Hello
I have created a PowerApp: Nice_App and a custom entity: Nice_Entity. I also have a security group: Group_A, and I am trying to use the standard common data service user (CDSU) role in this scenario. The common data service user role has been given the appropriate rights to App_Entity.
When the app was completed, I shared it through the make.powerapps.com interface. I entered the Group_A as the user, and was prompted to assign a security role for Group_A. I chose the CDSU role.
The users access the app, but cannot view, create or in any way interact with the data in Nice_Entity. Group_A appears under the CDSU role in the admin center.
Somehow, it appears that the users within Group_A do not inherit the CDSU role.
When the users are assigned to the app and role individually it works as expected. However, adding and maintaining hundreds of users manually for each app is not an attractive option.
Any ideas on where I could be making a mistake?
Hi @Svenny,
If I understand correctly, assigning the security role individually works but not via a team/group? Is your security group Group_A an O365 (AAD) group that you have synced with CDS by these steps: https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#create-a-group-team? Or are you using CDS teams? Also, have you properly configured the Team member's privilege inheritance?
Roles assigned to a team do not directly mean the user directly inherits those privileges, only that the user can act on behalf of the team for records assigned to the Team. For instance, say the team has a role assigned with basic level read to an entity. A user can only view records assigned to the team and would not be able to view even records assigned to him/her. If the role was directly assigned to the user then they would be able to view their records.
Also, suggest not to modify the out-of-the-box CDS user role, instead create a custom role based on that role (copy) and apply your changes to the custom role: https://crmtipoftheday.com/1297/base-your-base-role-on-the-cds-user-role/
Here's a nice video summarizing CDS security model: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/t...
Hope this clarifies...
Hi @Svenny,
Could you please share more details about privileges set for the CDSU role in your CDS Environment?
Could you please show more details about the Group_A? Is it a Security Group or Office 365 Group?
If the Group_A is a Security Group, you could assign a Security Role to this Security Group. And each member of this group would inherit role permission from this Security Group. Currently, you could not assign a Security Role to an Office 365 Group.
Please check the following article for more details:
https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#common-data-service
Also please make sure you have created a Team record for your Security Group in your CDS Environment:
Please check the following article for more details:
https://docs.microsoft.com/en-us/power-platform/admin/manage-teams
Regards,
Thank you both so much for your answers! I figured out afterwards, through trial, error and reading, that the security role had to be configured correctly to allow this functionality. However, I did modify the standard security role. I will correct this and do as @EricRegnier suggested by making a new security role for this purpose.
Sincerely,
Svenny