Showing results for 
Search instead for 
Did you mean: 
Advocate IV
Advocate IV

How to setup Security Roles in order to revoke access to "create" a Power Apps Canvas Apps


I would like to setup a security role in my environment so that the users have access to only run a canvas app shared w/ them but I don't want them to have "create" permissions to build other canvas apps.

Is it possible? I tried different permission combinations (Dynamics Security Roles) but no matter what I try, I can't revoke the "create" canvas app permission.


I appreciate any help w/ this.

Many thanks, Daniel

Dual Super User
Dual Super User

You can do this on anything except the Default Environment.  Unfortunately, at this point you can't remove people's ability to create PowerApps or Flows in the Default environment without removing their license.  In other environments just make sure they don't have Maker or Adminsitrator security role in the Environment.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Hi @Pstork1 , thanks for your help!


Indeed if I assign only the standard "Common Data Service user" role to the users (within a environment other than the 'default'), they are not able to save apps within that environment but they still can build an app and save it to the local computer. And while they are building the app, they can still use the connections that were shared with them at the time my original "Run only App" was shared.


My main goal w/ this "run only access" to the shared apps is actually to prevent the users from building apps within that environment using for instance a SQL Server connection or a CDS connection granted to them through the sharing of my "original run only app".


My complete scenario is:

1. I built an app w/ access to a SQL server table or a CDS entity and I'm implementing Role Level Security within the App itself so the users can't see all the rows within the tables.


2. I want to share this app to the users but I don't want them to have access to that shared connections.

However, currently they can do it by creating an app and using the connections within a gallery acessing all the records. Even if they can't save the app within that environment because they have only the "Common Data Service user" role assigned, it's still a security concern.


I hope I could explain better the whole point w/ my initial question.


Thanks! Daniel





I hadn't thougth about CDS.  Normally you just remove all roles from the user in that environment.  They can still run apps that are shared with them via the link that is shared.  But without any permissions they can't even see the environment. But I haven't tried it with other roles like CDS data user.  I suspect there is no way to accomplish what you want in the current model.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Yes, @Pstork1 , I tested it and indeed, even w/ only the "CDS user" role, the users can see the environments and, despite than can't save the apps within that environment, they could still create an app and connect to the tables that I don't want.


I've also posted this question in the Dynamics Forum. Let's see if someone can provide me w/ a workaround and I'll post it here as well.


Thanks, Daniel

In this case, given the way MS has designed this I don't think there is a workaround.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Helpful resources

Power Apps News & Annoucements carousel

Power Apps News & Announcements

Keep up to date with current events and community announcements in the Power Apps community.

Community Call Conversations

Introducing the Community Calls Conversations

A great place where you can stay up to date with community calls and interact with the speakers.

Power Apps Community Blog Carousel

Power Apps Community Blog

Check out the latest Community Blog from the community!

Users online (5,764)