Security is hard, almost as hard as Microsoft docs
The Reg article's link to security roles "Security roles and privileges", https://learn.microsoft.com/en-us/power-platform/admin/security-roles-privileges , doesn't have any information on the Power Pages roles discussed, "anonymous users" and "authenticated users". That link is for Power Platform, and Power Platform is apparently not the same as Power Pages.
From The Reg article: `The problem is that many companies treat the "authenticated user" role as belonging to someone inside the organization and grant permissions accordingly – even for outsiders who register for their websites.`
I wonder where they got that idea? I found a link for Dynamics 365 "Secure your Power Pages", which does discuss those two roles, https://learn.microsoft.com/en-us/dynamics365/guidance/implementation-guide/security-strategy-product-portals , wherein we can read the next gem of a first paragraph. It doesn't explicitly state that authenticated users are internal, but mightily implies it.
From Microsoft: `Power Pages let internal and external users access Dataverse data through external-facing websites. You can expose your data to anyone—that is, to anonymous users—or only to authenticated users. For example, you can create a landing page or a home page that anyone can see, or a page that's only for users in your organization. To secure your Power Pages sites, you need to use authentication and authorization.`
Maybe that's not the link most low code users would find? I found a link for Power Pages "Power Pages security", https://learn.microsoft.com/en-us/power-pages/security/power-pages-security .
From Microsoft: `Authenticated users **can be** (emphasis added) assigned web roles that provide specific access to information on the site. ... Web roles allow users to perform special actions or access protected content and data on the site. Web roles link to users, table permissions, and page permissions. Because users can be assigned multiple web roles, they can get cumulative access to site resources.`
In the unix www, "anonymous users" and "authenticated users" mean roughly the same as how Microsoft intends it. "Authenticated users" doesn't mean all records, it means access is controlled by work **already done**, by a different admin, when the account was previously created. That's a missing step in Microsoft's implementation, and expecting low code users and managers to understand the implications of umask 000 is a bit much (pun intended), when their primary goal is simply to "make it work".
Anyhow, I didn't see any mention of Web roles in The Reg article? A quick scan of "Power Pages security" with the "what will my users think of this" cap on and I conclude: They will run away screaming! From bitter experience with SharePoint, business users and access controls don't mix. This is where I set up a meeting with my boss and they "decide" to let me set perms on the default Web role, assign the employees to a new team Web role, and create a process for my boss to switch people between the roles. Or would do, but wiser heads have prevailed and there are specially trained (thus oxymoronic) low code teams who implement all the details on behalf of the business teams.
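The audit the comment is describing, written out as an added example (not the commenter's code and not anything Microsoft ships): it takes an export of table permissions, computes the cumulative access a user gets from the web roles they hold, and flags Global-scope grants to the default "Authenticated Users" or "Anonymous Users" roles that carry write privileges, then shows those grants being moved onto a separate employee role. The record layout, the sample data and the "Employees" role name are constructed assumptions for the example; the access types and privilege names are the ones Power Pages table permissions use.

```python
"""
Audit a constructed export of Power Pages table permissions for grants that give
every self-registered "Authenticated Users" member broad access.

The TablePermission record layout is an assumption made for this example, not a
documented export format.
"""
from dataclasses import dataclass

ANONYMOUS = "Anonymous Users"
AUTHENTICATED = "Authenticated Users"
DEFAULT_ROLES = {ANONYMOUS, AUTHENTICATED}
WRITE_PRIVS = {"Create", "Write", "Delete"}


@dataclass
class TablePermission:
    table: str
    access_type: str      # "Global", "Contact", "Account", "Self" or "Parent"
    privileges: set       # subset of Read/Write/Create/Delete/Append/AppendTo
    web_roles: set        # web roles this permission is attached to


# Constructed sample export for a fictional site: the "incident" Global grant is
# the kind of mistake the comment describes (authenticated == trusted insider).
SAMPLE_PERMISSIONS = [
    TablePermission("announcement", "Global", {"Read"}, {ANONYMOUS, AUTHENTICATED}),
    TablePermission("contact", "Self", {"Read", "Write"}, {AUTHENTICATED}),
    TablePermission("incident", "Global", {"Read", "Write", "Delete"}, {AUTHENTICATED}),
    TablePermission("incident", "Contact", {"Read", "Create"}, {"Employees"}),
]


def effective_access(perms, user_roles):
    """Per-table union of privileges for a user holding user_roles.

    Web roles are cumulative, so a user in both the default role and an
    employee role gets everything either role grants.
    """
    result = {}
    for p in perms:
        if p.web_roles & set(user_roles):
            result.setdefault(p.table, set()).update(p.privileges)
    return result


def find_overbroad_grants(perms):
    """Flag Global-scope grants to a default role that include any write privilege.

    Returns (table, default roles involved, write privileges granted) tuples.
    """
    findings = []
    for p in perms:
        hit_roles = p.web_roles & DEFAULT_ROLES
        if hit_roles and p.access_type == "Global" and p.privileges & WRITE_PRIVS:
            findings.append((p.table, sorted(hit_roles), sorted(p.privileges & WRITE_PRIVS)))
    return findings


def restrict_to_role(perms, employee_role):
    """Return a copy of perms with every flagged grant moved off the default
    roles and onto employee_role (the assumed name of a team web role)."""
    fixed = []
    for p in perms:
        roles = set(p.web_roles)
        if p.access_type == "Global" and p.privileges & WRITE_PRIVS and roles & DEFAULT_ROLES:
            roles -= DEFAULT_ROLES
            roles.add(employee_role)
        fixed.append(TablePermission(p.table, p.access_type, set(p.privileges), roles))
    return fixed


if __name__ == "__main__":
    for table, roles, privs in find_overbroad_grants(SAMPLE_PERMISSIONS):
        print(f"overbroad: {table} grants {privs} to {roles} at Global scope")
    print("self-registered user sees:", effective_access(SAMPLE_PERMISSIONS, {AUTHENTICATED}))
    fixed = restrict_to_role(SAMPLE_PERMISSIONS, "Employees")
    print("after fix, self-registered user sees:", effective_access(fixed, {AUTHENTICATED}))
```

The point the cumulative-access function makes is that tightening the default role is only half of the process: once employees are moved to their own web role, anyone still holding both roles gets the union, so the role switch the comment's boss would own has to be a move, not an add.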