web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Issues with security g...
Power Apps
Answered

Issues with security group based access to PowerApp based on a custom common data service entity

(0) ShareShare
ReportReport
Posted on by Svenny 153

Hello

 

I have created a PowerApp: Nice_App and a custom entity: Nice_Entity. I also have a security group: Group_A, and I am trying to use the standard common data service user (CDSU) role in this scenario. The common data service user role has been given the appropriate rights to App_Entity.

 

When the app was completed, I shared it through the make.powerapps.com interface. I entered the Group_A as the user, and was prompted to assign a security role for Group_A. I chose the CDSU role.

 

The users access the app, but cannot view, create or in any way interact with the data in Nice_Entity. Group_A appears under the CDSU role in the admin center. 

 

Somehow, it appears that the users within Group_A does not inherit the CDSU role.

 

When the users are assigned to the app and role individually it works as expected. However, adding and maintaning hundreds of users manually for each app is not an attractive option.

 

Any ideas on where I could be making a mistake?

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • Verified answer
    EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @Svenny,

    If I understand correctly, assigning the security role individual works but not via a team/group? Is your security group Group_A an O365 (AAD) group that you have synced with CDS by these steps: https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#create-a-group-team? Or are you using CDS teams? Also have you configured properly the Team member's privilege inheritance?

    Roles assigned to a team does not directly mean the user directly inherits of those privileges. Only that the user can act-on-behalf of the team for records assigned to the Team. For instance, say the team has a role assigned with basic level read to an entity. A user can only view records assign to the team and would not be able to view even records assign to him/her. If the role was directly assigned to the user then they would be able to view their records.

     

    Also, suggest not to modify the out-of-the-box CDS user role, instead create a custom role based on that role (copy) and apply your changes to the custom role: https://crmtipoftheday.com/1297/base-your-base-role-on-the-cds-user-role/

     

    Here's a nice video summarizing CDS security model: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/td-p/615512

    Hope this clarifies...

     

  • v-xida-msft Profile Picture
    v-xida-msft on at

    Hi @Svenny ,

    Could you please share more details about privileges set for the CDSU role in your CDS Environment?

    Could you please show more details about the Group_A? Is it a Security Group or Office 365 Group?

     

    If the Group_A is a Security Group, you could assign a Security Role to this Security Group. And each members of this group would inherit role permission from this Security Group. Currently, you could not assign a Security Role to a Office 365 Group.

    Please check the following article for more details:

    https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#common-data-service

     

    Also please make sure you have created a Team record for your Security Group in your CDS Environment:

    3.JPG

     

    2.JPG

     

    Please check the following article for more details:

    https://docs.microsoft.com/en-us/power-platform/admin/manage-teams

     

    Regards,

  • Svenny Profile Picture
    Svenny 153 on at

    @v-xida-msft 

    @EricRegnier 

     

    Thank you both so much for your answers! I figured out after through trial, error and reading that the security role had to be configured correctly to allow this functionality. However, I did modify the standard security role. I will correct this and do as @EricRegnier suggested by making a new security role for this purpose.

     

    Sincerely,

    Svenny

     

     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 739 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 343 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans