he gets an error message that says that you're violating your organization's data loss prevention policies, OK? So this is the developer within like, let's say Power Apps. Now, another scenario that can happen is that a policy is edited, and now an existing app or an existing automation is now not compliant with, um, the company's policies anymore, OK?
So what that means is that the, the developer has already built an app, but now when a user tries to launch it, uh, it shouldn't launch anymore because now it violates with the company's DLP policies. Does that make sense? It's, it's a complicated space. I want to make sure.
INTERVIEWER
I understand.
CANDIDATE
OK, great. So that's the UI. Now what we need for this is, um, so there are a few different, um, uh, uh, so, so, so when we go into the, uh, API layer, what we need is basically a policy evaluation library, OK? So this is UI. OK, I'm just going to hold it like this instead of taking a photo if you can see it. I don't know if it's, uh, inverting it on the camera. Yeah, that's fine. Yeah. OK, so there are a few components that interact with each other to, to make this happen. Now there is a policy SDK, which is basically an evaluation library. And what it does is it takes all the connectors and different metadata of like what's used within an app. Um, it evaluates it against a set of policies that are created by a security professional within that organization, and then it, uh, it gives out three things. A is the app or automation in violation. B is, uh, what are the policies that are being violated. And C, what are the connectors, what are the connector actions, and what are the endpoints, yada yada, that are violated, OK? So you need a policy evaluation library which takes in connector metadata, and also like what are the connect, like, not just connector IDs but more granular, like what are the connector actions, endpoints, so on and so forth, OK. And it gives out, is there a DLP violation? Yes, no? And then what are the policies that are violated, so that it can be surfaced in the error message, as well as what are, uh, the connector actions or connectors, etc. that are violated. OK? Makes sense so far? Yup. Now, like I said, um, the enforcement happens, um, in, in two scenarios, right? So, uh, the policy evaluation library has to speak to two different components. For the scenario of an existing app going into, uh, while, actually, I'll talk, I'll, I'll start with the scenario of a new app going into, uh, violation. Um, when a new app, when a connector is added in that new app, OK, um, and, and this is on the client side. Uh, the client has to, uh, get, uh, so.
Sorry, just one second. Uh, yeah, so the client has to pass on, as I mentioned, two information, OK? Uh, so if you can see this, this is the policy evaluation library, and the client has to pass on the connector method connect connector information that the app is using. It also has to pass what are the policies within the organization to the policy evaluation library, because the policy evaluation library does not have that, uh, data in its layer, OK? So it has to get it from somewhere. And so, uh, the client actually speaks to the policy data store. And it sends to the, uh, policy evaluation library both, um, the policy information for that customer, as well as, uh, uh, the connectors that are being used in that app or automation. So let's call this component that is sending everything as the studio because the studio is where, uh, the developer is developing the system. Um, and then, uh, when there is a violation, the, like, you know, the policy evaluation library then speaks back to the studio, and, uh, it, it, it tells the studio that there is a violation, and I, I told you what the three components of that, uh, of what the pool, uh, policy evaluation library sends back. Now, the other part, as I mentioned, is when an existing app is violated, right? So this is during an app launch, that is when the end user who's using the app, not the developer, should get an error. And so for that, there is another component called, it, it's called Power Apps RP. It's basically a management plan, which, uh, like every time an app is launched, an app is saved, or any such action is made, uh, Power Apps RP is the, uh, it, it, it's like a collection of web rules that are called. And so here Power Apps RP, uh, service makes a call to, um, the policy evaluation library. Uh, actually, in this case, what happens is, since Power Apps RP is not, it's not at the client's side, it can, it can keep a cache of the, uh, existing policies.
So it doesn't have to, um, uh, and it can also keep a cache of whether the policy is, whether a given policy is violated or not, uh, for, for an app that is already built. So, it's not something that is calculated as the user launches the app, but that information is already in the cache as to what are the, uh, you know, policies and if a policy is violated or not, so that it is, that information is ready as a user chooses to launch an app. Does that make sense? Mhm. OK. So Power Apps RP has a cache. Uh, there is an asynchronous, I think we have like a 10 minute or a 5-minute job that runs every now and then to collect the latest policy rules, um, and, and, and evaluate it. And every time a user launches an app, uh, it, it checks for, uh, whether there's a DLP violation and throws a DLP violation error. So that's, that's how data loss prevention, uh, works in a nutshell. Uh, do you have any questions for me?
INTERVIEWER
So which of these were you specifically responsible for designing?
CANDIDATE
The policy, so, so the policy evaluation library, uh, and the way it works with different, uh, interacts with different layers and specifically within the policy evaluation library, um, how would admins create, uh, you know, different rules and, uh, uh. Yeah. How would, how would admins create different policies? Because we have various features within the Power Platform admin center where an admin can go and create policies. So, uh, yeah.
INTERVIEWER
OK, I'm gonna go, normally I script out my questions because it makes it easier for me to take notes, but I'm gonna go off script and I'm gonna ask you a product-based question based on my knowledge of how your, your platform works because it is an area of high frustration for me. So I'm curious now for you to answer as a product manager accepting input from a customer. That's, that's kind of the point here, since you own the, the governance and policy, OK? So, the, uh, the Excel connector allows for the connection to, uh, from, from a power flow, uh, layout or whatever, whatever they call it a flow to connect out to an Excel document and get data or do whatever, right, interact with that, that document. Um, and if you try to, uh, do multiple actions against that Excel file, it is using the same connector, though each connection is instantiated as a different connection. As such, given the complexity of the flow that I had designed, which had parallel paths that were code that would never ever ever execute within the same flow because they were parallel paths, right? They were, uh, you know, and if then that it just it couldn't go in both both paths. Unfortunately, all of those connections added up over time, right, to the point where there was something like 48 connections to a single file, which apparently the Excel connector does not like. Please don't do that, it's going to break me, right? But from a, from a governance point of view, right, do you view it as your responsibility to also highlight to the customer where they might be doing things that are gonna create performance bottlenecks or performance problems that, uh, need to be surfaced because this, this specific bug, and I actually got a call from the engineering team because of something I posted online because they wanted to understand what I was doing and then I spent an hour and a half with your engineering team walking them through what was going on and they realized, oh, oops, right?
But, but what is, where is the responsibility for Because you know, you, you have a low code environment. This is kind of a rambling question. You have a low code environment, so you have non-developer customers who are trying to do things. When things break or they don't work and they don't work with good error messages, which is what happened here, it is unclear what's happening. So, where do you view your job as the, the, the purveyor of governance ending and the designer of the connector being responsible for it doesn't work as intended.
CANDIDATE
Yeah, absolutely. So, uh, within governance, we have a few different areas. Like I said, I own the policy area, which means that we allow admins to create, like, you know, policies, data loss prevention. So, the intent is to prevent data exfiltration, um, uh, either intended or unintended data exfiltration from within an organization's boundary. Um, so this particular example that you quoted, um, it, it sounds like more of, like, you know, within an app or a flow, like what, what are the best practices of how a developer should, uh, like, you know, what would the, like if we had a center of excellence, what would be the best practice guidance, um, in terms of, uh, how to build a hygienic app or a flow, right? So that is something that's not under my purview, uh, but as far as policy implementation is concerned and how that policy is enforced on, uh, on the Power Automate side or on the Power Apps side, and the error message that should surface, that is definitely something that like I actually write the functional spec for how the error message should surface on the app and flow side,
INTERVIEWER
but only for the error messages that pertain to misuse of the connector, not the connector behaving in a way that is unintended.
CANDIDATE
Correct, correct. Misuse of the connector as defined by a security professional.
INTERVIEWER
Got it. OK.
Expert Assessment
Interviewer assessment - would be used in a hiring meeting
Candidate unquestionably has ability to Dive Deep. The depth of the discussion in this answer block was level appropriate and addressed major points. The candidate did not exhibit high level ability to communicate complex topics effectively as the answer was overly long and did not get to the point fast enough. This is a job maturity issue and should not detract from the capabilities of the candidate in this regard.