I've been trying to understand how Power Apps environments and security roles work. I'd welcome any commentary/sanity check upon this strategy:
We've initially created 3 new environments: dev, test and prod for "approved" apps.
All have a CDS and an individual security group.
My intention is to:
add all users to prod but only with a security role which allows the running of apps: CDS user
add users as required to dev and test environments but the former users have the "Environment Maker" role, to allow the creation of apps in dev and the latter only have the "CDS User" role
To do this, it appears that I have to add the users first to the relevant security groups, thus making them enabled, then allocate the security roles
Obviously there is more than just this but if someone could confirm that this is an appropriate method and correct procedure, this would be really helpful.
Presumably the same approach should be taken with corporate Flows?
Thanks Bill
Hi @BillYoung-arm ,
You can assign a security role not only to a single user, one by one, but also to a security group.
Then all the users in the security group will have this permission.
What's more, if you want to assign a security role to a security group, you need to create a security group.
Now let me explain how to assign permission of environment:
1) Log in to Power Platform:
https://admin.powerplatform.microsoft.com/
2) Choose the environment that you want.
3) Create a security role.
4) If you want to assign a role to a single person, choose this:
If you want to assign a role to a whole group, choose this:
5) If you choose "users", just select the user that you want, then choose "manage role".
If you choose "teams", you first need to create a security group.
Choose all the users that you want to assign roles to, and put them in the same group.
After you create the security group successfully, assign the role to this group.
Best regards,
Thanks Phoebe
The problem appears to be that new users added to the already linked Security group aren't displaying in the "Users" list, despite being added 24 hours ago.
I can see that the user is in the SG in the M365 Admin Center, has an E5 licence and that the SG is linked to the environment, so this doesn't seem to make sense. Perhaps there's something else that needs to be done?
Any advice would be great.
Cheers Bill
Hi all!
Following a Christmas break, I'm still trying to pursue an understanding of custom environments.
As mentioned previously, I’m trying to create a custom Power Apps Production environment in which all of our staff can view and run apps from, yet they don’t have any maker rights to amend those apps. We additionally will have custom Test and Dev environments to support this.
I now believe that I have to create the custom environment without a Security group. It seems SGs can't be nested. Adding "Everyone" didn't work but creating one without an SG, added all tenancy users as "Enabled users" to the environment.
As they were subsequently all also members of the Team and "Business Unit" I thought that this would solve my problem. I then created a “min priv apps use” Role (as shown here: https://docs.microsoft.com/en-us/power-platform/admin/database-security) and assigned both this and the CDS user roles to the Team (I believe that only the first one should be necessary).
My Dynamics colleagues tell me that this is usual, as the Enabled Users inherit the roles from the Team they are a member of, even though this isn’t apparent on their individual records. However, when tested, I would then expect that all “Enabled Users” are able to see that custom environment listed in their Power Apps studio. This isn’t the case.
At the moment, I believe that I’ve tried every possible configuration. However, I’m not clear if:
a/ I’m trying to create an inappropriate environment configuration or
b/ I’m doing something wrong in the creation/set up
With regard to a/:
Can anyone confirm that this is a common approach and configuration?
If so, could you outline the steps to achieve this?
If you have other comments or suggestions, that would be great also.
Thanks again all