Showing results for 
Search instead for 
Did you mean: 
Helper I
Helper I

Security Role Issue in Model-driven App

Hi. I have been stuck with the same predicament for over 3 days now and my research into the solution is going nowhere. I need this urgently so any direction would be great.

So I have a model-driven application with several custom entities. I have a few users that need to access that application, and depending on the department (or BU) each user is in, they should have custom read/write/create/delete permissions on the custom entities.


What I did is I separated the users into business units (all having the same parent BU which is the Organization). I moved the users from the root BU to their own BU, hence they moved Teams. That means they shouldn't inherit the permissions that apply to the Team associated with the root BU, right?


John is in BU1, which is under the root/parent BU. I created a security role under BU1. I gave him read permissions for model-driven apps (SCOPE: Organization so the filled green dot) in the Customization tab, and gave him create (SCOPE: BU) and read (SCOPE: Organization) for a custom entity. So this should allow him to see the custom entity and create a new record but not delete/update/etc. Is that correct? But when I wanted to share the app and gave John the security role (only ONE role was given to him), he could access the application (through the unified URL) and see the custom entity, but couldn't see the columns/records/etc of the entity. It's just empty and nothing happens when you click on the entity. What could be the problem?


Please and thank you for the help.


@Pstork1 @CNT @RandyHayes @WarrenBelz if either of you can help, I'd very much appreciate it. 

Dual Super User III
Dual Super User III

I'm not an authority on Model Drive apps, but I suspect the issue is with record ownership not permissions.  Review this article on how record ownership works with BU permissions.

Security concepts in Microsoft Dataverse - Power Platform | Microsoft Docs

I suspect you've given John permission to see the entities, but since they aren't owned by his BU he can't see them.  In your case I think you want the entities owned by the organization but john's permissions set by the BU.

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Thank you for the reply. So something weird happened: I gave John create and read access at the organization level for a custom entity and added read access for the Web Resource in the Customization tab, and John could see all entities but only access the ones I gave him permission to (he could create records but couldn't delete/modify/etc them). It worked for a while, then I updated the role (removed read access for Web Resource), and everything broke. I tried to revert everything back as it was when it was working, but it just broke permanently. We waited to see if it was a validation/update issue but it wasn't. 


The concepts are clear but I really do not know why things aren't working.. 

Hi @NaCarns,


Under the customizations tab, you'll want to give your users read access to many of those tables as they are required for built in behavior to work for a user. Web resources for example are required for navigation between pages etc.


Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Responsive Resident
Responsive Resident

Hi @NaCarns 


Does Parent BU have read only access to custom entity?

Parent BU has complete access to everything. I think I figured out the problem; I had to clear the cache first, and turn on System Forms and Relationship in the Customization tab. Everything worked. I didn't think every component, like if two entities have a relationship together, has its own access permissions. 


If I want to add Power BI reports/dashboards to my app, do I need to enable more permissions in the Customization tab?  

Responsive Resident
Responsive Resident

Hi @NaCarns 


Power BI dashboard is the embed dashboard and it doesn't require more permission in customization tab but I think your users should have access to Power BI workspace/report   

Please Thumbs up and accept as solution if my post helped you solve your issue.

Helpful resources

UG GA Amplification 768x460.png

Launching new user group features

Learn how to create your own user groups today!

Power Apps Community Call Jan. 2022 768x460.png

Power Apps Community Call

Please join us on Wednesday, January 19th, at 8a PDT. Come and learn from our amazing speakers!

Community Connections 768x460.jpg

Community & How To Videos

Check out the new Power Platform Community Connections gallery!

Top Kudoed Authors
Users online (1,408)