dpj620
Frequent Visitor

Security Role assigned in Flow but access denied

My flow successfully assigns a custom security role and shares a Power App. The Power app uses a Dataverse table.  This works—the app is shared and the user shows up in the list of users assigned that security role. 

 

However, when the user attempts to open the Power App they are denied permission. In the flow, I've tried putting in Delays and reversing the steps, but still have the problem.

 

If I manually re-share the app then the data permissions dropdown is pre-populated with the correct security role for the entity. If I continue and click Share, the user can now access the Power App. Clearly my flow is needing another step, but what?

1 ACCEPTED SOLUTION

Accepted Solutions
dpj620
Frequent Visitor

Many thanks for the link to the document about sharing a canvas app. This led me to read the section entitled Share an app with Microsoft 365 groups. Following the instructions, I set the property SecurityEnabled to true for the group that everyone is joined to in the flow. Then I manually shared the app with that M365 group while choosing the correct security role. Once a user is joined to the group, they inherit the security role and the app share from the group. This worked and is more elegant.
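
The group change described in this answer, as an added example that is not part of the original post: it uses the AzureAD PowerShell module (an assumption; the post does not say which tool was used), sets SecurityEnabled only when it is not already set, and then lists the group's owners and member count, because membership in the group now confers both the app share and the Dataverse security role. The group name is a placeholder.

```powershell
# Added example, not from the original thread.
# Assumes the AzureAD module is installed and the signed-in account may update groups.
$GroupName = '<display name of the M365 group the flow adds users to>'  # placeholder

Connect-AzureAD | Out-Null

# Resolve the group by display name; stop if the name is missing or ambiguous,
# so the wrong group is never security-enabled by accident.
$escaped = $GroupName.Replace("'", "''")
$found   = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
if ($found.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($found.Count)."
}
$group = $found[0]

# Set SecurityEnabled only when needed, then re-read the group to confirm.
if (-not $group.SecurityEnabled) {
    Set-AzureADGroup -ObjectId $group.ObjectId -SecurityEnabled $true
    $group = Get-AzureADGroup -ObjectId $group.ObjectId
}
if (-not $group.SecurityEnabled) {
    throw "SecurityEnabled is still false for '$($group.DisplayName)'."
}

# Anyone who can add members to this group can now grant app and data access,
# so record who owns it and how many members it already has.
$owners  = @(Get-AzureADGroupOwner  -ObjectId $group.ObjectId -All $true)
$members = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)

[pscustomobject]@{
    Group           = $group.DisplayName
    ObjectId        = $group.ObjectId
    SecurityEnabled = $group.SecurityEnabled
    MailEnabled     = $group.MailEnabled
    Owners          = ($owners.UserPrincipalName -join ', ')
    MemberCount     = $members.Count
}
```

Sharing the app with the group and choosing the security role remains the manual step described in the post.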


9 REPLIES 9
ChrisPiasecki
Dual Super User

Hi @dpj620,

 

Can you share a bit more detail about the flow such as some screenshots of the steps?

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

dpj620
Frequent Visitor

Pertinent flow steps shown in attached PDF. Flow triggers on adding a new table record from a Power App.

Hi @dpj620 ,

 

Thanks for providing the detailed steps. Is there an Azure AD Security Group assigned to the environment? If so, is one of the steps you have listed adding the user to this particular group? Adding the user into that security group would add them to the environment.

 

Also, not sure if you tried this already, but I wonder if maybe assigning the user's security role before sharing the app with them would make a difference. Additionally, not sure what your business unit structure is like in the environment, but you may want to explicitly associate them with a business unit, then assign security role, then share the app. If you only have the root business unit then it's probably not required, but I would recommend doing it anyway.

 


dpj620
Frequent Visitor

There is no AAD Security Group assigned to the environment. Although this page indicates that all properly licensed users will be enabled by default ("If a Dataverse environment does not have an associated security group, all users with a Dataverse license (customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), Power Automate, Power Apps, etc.) will be created as users and enabled in the environment.").

 

Also, I've reversed the order of assigning the security role and app sharing. It made no difference.

 

Here's the difference between sharing via the Flow and sharing manually as far as the assigned security role:

Sharing.png

EricRegnier
Super User

Hi @dpj620, it looks like a canvas app but can you confirm if you are trying to share a model-driven app or canvas app? If your database is Dataverse, it seems you're also missing a step to assign a Dataverse security role to the user before sharing the app.

Cheers

dpj620
Frequent Visitor

Canvas app.

 

The step to assign the security role is in the flow (PDF above) and it works. It made no difference which order (assign security role then share app or share app then assign security role) I had them in the Flow.

 

I can go to the Power Platform Admin center and see the employee assigned in the flow listed under that role.

 

dpj620_0-1617691012276.png

 

EricRegnier
Super User

Sharing a canvas app manually like in your previous screenshot actually does 2 things:

  1. Shares the app directly with the user
  2. (Optionally) if you select a security role, it will auto-assign that role to the user for convenience.
    Note: when selecting a user, if the user has roles, then you'll see those roles pre-selected. If the user doesn't have any then it means he/she doesn't have any roles assigned yet.

Regardless of whether the user has a security role assigned or not, it shouldn't affect whether they see the app. Sharing the app grants access to the app, security roles to the data accessed by the app. But in saying that, I just tried from my side (without assigning a role) and am getting the same behavior as you, with the error message "The security roles didn't load" when I open the Share app window afterwards. I think this is actually a bug and would lodge a Microsoft support ticket at: https://admin.powerplatform.microsoft.com/support

Keep us posted!

Yes I agree with @EricRegnier that this behavior is not as designed and warrants a support ticket with MS. You should not have to go through this additional hoop of trying to assign the Security Role for every Dataverse table data source, rather just setting the security role once at the user level like you already are doing in the flow.

 

The doc on Sharing a Canvas App has a strange note at the bottom that doesn't seem to make much sense, so I don't know if it would all be related to this or not but figured I'd post it here in case it is relevant.

 

When you share an app that's based on an older version of Dataverse, you must share the runtime permission to the service separately. If you don’t have permission to do this, see your environment administrator.

 


