cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
HiroakiSasaki
Frequent Visitor

What is the least privileged security role to access a model-driven app?

 

Hello,

 

I built a model-driven app and several custom security roles for it.

I referred to the docs page below and made sure that I did give the "Read" privilege for Model-Driven App and all customs entities I created for the app.

https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

 

But still a user given the custom security role cannot access the app.

I gave the "Create" and "Write" privileges for the custom security role just for a try, and then of course the user can access the app along with all the other apps on the environment, which is the condition I would like to avoid.

 

If one knows some possible reason I cannot realize what I want here, please share some of your knowledge.

To summarize what I need to achieve:

- prepare a custom security role with least privileges to access an model-driven app

- without giving accesses to other apps on the same environment

 

I have some possible causes in my mind as shown below, but still cannot prove anything about them.

- the least privilege condition has changed from the docs reference 

- Or I'm missing some necessary privileges to give

 

Thanks!

2 ACCEPTED SOLUTIONS

Accepted Solutions

Yep I would still create my custom role base on the CDS User role to reduce administration (assigning less roles to users).

What error message (or screenshot if possible) is user1 getting? Is the model-driven app shared with a particular role? Here's how to check roles assigned to an app:

1) App assigned a role: https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

2) You can also check via the classic interface: 

  1. Navigate to your environment and append to the URL "main.aspx?forceClassic=1" (e.g. https://ericdxc.crm6.dynamics.com/main.aspx?forceClassic=1)
  2. Go to Settings --> My Apps
  3. Click on the ellipsis on the middle right of your app
    2020-04-07_20-50-31.png
  4. A right pane will open, expand Roles
    2020-04-07_20-52-05.png

View solution in original post

Hi @HiroakiSasaki ,

Have you bind your custom Security Role to your Model-Driven app?

 

Sharing a model-driven app involves two primary steps. First, associate a one or more security role(s) with the app then assign the security role(s) to users.

Please make sure if you have associated your custom Security Role with your Model-Driven app already when you share your Model-Driven app.

 

When you sharing your Model-Driven app, please firstly associate your Custom Security Role to your Model-Driven app as below:

4.JPG

 

5.JPG

 

After that, choose the user you want to share your Model-Driven app with. If the chosen user has not been assigned to custom Security Role you set up, you could manage the Security roles for the chosen user as below:

6.JPG

Note: I think the privileges you set for your custom Security Role is correct

Please consider take a try with above solution, check if the issue is solved.

 

More details about new experience for sharing Model-Driven app, please check the following blog:

https://powerapps.microsoft.com/en-us/blog/sharing-made-easy-for-model-driven-apps/

 

Best regards,

Community Support Team _ Kris Dai
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

7 REPLIES 7
EricRegnier
Super User II
Super User II

Hi @HiroakiSasaki,

There are many other privileges required for a user to access and work with CDS. It's best to create custom security roles based on another out-of-the-box role. I usually use the role "Common Data Service User" as a base. You can follow this tip for more info: https://crmtipoftheday.com/1297/base-your-base-role-on-the-cds-user-role/

Hope this helps! 

Thank you for your comment! @EricRegnier 

 

I gave user1 both of my custom security role and Common Data Service User,

and still user1  cannot access the model-driven app.

Is is still a valid solution to create custom security roles based on Common Data Service User?
Or should I think other causes?

 

 

Yep I would still create my custom role base on the CDS User role to reduce administration (assigning less roles to users).

What error message (or screenshot if possible) is user1 getting? Is the model-driven app shared with a particular role? Here's how to check roles assigned to an app:

1) App assigned a role: https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

2) You can also check via the classic interface: 

  1. Navigate to your environment and append to the URL "main.aspx?forceClassic=1" (e.g. https://ericdxc.crm6.dynamics.com/main.aspx?forceClassic=1)
  2. Go to Settings --> My Apps
  3. Click on the ellipsis on the middle right of your app
    2020-04-07_20-50-31.png
  4. A right pane will open, expand Roles
    2020-04-07_20-52-05.png

View solution in original post

 

Alright, then I'll try to use CDS User role as a base.

 

Btw, the error message is shown as below. (Though my browser and environment are set in English, I have the message in my language. Anyway, what the message says is what's written in yellow box.)

HiroakiSasaki_0-1594625557744.png

 

 

I tried to check the assigned role to the app, but I only found "Pin this app" , but not "Manage Roles" in the ellipsis. 

HiroakiSasaki_1-1594625982838.png

 

 

 

Sorry for many questions. I'm still new to CDS.
Thank you very much for your advises!

 

Hi @HiroakiSasaki ,

Have you bind your custom Security Role to your Model-Driven app?

 

Sharing a model-driven app involves two primary steps. First, associate a one or more security role(s) with the app then assign the security role(s) to users.

Please make sure if you have associated your custom Security Role with your Model-Driven app already when you share your Model-Driven app.

 

When you sharing your Model-Driven app, please firstly associate your Custom Security Role to your Model-Driven app as below:

4.JPG

 

5.JPG

 

After that, choose the user you want to share your Model-Driven app with. If the chosen user has not been assigned to custom Security Role you set up, you could manage the Security roles for the chosen user as below:

6.JPG

Note: I think the privileges you set for your custom Security Role is correct

Please consider take a try with above solution, check if the issue is solved.

 

More details about new experience for sharing Model-Driven app, please check the following blog:

https://powerapps.microsoft.com/en-us/blog/sharing-made-easy-for-model-driven-apps/

 

Best regards,

Community Support Team _ Kris Dai
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

That warning message is shown when users navigate directly to CDS outside an app, usually in the classic interface. What apps do you see when you click the app selector? The message should be gone when you access pages (i.e. entities) within an app, so try to click an app, or create a custom model-driven app first and don't assign any security role

2020-07-13_20-46-02.png

@v-xida-msft , @EricRegnier 

 

I didn't bind custom security roles with the app!

After associating them, now user1 has the access to the app without problems.

 

I think what Eric showed me in his last reply meant the same solution, but just the UI has changed or something maybe?

 

I deeply appreciate your helps! Thank you so much.

The custom security roles were correctly configured, but I'll try to use CDS users role as a base for the next time as well 🙂 

Helpful resources

Announcements
PA User Group

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

PA Community Call

Power Apps Community Call

Next call is happening on April 21st at 8a PST.

MBAS Carousel

Sign up for our May 4th event!

May the fourth be with you, join us online!

secondImage

Experience what’s next for Power Apps

See the latest Power Apps innovations, updates, and demos from the Microsoft Business Applications Launch Event.

Users online (85,674)