cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Ballard297
Frequent Visitor

Dataverse Security Role Question: Table Creation Permissions

Hello,

 

Is there a way to create a role that allows users to create Dataverse tables and only view/edit/delete the tables (and the data within the tables) they created?

We have a number of developers who want to explore and use Dataverse, so we would like to have a single environment where developers can freely build new tables and apps on top of them. However, we do not want each developer to see the other's tables and their data. Only my team and I as system admins should have the capability.

When exploring the pre-built roles, I found that I can give a user create privileges for entities (tables), but when they create a table they are not automatically granted permissions to that custom table upon creation. We have to manually update each user's permissions to access the table they just created. Going this route would also likely mean we would need a custom security role for each user to isolate permissions of each users custom tables. The alternative would be to have an environment for each developer, but this would not be effective use of our Dataverse capacity. 

 

Essentially we are looking for a role that automatically grants CRUD privileges for tables that a user creates, but no other tables, without having to manually update their permissions each time they create a table. 

 

Any guidance is greatly appreciated!

1 ACCEPTED SOLUTION

Accepted Solutions

@Ballard297 It is not possible to configure a dataverse environment to allow user ownership over system metadata.
An environment ( outside of the default ) is intended to be used for a given purpose, thus entity management is a global function and permission exist to manage who can create entities and other metadata.

 

I have two suggestions for you to consider.

Use the developer environment types for an exploration, or have each developer create and workout of their own solution within a single environment. The solution approach allows for one environment with a visual separation of assets.

 

View solution in original post

9 REPLIES 9
AhmedSalih
Super User
Super User

Hello, @Ballard297, the best option is to use System customizer Role and which is "By default, system customizers have full access to custom entities. If you want to have the same limitations that exist for system entities, you’ll need to adjust the system customizer security role so that the access level is User rather than Organization for custom entities."  https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/customize/privileges-req...

 

With this, your developers can create custom tables and they will be only accessed by those who created them. 

 

Regards,

Ahmed

If my reply helped you, please give a 👍. And if it has solved your issue, please consider a 👍 & Accepting it as the Solution to help other members of the community find it more.

My Blog: www.powerplatformplace.com

Hey Ahmed,

This sounds promising, but I can't seem to find how I "adjust the system customizer security role so that the access level is User rather than Organization for custom entities."

 

When adjusting any security role, I find that the Entity privilege under the Customizations tab can only be triggered to two settings: None or Organization. Here is a screenshot of the privilege I am referring to:

Ballard297_0-1660132084511.png

 

Is this perhaps the wrong privilege to be tweaking to make the above quoted adjustment? If so, can you show/tell me exactly what adjustment I need to make to the System Customizer role to make the access level User rather than Organization for all custom entities by default?

Lastly, can you confirm that using this setup will allow for the following scenario for our developers?:
Developer A: creates tables 1 & 2
Developer B: creates table 3

 

Developer A would only be able to view and edit tables 1 & 2, but will have no permissions to table 3. Developer B would only be able to view and edit table 3, but will have no permissions to tables 1 & 2. 

 

Thank you for the feedback and I appreciate your further guidance to help me in this scenario!

anteneh
New Member

yugytyt6r7

@Ballard297, Okay, I had to re-read that documentation and the system customizer security role will work for the System Entities and not the custom ones. For the custom entities, you will have change the permissions after every time your developers create new table.  Let's wait and see if others have some input to resolve this use case. I will also play with it in my environment sometime over the weekend. 

 

Will be great to hear feedback from others, as I have to imagine this is a scenario that has been faced by others. Let me know if you find anything while testing this weekend!

@Ballard297 It is not possible to configure a dataverse environment to allow user ownership over system metadata.
An environment ( outside of the default ) is intended to be used for a given purpose, thus entity management is a global function and permission exist to manage who can create entities and other metadata.

 

I have two suggestions for you to consider.

Use the developer environment types for an exploration, or have each developer create and workout of their own solution within a single environment. The solution approach allows for one environment with a visual separation of assets.

 

Hey Matt, thank you for reaching out.

 

With the developer environment, will my team be able to govern these like we will any other environment we create or is created by Teams? We have the Power Platform Admin role, so we already see all environments, but just want to know if these developer environments would also be visible to those in the Power Platform Admin role.

 

With the solution approach, would you then recommend that our developers are set to the system customizer role and simply instructed to create their own solution and only create new content from within their solution?

 

These both sound like intriguing approaches, just need a little more detail on both and I will then mark as solution 🙂

You can read more up on the Developer environment here: Power Apps Developer Plan | Microsoft Power Apps

You can control the ability to create them by policy, but its a on or off thing, you cannot limit a developer's ability to create one if the feature is enabled.  Your admins will be able to see them. 
They are intended to be 'short lived' and have heavy restrictions on capacity and lifetime.

 

for the solutions approach,
Yes, use customizer role for your developers ( or create an AAD group connected team in dataverse and assign it customizer, where the AAD group has your developers ).  then instruct your developers to create a new solution + publisher for their use in the shared environment. 

Ballard297
Frequent Visitor

Thank you sir, accepted your two suggestions as the solution.

Helpful resources

Announcements
Microsoft 365 Conference – December 6-8, 2022

Microsoft 365 Conference – December 6-8, 2022

Join us in Las Vegas to experience community, incredible learning opportunities, and connections that will help grow skills, know-how, and more.

Power Apps Ideas

Check out the New Ideas Site

We are excited to announce a new way to share your ideas for Power Apps!

Users online (4,247)