Answered

Limiting Right in Managed Environment Deployment Pipelines

(0) Share

Report

Posted on by Franklyn

We have a use case of wanting to use Managed Environment Deployment Pipelines to deploy solutions to Test and Production environments. However, we do not want end users to have any other privileges in the managed Test or Production environments outside of using the deployment pipelines. We don’t want them to be able to do manual deployment at all or to be able to create anything in those environments manually. With giving them the OOB Environment Maker/System Customizer to do pipeline deployments, we also give the rights to do manual deployments, which we don’t want.

Is that possible to implement the solution I am looking for?

Some ideas I am thinking about but really have no idea how to go about them would be to

Create a custom role – I know how to create a custom role but am overwhelmed with all the privileges of the system customizer role. Would it be possible to create a copy and take away everything other than deployment capabilities and still have the deployment capability? If so what entitlements would we need to accomplish my requirements?
Switch the pipeline to use a service account behind the scenes? Is it possible to have a pipeline do a deployment as a service account rather than the interactive user? That way I could give the service account the right permissions and now worry about the end user logging into the environment and doing stuff manually.

Has alone solved this problem or seen any good solutions?

Categories:

Governance & administering

I have the same question (0)

All responses (7)

Answers (1)

AlbertoCastro 1,201 Most Valuable Professional on at

Like (0)

Report

Hi,
in the host environment where you have installed the Power Platform pipelines app tehere are 2 new roles:
- Deployment Pipeline User, that grants privileges to run pipelines
- Deployment Pipeline Admin, that grants full control over pipeline configuration.

Sharing only this security roles with your users will granted that they won't change anything in the environment.
-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Regards
Alberto

Was this reply helpful? Yes No
Franklyn 21 on at

Like (0)

Report

Thank you @AlbertoCastro. I get the new roles in the host environment, but is my understanding correct in that unless the end user has something like System Customizer in the target environment(s), they will not be able to execute the deployments?

Was this reply helpful? Yes No
AlbertoCastro 1,201 Most Valuable Professional on at

Like (0)

Report

Only Pipeline User role is necessary to execute pipelines.
------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Regards
Alberto

Was this reply helpful? Yes No
Franklyn 21 on at

Like (0)

Report

Thank you @AlbertoCastro for your continued response. Let me ask is this way. Giving the end user "Pipeline User" lets the end user see the pipeline and execute it. My concern is not that. My question related to what role does the end user need in the target environment for the deployment. IF they have no role, they get the following error during the deployment "TryGetMaxPrivilegeDepthForUserAcrossBusinessUnits: The user with id b21b931e-e345-ee11-bdf3-000d3a9bc14a has not been assigned any roles. They need a role with the prvImportCustomization privilege."

Was this reply helpful? Yes No
Verified answer

AlbertoCastro 1,201 Most Valuable Professional on at

Like (0)

Report

Oh sorry, I understand you now. The user can execute de pipeline (because have the Pipeline User role assigned) but he can't import the solution by this error.

Makers must also have privileges to export solutions from the source development environments, as well as privileges to import solutions to the target test and production environments for which the pipeline deploys to. By default, system customizer and environment maker roles have these privileges.

I was investigating much time to identify a correct combination of privileges in a Security Role to this goal unsuccessfully 😞

The only thing I got was to identify other privileges of the System Administrator role that are sometimes necessary in importing solutions and isolate them in a custom role.

I'm sorry I can't be more help.
------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Regards
Alberto

Was this reply helpful? Yes No
Franklyn 21 on at

Like (1)

Report

Thank you again @AlbertoCastro. I am glad I am not the only one struggling with this.

Was this reply helpful? Yes No
AbrahamLincoln 2 on at

Like (0)

Report

Hi, @Franklyn and @AlbertoCastro. I'm struggling with this exact thing, as well. Did either of you end up creating a custom role? If so, and you can provide advice about how you did, I'd appreciate it. Thanks.

Was this reply helpful? Yes No