cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
BillYoung-arm
Helper III
Helper III

Understanding Custom Environments and Security roles

‎12-02-2019 07:29 AM

I've been trying to understand how Power Apps environments and security roles work. I'd welcome any commentary/sanity check  upon this strategy:

 

We've initially create 3 new environments: dev, test and prod for "approved" apps.
All have a CDS and individual security group

 

My intention is to:

add all users to prod but only with a security role which allows the running of apps: CDS user

add users as required to dev and test environments but the former users have the "Environment Maker" role, to allow the creation of apps in dev and the latter only have the "CDS User" role

To do this, it appears that I have to add the users first to the relevant security groups, thus making them enabled, then allocate the security roles

 

Obviously there is more than just this but if someone could confirm that this is an appropriate method and correct procedure, this would be really helpful.

 

Presumably the same approach should be taken with corporate Flows?

 

Thanks Bill

Labels:
Message 1 of 4
603 Views
0 Kudos
3 REPLIES 3
v-yutliu-msft
Community Support
Community Support

‎12-02-2019 10:50 PM

Hi @BillYoung-arm ,

You not only could assign security role to a single user one by one, but also could assign security role to a security group.

Then all the users in the security group will have this permission.

What's more, if you want to assign security role to a security group, you need to create a security group.

Now let me explain how to assign permission of environment:

1)login in power platform:

https://admin.powerplatform.microsoft.com/

2)choose the environment that you want

3)create a security role

1233.PNG

 4)if you want to assign role to a single person, choose this:

1234.PNG

 

if you want to assign role to a whole group, choose this:

1235.PNG

5)If you choose "users", just select the user that you want, choose "manage role". 

1236.PNG

 

 

If you choose "teams", firstly you need to create a security group.

1237.PNG

 choose all the users that you want to assign roles, make them in the same group.

After you create security group successfully, assign role to this group.

1238.PNG

 

 

Best regards,

 

Community Support Team _ Phoebe Liu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 4
571 Views
0 Kudos
BillYoung-arm
Helper III
Helper III
In response to v-yutliu-msft

‎12-03-2019 06:13 AM

Thanks Phoebe

The problem appears to be that new users added to the already linked Security group aren't displaying in the "Users" list, despite being added 24 hours ago.

I can see the user in the SG in the M365 Admin Center, has an E5 licence and that the SG is linked to the environment, so this doesn't seem to make sense. Perhaps there's something else that needs to be done?

Any advice would be great

Cheers Bill

 

Message 3 of 4
566 Views
0 Kudos
BillYoung-arm
Helper III
Helper III
In response to BillYoung-arm

‎01-02-2020 05:48 AM

Hi all!

Following a Christmas break, I'm still trying to pursue an understanding of custom environments

As mentioned previously, I’m trying to create a custom Power Apps Production environment in which all of our staff can view and run apps from, yet they don’t have any maker rights to amend those apps. We additionally will have custom Test and Dev environments to support this.

I now believe that I have to create the custom environment without a Security group. It seems SGs can't be nested. Adding "Everyone" didn't work but creating one without an SG, added all tenancy users as "Enabled users" to the environment.

As they were subseqently all also members of the Team and "Business Unit" I thought that this would solve my problem. I then created a “min priv apps use” Role (as shown here: https://docs.microsoft.com/en-us/power-platform/admin/database-security) and assigned both this and the CDS user roles to the Team (I believe that only the first one should necessary).

 

My Dynamics colleagues tell me that this is usual, as the Enabled Users inherit the roles from the Team they are a member of, even though this isn’t apparent on their individual records. However, when tested, I would then expect that all “Enabled Users” are able to see that custom environment listed in their Power Apps studio. This isn’t the case

 

At the moment, I believe that I’ve tried every possible configuration. However, I’m not clear if:

a/ I’m trying to create an inappropriate environment configuration or

b/ I’m doing something wrong in the creation/set up

 

With regard to a/:

Can anyone confirm that this is a common approach and configuration?

If so, could you outline the steps to achieve this?

If you have other comments or suggestions, that would be great also

Thanks again all

Message 4 of 4
454 Views
0 Kudos

Helpful resources

Announcements
Power Apps News & Annoucements carousel

Power Apps News & Announcements

Keep up to date with current events and community announcements in the Power Apps community.

Power Apps Community Blog Carousel

Power Apps Community Blog

Check out the latest Community Blog from the community!

View All
Users online (3,933)