Solved: Re: haniRe: What is the least privileged security ...

HiroakiSasaki · ‎07-12-2020

Hello,

I built a model-driven app and several custom security roles for it.

I referred to the docs page below and made sure that I did give the "Read" privilege for Model-Driven App and all customs entities I created for the app.

https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

But still a user given the custom security role cannot access the app.

I gave the "Create" and "Write" privileges for the custom security role just for a try, and then of course the user can access the app along with all the other apps on the environment, which is the condition I would like to avoid.

If one knows some possible reason I cannot realize what I want here, please share some of your knowledge.

To summarize what I need to achieve:

- prepare a custom security role with least privileges to access an model-driven app

- without giving accesses to other apps on the same environment

I have some possible causes in my mind as shown below, but still cannot prove anything about them.

- the least privilege condition has changed from the docs reference

- Or I'm missing some necessary privileges to give

Thanks!

EricRegnier · ‎07-12-2020

Yep I would still create my custom role base on the CDS User role to reduce administration (assigning less roles to users).

What error message (or screenshot if possible) is user1 getting? Is the model-driven app shared with a particular role? Here's how to check roles assigned to an app:

1) App assigned a role: https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

2) You can also check via the classic interface:

Navigate to your environment and append to the URL "main.aspx?forceClassic=1" (e.g. https://ericdxc.crm6.dynamics.com/main.aspx?forceClassic=1)
Go to Settings --> My Apps
Click on the ellipsis on the middle right of your app
A right pane will open, expand Roles

View solution in original post

v-xida-msft · ‎07-13-2020

Hi @HiroakiSasaki ,

Have you bind your custom Security Role to your Model-Driven app?

Sharing a model-driven app involves two primary steps. First, associate a one or more security role(s) with the app then assign the security role(s) to users.

Please make sure if you have associated your custom Security Role with your Model-Driven app already when you share your Model-Driven app.

When you sharing your Model-Driven app, please firstly associate your Custom Security Role to your Model-Driven app as below:

After that, choose the user you want to share your Model-Driven app with. If the chosen user has not been assigned to custom Security Role you set up, you could manage the Security roles for the chosen user as below:

Note: I think the privileges you set for your custom Security Role is correct

Please consider take a try with above solution, check if the issue is solved.

More details about new experience for sharing Model-Driven app, please check the following blog:

https://powerapps.microsoft.com/en-us/blog/sharing-made-easy-for-model-driven-apps/

Best regards,

Community Support Team _ Kris Dai
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

EricRegnier · ‎07-12-2020

Hi @HiroakiSasaki,

There are many other privileges required for a user to access and work with CDS. It's best to create custom security roles based on another out-of-the-box role. I usually use the role "Common Data Service User" as a base. You can follow this tip for more info: https://crmtipoftheday.com/1297/base-your-base-role-on-the-cds-user-role/

Hope this helps!

HiroakiSasaki · ‎07-12-2020

Thank you for your comment! @EricRegnier

I gave user1 both of my custom security role and Common Data Service User,

and still user1 cannot access the model-driven app.

Is is still a valid solution to create custom security roles based on Common Data Service User?
Or should I think other causes?

EricRegnier · ‎07-12-2020

Yep I would still create my custom role base on the CDS User role to reduce administration (assigning less roles to users).

What error message (or screenshot if possible) is user1 getting? Is the model-driven app shared with a particular role? Here's how to check roles assigned to an app:

1) App assigned a role: https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

2) You can also check via the classic interface:

Navigate to your environment and append to the URL "main.aspx?forceClassic=1" (e.g. https://ericdxc.crm6.dynamics.com/main.aspx?forceClassic=1)
Go to Settings --> My Apps
Click on the ellipsis on the middle right of your app
A right pane will open, expand Roles

View solution in original post

HiroakiSasaki · ‎07-13-2020

Alright, then I'll try to use CDS User role as a base.

Btw, the error message is shown as below. (Though my browser and environment are set in English, I have the message in my language. Anyway, what the message says is what's written in yellow box.)

I tried to check the assigned role to the app, but I only found "Pin this app" , but not "Manage Roles" in the ellipsis.

Sorry for many questions. I'm still new to CDS.
Thank you very much for your advises!

v-xida-msft · ‎07-13-2020