Adventures with Dataverse: Playing with Security Roles

In a previous post, Adventures with Dataverse: Migrating Microsoft SQL Server Tables to Dataverse Tables – Matt Ruma, I walked through migrating a SQL Database to Microsoft Dataverse.

In this post, I want to look at adding security roles to control access to the Dataverse entities.

The first security role I will create is for the Sales team.

This security role should allow members read-only access to Customers and Addresses and read/write access to their own Sales Orders.

Let’s create the role!

Create security role

Navigate to the Power Platform Admin Center at https://admin.powerplatform.microsoft.com.

Click Environments.

Select the environment you want to create the Security Role in, in my case, it was AdventureWorks - Dev.

Figure 1 – Environment view in Admin Center

Click Security roles.

Click New role.

Set Role Name to AdventureWorks Sales.

Set Business unit to the Default business unit.

Click Save.

Figure 2 – Add new security role for AdventureWorks Sales

Model-driven apps require a set of minimum privileges to run. These minimum privileges are now captured in a security role called App Opener which is in all the environments.

See App Opener: Create custom security roles for your … – Power Platform Community (microsoft.com) for more information.

Before we add access to the custom entities, let’s add the security roles to the solution.

Navigate to the solution, click Objects.

Click Add Existing, then Security and then Security role.

Figure 3 – Add existing security role to solution

Select AdventureWorks Sales and then click Add.

Figure 4 – Select the security role

Just for kicks, I have a Demo User that I tried to access the Model-Driven App with, and not surprisingly, I received an error.

Figure 5 – Error message

Let’s share the Model-Driven App with our user, in my case, Demo User.

Share the app

Navigate to the Model-Driven App in the solution.

Click the ellipsis next to the Model-Driven App and select Share.

Figure 6 – Share Model-Driven App

I first need to assign the AdventureWorks Sales security role to the application by clicking on the Model-Dirven App and selecting the dropdown with the currently assigned roles, usually System Administrator and System Customizer.

Figure 7 – Assign security role to the application

I then search for the Demo User to share it with them, assign them the AdventureWorks Sales security role and click Share.

Figure 8 – Find user and assign security role

Note, if you don’t assign the user a security role the application will not be shared with them, even though you clicked Share.

When I tried to access the app, I still got the error message.

Assign table permissions to the security role

After giving this some thought, the user still doesn’t have any access to the any of the entities the Model-Driven App is using, maybe that is the issue.

The following table describes the table privileges you can grant in a security role. In all cases, which records a privilege applies to depends on the access level of the permission defined in the security role.

PrivilegeDescription
CreateRequired to make a new record
ReadRequired to open a record to view the contents
WriteRequired to make changes to a record
DeleteRequired to permanently remove a record
AppendRequired to associate the current record with another record; for example, if users have Append rights on a note, they can attach the note to an opportunity
In the case of many-to-many relationships, a user must have Append privilege for both tables being associated or disassociated.
Append toRequired to associate a record with the current record; for example, if users have Append To rights on an opportunity, they can add a note to the opportunity
AssignRequired to give ownership of a record to another user
ShareRequired to give access to a record to another user while keeping your own access

Back to the Power Platform Admin Center and the AdventureWorks - Dev Environment.

Under Access, select See all under Security roles.

Set Display only parent security roles to Off, locate the AdventureWorks Sales security role and select it.

Set the Tables dropdown to Show all tables.

Search for SalesLT Customer and then set Read to Organization.

Repeat for SalesLT Address.

Figure 9 – Assign read permissions for custom entities

Refresh the Model-Driven App for the Demo User, and that seemed to fixed the issue!

Figure 10 – Demo User can now access the Model-Driven App

Notice it only shows entities the user has access to and nothing more. The Demo User only has access to view SalesLT Customer and SalesLT Address, they cannot Edit or Delete.

Let’s give the security role access to SalesLT SalesOrderHeader and SalesLT SaleOrderDetail, but only for records the user owns.

Search for SalesLT SalesOrder.

For each table, click the ellipsis, select Private and then click Save.

Figure 11 – Assign user permissions

Refresh the Model-Driven App, and the user should now see Sales Orders.

Figure 12 – Sales Orders

Add a Sales Order

From the Model-Driven App try to add a Sales Order.

Notice that the Customer, the Bill To Address and Ship To Address are locked.

Figure 13 – Unable to select customer or address

This is because the Append To permission has not be set for SalesLT Customer and SalesLT Address. This will allow us to associate the SalesLT Customer and SalesLT Address entities to the SalesLT SalesOrderHeader entitiy.

Figure 14 – Update Append To permissions

Click Save.

Refresh the Model-Driven App.

Now the Customer and Address fields can be updated.

Figure 15 – Customer and address are editable

This is where I’ll leave this little exercise in permissions for now, while not overly complex, at least for me, it is just helpful to see it in actoin.

For deeper dive on security and roles in Microsoft Dataverse see Security roles and privileges – Power Platform | Microsoft Learn.


Discover more from Matt Ruma

Subscribe to get the latest posts sent to your email.

Leave a Reply

Your email address will not be published. Required fields are marked *