jeffgreenrc
Helper III

Security roles automatically not getting assigned for Canvas App

Hi,


I have a CDS environment in which I have created a canvas app. This CDS environment is accessible to all users in my company. For the canvas app we have created a security group in Azure AD and assigned limited users to it.

 

Now we have shared canvas app with security group having custom Security roles assigned. Our understanding is that when we have shared the App, the users in the security group will automatically be assigned to that new custom security role. However, this is not happening.

 

Can someone please guide me on how custom security role assignment works for canvas and model-driven apps?

 

Thanks

1 ACCEPTED SOLUTION

All that was explained is valid. I think the remaining information that can help you is the setting on the security role itself. If you set it to direct user privilege, then when the role is assigned to the Team it will be passed on to the user level when the user is assigned to the team. What that does is enable the user to access records and change them as themselves instead of as the Team.

 

Navigate to 'Settings -> Security -> Security Roles'. Open the 'Sales Manager' security role. Change the 'Member's Privilege Inheritance' to 'Direct User (Basic) access level and Team privileges' and Save.

 

Please mark the answer as solution if this helps. https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges#team-members-privile...


12 REPLIES
jlindstrom
Community Champion

I think you are mixing several concepts together in a way that doesn’t work exactly the way that you think it does.

 

Canvas apps can be shared with AD security groups, and AD security groups can also be used to provision security access to CDS, but these two concepts are not directly related.

 

1. Using AD security groups to manage CDS access: there is a type of team called an Azure AD security group team. If you assign users to the group linked to the team and they have a license for Power Apps, they will inherit the roles associated with the team. https://docs.microsoft.com/en-us/power-platform/admin/manage-teams
Some things to note:

1a. This works if the role assigned to the team has the setting on the first tab of the security role set to basic plus team security. Otherwise the role will not be a true inherited role and cannot grant permission you log in to the system.

1b. This doesn’t assign roles to a user—this is an alternative to assigning roles to users.

1c. The user won’t appear as an enabled user in CDS or show as a team member until they log in for the first time.

1d. Users need a full Power Apps per-user license or Dynamics. This won’t work for Office-only licensed users.

 

2. If you share the app with an AD group, the users in the group get access to the app if they have a role either directly assigned to them or they are part of an AAD security group team.

 

Note there are some rough edges to the AAD security group teams, and if they don’t work you are best just assigning roles to users.

Thank you for providing a detailed response on this.

 

We have already gone with the first approach. However, I have a question regarding the second approach.

 

if you share the app with an ad group, the users in the group get access to the app if they have a role either directly assigned to them or they are part of an aad security group team.

 

Based on the bold text above, did you mean approach 1 or some other?

 

Thanks!

 

 

If they are part of an AAD security group linked to a team with a security role.

How do I link an AAD security group with a team?

 

What I observed is, when I share an app with an Azure AD security group, it automatically creates a record under Teams and also has the security roles assigned that I had assigned while sharing the app. But I see only limited users, and those are the ones who have so far tried to access the app. However, the interesting thing is that these users who were able to access the app didn't have the custom security roles assigned which I assigned to the security group while sharing the app.

 

Please guide me on where I am making a mistake. Based on this documentation, my understanding is that whoever is part of the security group should automatically get security role access.


Thanks

So if you choose a security role when you share it, it will give them that role. I believe you are right that it will create a team and grant it the selected role. The reason you only see the users who have accessed the app in the team is because users are added to the team when they log in the first time.

 

See https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#about-group-teams for details about how to create the team.

But somehow the users, when accessing the app (app shared by selecting the security group and then security roles), are not getting the custom security role assigned automatically.


What could be the reason for that?

If users get a role through a team, the role is not added directly to the user. If the user is on a team with the role, they inherit the role from the team.

I am getting a little confused. Please correct me if I am wrong below.

 

  1. Assign Security Role to Security group while sharing an App
    1. Based on this link (https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#security-group-considerations), it is my understanding that, if I create an AD security group and assign a custom security role to it when sharing the canvas app, the users in the AD security group will automatically get assigned this custom security role.
  2. Change security role property to Basic
    1. After changing the security role property to Basic, I can confirm that users were automatically getting access to the app, as the security role was defined on the team which was automatically created when we shared the canvas app.

We did approach 2 because the first approach didn't seem to work. Usually I like the approach as it is clean, I don't have to change the security role and I can see which users are assigned which security roles.

 

Please confirm above and also guide me on how to correctly implement approach 1.

Thanks

They work together. You have to do #2 to make #1 work. But you will not see a role linked to the user record. The user inherits permission based on the role associated with their team.

 

Being on a team with a “basic” role assigned to it is equivalent to having that role directly associated with the user.
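
The inheritance behaviour worked out in this thread, as an added example that is not part of the original posts and is not Microsoft code: a simplified Python model over constructed data showing why a team-inherited role never appears on the user record, why the team lists only users who have signed in, and how the role's inheritance setting decides whether members act as themselves. All field names, users, groups and role names are hypothetical; the "Team privileges only" label for the other setting is assumed from the product UI.

```python
# Constructed sample data. Keys and values are hypothetical, not Dataverse schema names.
# "direct_user_and_team" stands for 'Direct User (Basic) access level and Team privileges';
# "team_only" stands for the other setting (assumed label: 'Team privileges only').
ROLES = {
    "Custom App Role": "direct_user_and_team",
    "Legacy Custom Role": "team_only",
}
TEAMS = [
    {"name": "App Users", "aad_group": "grp-app", "roles": ["Custom App Role"]},
    {"name": "Legacy Users", "aad_group": "grp-legacy", "roles": ["Legacy Custom Role"]},
]
USERS = {
    "alice": {"groups": ["grp-app"], "direct_roles": [], "signed_in": True},
    "bob": {"groups": ["grp-app"], "direct_roles": [], "signed_in": False},
    "carol": {"groups": ["grp-legacy"], "direct_roles": [], "signed_in": True},
    "dave": {"groups": [], "direct_roles": ["Custom App Role"], "signed_in": True},
}

def roles_on_user_record(user):
    """Roles an admin sees on the user record: only directly assigned ones."""
    return sorted(USERS[user]["direct_roles"])

def visible_team_members(team_name):
    """Group members appear in the team only after their first sign-in."""
    team = next(t for t in TEAMS if t["name"] == team_name)
    return sorted(u for u, d in USERS.items()
                  if team["aad_group"] in d["groups"] and d["signed_in"])

def effective_user_level_roles(user):
    """Roles whose privileges the user holds as themselves once signed in."""
    data = USERS[user]
    effective = set(data["direct_roles"])
    for team in TEAMS:
        if team["aad_group"] not in data["groups"]:
            continue
        for role in team["roles"]:
            # Only this setting passes the role down to the member's user level.
            if ROLES[role] == "direct_user_and_team":
                effective.add(role)
    return sorted(effective)

def audit():
    """Flag team roles that will not pass user-level privileges to members."""
    return [(t["name"], r) for t in TEAMS for r in t["roles"]
            if ROLES[r] == "team_only"]

if __name__ == "__main__":
    for name in USERS:
        print(name, roles_on_user_record(name), effective_user_level_roles(name))
    print("team 'App Users' shows:", visible_team_members("App Users"))
    print("review these team roles:", audit())
```

When reviewing who can reach the data behind a shared app, the user record alone is therefore not enough: team membership and each team role's inheritance setting have to be checked as well.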
