web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Issues with security g...
Power Apps
Answered

Issues with security group based access to PowerApp based on a custom common data service entity

(0) ShareShare
ReportReport
Posted on by 153

Hello

 

I have created a PowerApp: Nice_App and a custom entity: Nice_Entity. I also have a security group: Group_A, and I am trying to use the standard common data service user (CDSU) role in this scenario. The common data service user role has been given the appropriate rights to App_Entity.

 

When the app was completed, I shared it through the make.powerapps.com interface. I entered the Group_A as the user, and was prompted to assign a security role for Group_A. I chose the CDSU role.

 

The users access the app, but cannot view, create or in any way interact with the data in Nice_Entity. Group_A appears under the CDSU role in the admin center. 

 

Somehow, it appears that the users within Group_A does not inherit the CDSU role.

 

When the users are assigned to the app and role individually it works as expected. However, adding and maintaning hundreds of users manually for each app is not an attractive option.

 

Any ideas on where I could be making a mistake?

I have the same question (0)
  • Verified answer
    EricRegnier Profile Picture
    8,720 Most Valuable Professional on at

    Hi @Svenny,

    If I understand correctly, assigning the security role individual works but not via a team/group? Is your security group Group_A an O365 (AAD) group that you have synced with CDS by these steps: https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#create-a-group-team? Or are you using CDS teams? Also have you configured properly the Team member's privilege inheritance?

    Roles assigned to a team does not directly mean the user directly inherits of those privileges. Only that the user can act-on-behalf of the team for records assigned to the Team. For instance, say the team has a role assigned with basic level read to an entity. A user can only view records assign to the team and would not be able to view even records assign to him/her. If the role was directly assigned to the user then they would be able to view their records.

     

    Also, suggest not to modify the out-of-the-box CDS user role, instead create a custom role based on that role (copy) and apply your changes to the custom role: https://crmtipoftheday.com/1297/base-your-base-role-on-the-cds-user-role/

     

    Here's a nice video summarizing CDS security model: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/td-p/615512

    Hope this clarifies...

     

  • v-xida-msft Profile Picture
    on at

    Hi @Svenny ,

    Could you please share more details about privileges set for the CDSU role in your CDS Environment?

    Could you please show more details about the Group_A? Is it a Security Group or Office 365 Group?

     

    If the Group_A is a Security Group, you could assign a Security Role to this Security Group. And each members of this group would inherit role permission from this Security Group. Currently, you could not assign a Security Role to a Office 365 Group.

    Please check the following article for more details:

    https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#common-data-service

     

    Also please make sure you have created a Team record for your Security Group in your CDS Environment:

    3.JPG

     

    2.JPG

     

    Please check the following article for more details:

    https://docs.microsoft.com/en-us/power-platform/admin/manage-teams

     

    Regards,

  • Svenny Profile Picture
    153 on at

    @v-xida-msft 

    @EricRegnier 

     

    Thank you both so much for your answers! I figured out after through trial, error and reading that the security role had to be configured correctly to allow this functionality. However, I did modify the standard security role. I will correct this and do as @EricRegnier suggested by making a new security role for this purpose.

     

    Sincerely,

    Svenny

     

     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 739 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 343 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard