web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Security Role assigned...
Power Apps
Answered

Security Role assigned in Flow but access denied

(0) ShareShare
ReportReport
Posted on by dpj620 29

My flow successfully assigns a custom security role and shares a Power App. The Power app uses a Dataverse table.  This works—the app is shared and the user shows up in the list of users assigned that security role. 

 

However, when the user attempts to open the Power App they are denied permission. In the flow, I've tried putting in Delays and reversing the steps, but still have the problem.

 

If I manually re-share the app then the data permissions dropdown is pre-populated with the correct security role for the entity. If I continue and click Share, the user can now access the Power App. Clearly my flow is needing another step, but what?

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • ChrisPiasecki Profile Picture
    ChrisPiasecki 6,422 Most Valuable Professional on at

    Hi @dpj620,

     

    Can you share a bit more detail about the flow such as some screenshots of the steps?

     

    ---
    Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

  • dpj620 Profile Picture
    dpj620 29 on at

    Pertinent flow steps shown in attached PDF. Flow triggers in adding a new table record from a Power App.

    Flow with Securit...
  • ChrisPiasecki Profile Picture
    ChrisPiasecki 6,422 Most Valuable Professional on at

    Hi @dpj620 ,

     

    Thanks for providing the detailed steps. Is there an Azure AD Security Group assigned to the environment? If so, is one of the steps you have listed adding the user to this particular group? Adding the user into that security group would add them to the environment.

     

    Also, not sure if you tried this already, but I wonder if maybe assigning the user's security role before sharing the app with them would make a difference. Additionally, not sure what your business unit structure is like in the environment, but you may want to explicitly associate them with a business unit, then assign security role, then share the app. If you only have the root business unit then its probably not required, but I would recommend doing it anyway.

     

    ---
    Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

     

     

  • dpj620 Profile Picture
    dpj620 29 on at

    There is no AAD Security Group assigned to the environment. Although this page indicates that  all properly licensed users will be enabled by default ("If a Dataverse environment does not have an associated security group, all users with a Dataverse license (customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), Power Automate, Power Apps, etc.) will be created as users and enabled in the environment.").

     

    Also, I've reversed the order of assigning the security role and app sharing, It made no difference.

     

    Here's the difference between sharing via the Flow and sharing manually as far assigned security role:

    Sharing.png

  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @dpj620, is looks like a canvas app but can you confirm if you are trying to share a model-driven app or canvas app? If your database is Dataverse, it seems you're also missing a step to assign a Dataverse security role to the user before sharing the app. 

    Cheers

  • dpj620 Profile Picture
    dpj620 29 on at

    Canvas app.

     

    The step to assign the security role is in the flow (PDF above) and it works. It made no difference which order (assign security role then share app or share app then assign security role) I had them in the Flow.

     

    I can go to the Power Platform Admin center and see the employee assigned in the flow listed under that role.

     

    dpj620_0-1617691012276.png

     

  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Sharing a canvas app manually like in your previous screenshot actually does 2 things:

    1. Shares the app directly the user
    2. (Optionally) if you select a security role, it will auto-assign that role to the user for convenience.
      Note: when selecting a user, if the user does roles, then you'll see those roles pre-selected. If the user doesn't have any then it means he/she doesn't have any roles assigned yet.

    Regardless if the user has a security role assigned or not, shouldn't affect whether they see the app. Sharing the app grants access to the app, security roles to the data access by the app. But in saying that, I just tried from my side (without assign a role) and getting the same behavior as you with the error message "The security roles didn't load" when I open the Share app window afterwards. I thing this is actually a bug and would lodge a Microsoft support ticket at: https://admin.powerplatform.microsoft.com/support

    Keep up posted!

  • ChrisPiasecki Profile Picture
    ChrisPiasecki 6,422 Most Valuable Professional on at

    Yes I agree with @EricRegnier that this behavior is not as designed and warrants a support ticket with MS. You should not have to go through this additional hoop of trying to assign the Security Role for every Dataverse table data source, rather just setting the security role once at the user level like you already are doing in the flow.

     

    The doc on Sharing a Canvas App has a strange note at the bottom that doesn't seem to make much sense, so I don't know if it would all be related to this or not but figured I'd post it here incase it is relevant.

     

    When you share an app that's based on an older version of Dataverse, you must share the runtime permission to the service separately. If you don’t have permission to do this, see your environment administrator.

     

    ---
    Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

  • Verified answer
    dpj620 Profile Picture
    dpj620 29 on at

    Many thanks for the link to the document about sharing a canvas app. This lead me to read the section entitled Share an app with Microsoft 365 groups. Following the instructions, I set the property SecurityEnabled to true for the group that everyone is joined to in the flow. Then I manually shared the app with that M365 group while choosing the correct security role. Once a user is joined to the group, they inherit the security role and the app share from the group. This worked and is more elegant.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the January Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 93 Most Valuable Professional

#2
Haque Profile Picture

Haque 81

#3
Valantis Profile Picture

Valantis 49

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans