Svenny
Advocate III

Issues with security group based access to PowerApp based on a custom common data service entity

Hello

 

I have created a PowerApp: Nice_App and a custom entity: Nice_Entity. I also have a security group: Group_A, and I am trying to use the standard common data service user (CDSU) role in this scenario. The common data service user role has been given the appropriate rights to App_Entity.

 

When the app was completed, I shared it through the make.powerapps.com interface. I entered the Group_A as the user, and was prompted to assign a security role for Group_A. I chose the CDSU role.

 

The users access the app, but cannot view, create or in any way interact with the data in Nice_Entity. Group_A appears under the CDSU role in the admin center. 

 

Somehow, it appears that the users within Group_A do not inherit the CDSU role.

 

When the users are assigned to the app and role individually it works as expected. However, adding and maintaining hundreds of users manually for each app is not an attractive option.

 

Any ideas on where I could be making a mistake?

1 ACCEPTED SOLUTION

EricRegnier
Super User

Hi @Svenny,

If I understand correctly, assigning the security role individually works but not via a team/group? Is your security group Group_A an O365 (AAD) group that you have synced with CDS by these steps: https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#create-a-group-team? Or are you using CDS teams? Also, have you properly configured the team member's privilege inheritance?

Roles assigned to a team do not directly mean that the user directly inherits those privileges, only that the user can act on behalf of the team for records assigned to the team. For instance, say the team has a role assigned with basic-level read to an entity. A user can only view records assigned to the team and would not be able to view even records assigned to him/her. If the role was directly assigned to the user, then they would be able to view their records.

 

Also, suggest not to modify the out-of-the-box CDS user role, instead create a custom role based on that role (copy) and apply your changes to the custom role: https://crmtipoftheday.com/1297/base-your-base-role-on-the-cds-user-role/

 

Here's a nice video summarizing CDS security model: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/t...

Hope this clarifies...
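The access behaviour described in the answer above, as an added example that is not part of the original post or of any Microsoft code: a simplified Python model of basic-level read access for a role assigned directly, through a team, and through a team with member privilege inheritance. The setting names `TEAM_ONLY` and `DIRECT_USER`, the user `member1` and the sample records are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Simplified model (assumption): only Basic-depth read is modelled.
TEAM_ONLY = "team_only"            # members act on behalf of the team
DIRECT_USER = "direct_user_basic"  # members also get the privilege themselves

@dataclass(frozen=True)
class Role:
    name: str
    basic_read: frozenset          # entities readable at Basic depth
    inheritance: str = TEAM_ONLY   # only relevant when assigned to a team

@dataclass(frozen=True)
class Record:
    entity: str
    owner: str                     # owning user or team

@dataclass
class User:
    name: str
    direct_roles: list = field(default_factory=list)
    team_roles: dict = field(default_factory=dict)  # team -> [Role]

def can_read(user, rec):
    """Return the reason access is granted, or None if denied."""
    for role in user.direct_roles:
        if rec.entity in role.basic_read and rec.owner == user.name:
            return f"direct role {role.name}"
    for team, roles in user.team_roles.items():
        for role in roles:
            if rec.entity not in role.basic_read:
                continue
            if rec.owner == team:
                return f"team-owned via {team}/{role.name}"
            if role.inheritance == DIRECT_USER and rec.owner == user.name:
                return f"inherited from {team}/{role.name}"
    return None

# Constructed sample data using the thread's names; "member1" is hypothetical.
def scenario(inheritance=TEAM_ONLY, direct=False):
    role = Role("CDSU", frozenset({"Nice_Entity"}), inheritance)
    user = User("member1", [role] if direct else [],
                {} if direct else {"Group_A": [role]})
    own = Record("Nice_Entity", "member1")
    shared = Record("Nice_Entity", "Group_A")
    return can_read(user, own), can_read(user, shared)

if __name__ == "__main__":
    print(scenario())                         # role via team, team-only
    print(scenario(inheritance=DIRECT_USER))  # role via team, inherited
    print(scenario(direct=True))              # role assigned to the user
```

Each call returns the result for a record the member owns, then for a record owned by Group_A; `None` means access is denied.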

 


3 REPLIES

v-xida-msft
Community Support

Hi @Svenny ,

Could you please share more details about privileges set for the CDSU role in your CDS Environment?

Could you please show more details about the Group_A? Is it a Security Group or Office 365 Group?

 

If the Group_A is a Security Group, you could assign a Security Role to this Security Group. And each member of this group would inherit role permission from this Security Group. Currently, you could not assign a Security Role to an Office 365 Group.

Please check the following article for more details:

https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#common-data-service

 

Also please make sure you have created a Team record for your Security Group in your CDS Environment:

[Screenshots: 3.JPG, 2.JPG]

 

Please check the following article for more details:

https://docs.microsoft.com/en-us/power-platform/admin/manage-teams

 

Regards,

Community Support Team _ Kris Dai

@v-xida-msft 

@EricRegnier 

 

Thank you both so much for your answers! I figured out afterwards, through trial, error and reading, that the security role had to be configured correctly to allow this functionality. However, I did modify the standard security role. I will correct this and do as @EricRegnier suggested by making a new security role for this purpose.

 

Sincerely,

Svenny

 

 
