Unanswered

Security Role assigned in Flow but access denied

(0) Share

Report

Posted on by dpj620

My flow successfully assigns a custom security role and shares a Power App. The Power app uses a Dataverse table. This works—the app is shared and the user shows up in the list of users assigned that security role.

However, when the user attempts to open the Power App they are denied permission. In the flow, I've tried putting in Delays and reversing the steps, but still have the problem.

If I manually re-share the app then the data permissions dropdown is pre-populated with the correct security role for the entity. If I continue and click Share, the user can now access the Power App. Clearly my flow is needing another step, but what?

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (9)

Answers (1)

ChrisPiasecki 6,422 Most Valuable Professional on at

Like (0)

Report

Hi @dpj620,

Can you share a bit more detail about the flow such as some screenshots of the steps?

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Was this reply helpful? Yes No
dpj620 29 on at

Like (0)

Report

Pertinent flow steps shown in attached PDF. Flow triggers in adding a new table record from a Power App.

Flow with Securit...

Was this reply helpful? Yes No
ChrisPiasecki 6,422 Most Valuable Professional on at

Like (1)

Report

Hi @dpj620 ,

Thanks for providing the detailed steps. Is there an Azure AD Security Group assigned to the environment? If so, is one of the steps you have listed adding the user to this particular group? Adding the user into that security group would add them to the environment.

Also, not sure if you tried this already, but I wonder if maybe assigning the user's security role before sharing the app with them would make a difference. Additionally, not sure what your business unit structure is like in the environment, but you may want to explicitly associate them with a business unit, then assign security role, then share the app. If you only have the root business unit then its probably not required, but I would recommend doing it anyway.

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Was this reply helpful? Yes No
dpj620 29 on at

Like (0)

Report

There is no AAD Security Group assigned to the environment. Although this page indicates that all properly licensed users will be enabled by default ("If a Dataverse environment does not have an associated security group, all users with a Dataverse license (customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), Power Automate, Power Apps, etc.) will be created as users and enabled in the environment.").

Also, I've reversed the order of assigning the security role and app sharing, It made no difference.

Here's the difference between sharing via the Flow and sharing manually as far assigned security role:

Was this reply helpful? Yes No
EricRegnier 8,720 Most Valuable Professional on at

Like (0)

Report

Hi @dpj620, is looks like a canvas app but can you confirm if you are trying to share a model-driven app or canvas app? If your database is Dataverse, it seems you're also missing a step to assign a Dataverse security role to the user before sharing the app.

Cheers

Was this reply helpful? Yes No
dpj620 29 on at

Like (0)

Report

Canvas app.

The step to assign the security role is in the flow (PDF above) and it works. It made no difference which order (assign security role then share app or share app then assign security role) I had them in the Flow.

I can go to the Power Platform Admin center and see the employee assigned in the flow listed under that role.

Was this reply helpful? Yes No
EricRegnier 8,720 Most Valuable Professional on at

Like (1)

Report
Sharing a canvas app manually like in your previous screenshot actually does 2 things:

Shares the app directly the user

(Optionally) if you select a security role, it will auto-assign that role to the user for convenience.
Note: when selecting a user, if the user does roles, then you'll see those roles pre-selected. If the user doesn't have any then it means he/she doesn't have any roles assigned yet.

Regardless if the user has a security role assigned or not, shouldn't affect whether they see the app. Sharing the app grants access to the app, security roles to the data access by the app. But in saying that, I just tried from my side (without assign a role) and getting the same behavior as you with the error message "The security roles didn't load" when I open the Share app window afterwards. I thing this is actually a bug and would lodge a Microsoft support ticket at: https://admin.powerplatform.microsoft.com/support

Keep up posted!

Was this reply helpful? Yes No
ChrisPiasecki 6,422 Most Valuable Professional on at

Like (0)

Report

Yes I agree with @EricRegnier that this behavior is not as designed and warrants a support ticket with MS. You should not have to go through this additional hoop of trying to assign the Security Role for every Dataverse table data source, rather just setting the security role once at the user level like you already are doing in the flow.

The doc on Sharing a Canvas App has a strange note at the bottom that doesn't seem to make much sense, so I don't know if it would all be related to this or not but figured I'd post it here incase it is relevant.

When you share an app that's based on an older version of Dataverse, you must share the runtime permission to the service separately. If you don’t have permission to do this, see your environment administrator.

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Was this reply helpful? Yes No
Verified answer

dpj620 29 on at

Like (0)

Report

Many thanks for the link to the document about sharing a canvas app. This lead me to read the section entitled Share an app with Microsoft 365 groups. Following the instructions, I set the property SecurityEnabled to true for the group that everyone is joined to in the flow. Then I manually shared the app with that M365 group while choosing the correct security role. Once a user is joined to the group, they inherit the security role and the app share from the group. This worked and is more elegant.

Was this reply helpful? Yes No