Showing results for 
Search instead for 
Did you mean: 
Advocate IV
Advocate IV

How to setup Security Roles in order to revoke access to "create" a Power Apps Canvas Apps


I would like to setup a security role in my environment so that the users have access to only run a canvas app shared w/ them but I don't want them to have "create" permissions to build other canvas apps.

Is it possible? I tried different permission combinations (Dynamics Security Roles) but no matter what I try, I can't revoke the "create" canvas app permission.


I appreciate any help w/ this.

Many thanks, Daniel

Dual Super User III
Dual Super User III

You can do this on anything except the Default Environment.  Unfortunately, at this point you can't remove people's ability to create PowerApps or Flows in the Default environment without removing their license.  In other environments just make sure they don't have Maker or Adminsitrator security role in the Environment.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Hi @Pstork1 , thanks for your help!


Indeed if I assign only the standard "Common Data Service user" role to the users (within a environment other than the 'default'), they are not able to save apps within that environment but they still can build an app and save it to the local computer. And while they are building the app, they can still use the connections that were shared with them at the time my original "Run only App" was shared.


My main goal w/ this "run only access" to the shared apps is actually to prevent the users from building apps within that environment using for instance a SQL Server connection or a CDS connection granted to them through the sharing of my "original run only app".


My complete scenario is:

1. I built an app w/ access to a SQL server table or a CDS entity and I'm implementing Role Level Security within the App itself so the users can't see all the rows within the tables.


2. I want to share this app to the users but I don't want them to have access to that shared connections.

However, currently they can do it by creating an app and using the connections within a gallery acessing all the records. Even if they can't save the app within that environment because they have only the "Common Data Service user" role assigned, it's still a security concern.


I hope I could explain better the whole point w/ my initial question.


Thanks! Daniel





I hadn't thougth about CDS.  Normally you just remove all roles from the user in that environment.  They can still run apps that are shared with them via the link that is shared.  But without any permissions they can't even see the environment. But I haven't tried it with other roles like CDS data user.  I suspect there is no way to accomplish what you want in the current model.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Yes, @Pstork1 , I tested it and indeed, even w/ only the "CDS user" role, the users can see the environments and, despite than can't save the apps within that environment, they could still create an app and connect to the tables that I don't want.


I've also posted this question in the Dynamics Forum. Let's see if someone can provide me w/ a workaround and I'll post it here as well.


Thanks, Daniel

In this case, given the way MS has designed this I don't think there is a workaround.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Helpful resources

New Badges

New Solution Badges!

Check out our new profile badges recognizing authored solutions!

New Power Super Users


We are excited to announce the Power Apps Super Users!

Power Apps Community Call

Power Apps Community Call: February

Did you miss the call? Check out the Power Apps Community Call here.

Microsoft Ignite

Microsoft Ignite

Join digitally, March 2–4, 2021 to explore new tech that's ready to implement. Experience the keynote in mixed reality through AltspaceVR!

Users online (56,963)