Adventures with Dataverse: Playing with Security Roles

In a previous post, Adventures with Dataverse: Migrating Microsoft SQL Server Tables to Dataverse Tables – Matt Ruma, I walked through migrating a SQL Database to Microsoft Dataverse.

In this post, I want to look at adding security roles to control access to the Dataverse entities.

The first security role I will create is for the Sales team.

This security role should allow members read-only access to Customers and Addresses and read/write access to their own Sales Orders.

Let’s create the role!

Create security role

Navigate to the Power Platform Admin Center at https://admin.powerplatform.microsoft.com.

Click Environments.

Select the environment you want to create the Security Role in, in my case, it was AdventureWorks - Dev.

Figure 1 – Environment view in Admin Center

Click Security roles.

Click New role.

Set Role Name to AdventureWorks Sales.

Set Business unit to the Default business unit.

Click Save.

Figure 2 – Add new security role for AdventureWorks Sales

Model-driven apps require a set of minimum privileges to run. These minimum privileges are now captured in a security role called App Opener, which is available in every environment.

See App Opener: Create custom security roles for your … – Power Platform Community (microsoft.com) for more information.

Before we add access to the custom entities, let’s add the security roles to the solution.

Navigate to the solution, click Objects.

Click Add Existing, then Security and then Security role.

Figure 3 – Add existing security role to solution

Select AdventureWorks Sales and then click Add.

Figure 4 – Select the security role

Just for kicks, I have a Demo User that I tried to access the Model-Driven App with, and not surprisingly, I received an error.

Figure 5 – Error message

Let’s share the Model-Driven App with our user, in my case, Demo User.

Share the app

Navigate to the Model-Driven App in the solution.

Click the ellipsis next to the Model-Driven App and select Share.

Figure 6 – Share Model-Driven App

I first need to assign the AdventureWorks Sales security role to the application by clicking on the Model-Driven App and selecting the dropdown with the currently assigned roles, usually System Administrator and System Customizer.

Figure 7 – Assign security role to the application

I then search for the Demo User to share it with them, assign them the AdventureWorks Sales security role and click Share.

Figure 8 – Find user and assign security role

Note: if you don’t assign the user a security role, the application will not be shared with them, even though you clicked Share.

When I tried to access the app, I still got the error message.

Assign table permissions to the security role

After giving this some thought, the user still doesn’t have any access to any of the entities the Model-Driven App is using, maybe that is the issue.

The following table describes the table privileges you can grant in a security role. In all cases, which records a privilege applies to depends on the access level (User, Business Unit, Parent: Child Business Units or Organization) set for that privilege in the security role.

Privilege: Description
Create: Required to make a new record
Read: Required to open a record to view the contents
Write: Required to make changes to a record
Delete: Required to permanently remove a record
Append: Required to associate the current record with another record; for example, if users have Append rights on a note, they can attach the note to an opportunity. In the case of many-to-many relationships, a user must have the Append privilege on both tables being associated or disassociated.
Append To: Required to associate a record with the current record; for example, if users have Append To rights on an opportunity, they can add a note to the opportunity
Assign: Required to give ownership of a record to another user
Share: Required to give access to a record to another user while keeping your own access

Back to the Power Platform Admin Center and the AdventureWorks - Dev Environment.

Under Access, select See all under Security roles.

Set Display only parent security roles to Off, locate the AdventureWorks Sales security role and select it.

Set the Tables dropdown to Show all tables.

Search for SalesLT Customer and then set Read to Organization.

Repeat for SalesLT Address.

Figure 9 – Assign read permissions for custom entities

Refresh the Model-Driven App for the Demo User, and that seemed to fix the issue!

Figure 10 – Demo User can now access the Model-Driven App

Notice it only shows entities the user has access to and nothing more. The Demo User only has access to view SalesLT Customer and SalesLT Address, they cannot Edit or Delete.

Let’s give the security role access to SalesLT SalesOrderHeader and SalesLT SalesOrderDetail, but only for records the user owns.

Search for SalesLT SalesOrder.

For each table, click the ellipsis, select Private (the preset that grants every privilege at the User access level, so it only applies to records the user owns) and then click Save.

Figure 11 – Assign user permissions

Refresh the Model-Driven App, and the user should now see Sales Orders.

Figure 12 – Sales Orders

Add a Sales Order

From the Model-Driven App try to add a Sales Order.

Notice that the Customer, the Bill To Address and Ship To Address are locked.

Figure 13 – Unable to select customer or address

This is because the Append To privilege has not been set on SalesLT Customer and SalesLT Address. Setting the Customer, Bill To Address or Ship To Address lookup on a Sales Order Header associates the order with that record, which requires the Append privilege on SalesLT SalesOrderHeader (already granted at the User level by the Private preset) and the Append To privilege on the referenced table. Grant Append To on SalesLT Customer and SalesLT Address at the same access level as Read (Organization); at a lower level the user could still see a customer but not select it.

Figure 14 – Update Append To permissions

Click Save.

Refresh the Model-Driven App.

Now the Customer and Address fields can be updated.

Figure 15 – Customer and address are editable
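As an added example (not code from the original post), the script below turns the two permission steps above, read-only reference tables with Append To and the Private preset on the order tables, into a policy and audits a role’s actual privileges against it, so over-privilege such as a stray Write on Customer or the missing Append To behind Figure 13 shows up without clicking through the role editor. The table logical names and the publisher prefix awlt_ are assumptions (the post does not give them), privilege names are assumed to follow Dataverse’s prv<Privilege><TableLogicalName> convention, and the SAMPLE_* data is constructed by hand in the shape the Web API’s RetrieveRolePrivilegesRole function returns; fetch_role_privileges shows the live call but is not used offline.

```python
"""Audit a Dataverse security role against the intended least-privilege policy.

Added example, not from the original post. Assumptions: table logical names use
the placeholder publisher prefix "awlt_"; privilege names follow the
prv<Privilege><TableLogicalName> convention; SAMPLE_* data is constructed.
"""
import json
import urllib.request

PRIVS = ("Create", "Read", "Write", "Delete", "Append", "AppendTo", "Assign", "Share")
# PrivilegeDepth as the Web API returns it (enum name or int) -> role editor access level.
DEPTH_TO_LEVEL = {
    "Basic": "User", 0: "User",
    "Local": "Business Unit", 1: "Business Unit",
    "Deep": "Parent: Child Business Units", 2: "Parent: Child Business Units",
    "Global": "Organization", 3: "Organization",
}
LEVEL_RANK = {"User": 0, "Business Unit": 1, "Parent: Child Business Units": 2, "Organization": 3}

# Assumed logical names (the "awlt_" prefix is a placeholder, not from the post).
CUSTOMER, ADDRESS = "awlt_saleslt_customer", "awlt_saleslt_address"
ORDER_HEADER, ORDER_DETAIL = "awlt_saleslt_salesorderheader", "awlt_saleslt_salesorderdetail"

# What AdventureWorks Sales should end up with: read-only reference data plus
# Append To (so an order can point at a customer/address), and the Private
# preset (every privilege at User level) on the order tables.
POLICY = {
    CUSTOMER: {"Read": "Organization", "AppendTo": "Organization"},
    ADDRESS: {"Read": "Organization", "AppendTo": "Organization"},
    ORDER_HEADER: {p: "User" for p in PRIVS},
    ORDER_DETAIL: {p: "User" for p in PRIVS},
}

def lookup_requirements(child_table, parent_table):
    """Privileges needed to set a lookup on child_table that references parent_table:
    Append on the record holding the lookup, Append To on the record being referenced."""
    return {child_table: "Append", parent_table: "AppendTo"}

def parse_privilege_name(name):
    """'prvAppendToawlt_saleslt_customer' -> ('AppendTo', 'awlt_saleslt_customer').
    Longest privilege prefix first so 'AppendTo' is not misread as 'Append'."""
    for priv in sorted(PRIVS, key=len, reverse=True):
        if name.startswith("prv" + priv):
            return priv, name[len("prv" + priv):]
    return None, None

def effective_levels(role_privileges, privilege_names):
    """Flatten RetrieveRolePrivilegesRole output into {table: {privilege: level}}."""
    levels = {}
    for rp in role_privileges:
        name = privilege_names.get(rp["PrivilegeId"])
        if not name:
            continue
        priv, table = parse_privilege_name(name)
        if priv and table in POLICY:
            levels.setdefault(table, {})[priv] = DEPTH_TO_LEVEL[rp["Depth"]]
    return levels

def audit(actual, policy=POLICY):
    """Sorted findings: ('missing'|'wrong_level'|'excess', table, privilege, detail)."""
    findings = []
    for table, wanted in policy.items():
        have = actual.get(table, {})
        for priv, level in wanted.items():
            if priv not in have:
                findings.append(("missing", table, priv, level))
            elif LEVEL_RANK[have[priv]] != LEVEL_RANK[level]:
                findings.append(("wrong_level", table, priv, f"{have[priv]} != {level}"))
        for priv, level in have.items():
            if priv not in wanted:
                findings.append(("excess", table, priv, level))
    return sorted(findings)

def fetch_role_privileges(org_url, token, role_id):
    """Live equivalent of SAMPLE_ROLE_PRIVILEGES via the bound Web API function
    RetrieveRolePrivilegesRole; not called in the offline run."""
    url = f"{org_url}/api/data/v9.2/roles({role_id})/Microsoft.Dynamics.CRM.RetrieveRolePrivilegesRole()"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json",
        "OData-MaxVersion": "4.0", "OData-Version": "4.0"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["RolePrivileges"]

# Constructed sample: privilege ids -> names (live: GET /privileges?$select=privilegeid,name).
SAMPLE_PRIVILEGE_NAMES = {
    "p1": f"prvRead{CUSTOMER}", "p2": f"prvAppendTo{CUSTOMER}", "p3": f"prvWrite{CUSTOMER}",
    "p4": f"prvRead{ADDRESS}",
    **{f"h{i}": f"prv{p}{ORDER_HEADER}" for i, p in enumerate(PRIVS)},
    **{f"d{i}": f"prv{p}{ORDER_DETAIL}" for i, p in enumerate(PRIVS)},
}
# Constructed sample role state: Write on Customer slipped in at Organization,
# and Append To on Address was never granted (the locked-lookup symptom).
SAMPLE_ROLE_PRIVILEGES = (
    [{"PrivilegeId": "p1", "Depth": "Global"}, {"PrivilegeId": "p2", "Depth": "Global"},
     {"PrivilegeId": "p3", "Depth": "Global"}, {"PrivilegeId": "p4", "Depth": "Global"}]
    + [{"PrivilegeId": f"h{i}", "Depth": "Basic"} for i in range(len(PRIVS))]
    + [{"PrivilegeId": f"d{i}", "Depth": "Basic"} for i in range(len(PRIVS))]
)

def sample_findings():
    return audit(effective_levels(SAMPLE_ROLE_PRIVILEGES, SAMPLE_PRIVILEGE_NAMES))

if __name__ == "__main__":
    for finding in sample_findings():
        print(*finding)
```

Run against the constructed sample it reports the excess Write on Customer and the missing Append To on Address; point fetch_role_privileges at a real environment (with a bearer token for the Dataverse org) and swap the constructed name map for the output of GET /privileges to audit the real AdventureWorks Sales role the same way.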

This is where I’ll leave this little exercise in permissions for now; while not overly complex, at least for me, it is just helpful to see it in action.

For a deeper dive on security and roles in Microsoft Dataverse see Security roles and privileges – Power Platform | Microsoft Learn.
