web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / How to protect CDS env...
Power Apps
Answered

How to protect CDS environment with or without security group

(0) ShareShare
ReportReport
Posted on by Mx81 860

Hello,

 

I'm confused because of these 2 cases:

1) I can create an Canvas App or a flow in a CDS environment that is secured by a Security Group and share it with users that are not members of this Security Group. No Problem

2) I cannot send an Approval out of the CDS environment that is secured by a Security Group to a user that is not member of this Security Group. Error message ("user is not member of security group").

 

So my question is: how shall I setup my environment.

I want to have a protected environment called "IT solutions". In this environment with CDS, only a couple of users should have the rights for creating solutions, canvas apps, flows, custom connectors. All other users should only be able to use shared apps and flows and react on approvals.

How can I handle this?

 



Categories:
Governance & administering
I have the same question (0)
  • v-xida-msft Profile Picture
    v-xida-msft on at

    Hi @max81 ,

    According to the issue that you mentioned, I think you have some misunderstanding on the "Security Group" in CDS Environment.

     

    Actually, the "Security Group" is used to control data access to Common Data Service in a Environment for users in your tenant. For your first case, please note that the "Sharing" mechanism of a canvas app in PowerApps is not related to "Security Group".

    The "Sharing" mechanism of a canvas app is used to share canvas app Run or Edit permission to the users in your Org, it would not share the data source resource access permission to the users.

     

    For your second case, if you create a Approval flow in your CDS Environment using Power Automate flow, it would essentially store the Approval flow record in Approval Entities in your Common Data Service. In other words, the "Approvals" functionality in Power Automate flow is based on the "Approval" Entities in your Common Data Service:

    2.JPG

    If you assign a "Security Group" to your current Environment, only users with Common Data Service licenses that are members of this security group will be created as users and enabled in the Common Data Service environment, the other users who are not members of this Security Group would be disabled in this Environment.

    So the other users are not members of this Security Group could not access the CDS data (including the "Approval" Entity) in your Environment. So you could not send an approval flow to a user outside the Security Group.

    Best regards,

  • Mx81 Profile Picture
    Mx81 860 on at

    thank you @v-xida-msft for that clearification. Helps indeed to understand it a little bit more.

    Mayby you can also help me with the rest of my confusion.

     

     

    But still my question:

    I want to have a protected environment called "IT solutions". In this environment with CDS, only a couple of users should have the rights for creating solutions, canvas apps, flows, custom connectors. All other users should only be able to use shared apps and flows and react on approvals.

    How can I handle this?

     

     

    And also an additional question: where are Approvals stored in environments without CDS?

     

     

  • Verified answer
    danman71 Profile Picture
    danman71 83 on at

    it sounds like to me you need 2 environments. One to build solutions, then export those to another environment for your other users to use. Can you clarify what you mean by Approvals?

    here is the doc on Security Groups. https://docs.microsoft.com/en-us/power-platform/admin/control-user-access

     

    We are building a more traditional environment, DEV, TEST, & PROD. Controlling access to those via Security Groups, Business unit, Teams and Security Roles. Basically DEV is where everyone works and builds,and Developers are not in the SG's that are controlling our TEST and PROD environments. Test is basically the same, individuals who test are not allowed in DEV. PROD only has a few implementer's.

  • Mx81 Profile Picture
    Mx81 860 on at

    Ok, it was a kind of misunderstanding the security roles of CDS. I will therefore create a new topic.

     

    Thanks for your feedback.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 721 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 320 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans