Hi! Can anyone confirm that creating a custom Production environment with all users only having use rights (no Maker rights) is appropriate, and also can you indicate what the process is to achieve this? This would be in addition to Dev & Test environments with limited Maker access.
I'm struggling to get a straight answer to this elsewhere and I can't find answers in the documentation.
Thanks
Hi all!
Following a Christmas break, I'm still trying to pursue an understanding of custom environments.
As mentioned previously, I’m trying to create a custom Power Apps Production environment in which all of our staff can view and run apps from, yet they don’t have any maker rights to amend those apps. We additionally will have custom Test and Dev environments to support this.
I now believe that I have to create the custom environment without a Security group. It seems SGs can't be nested. Adding "Everyone" didn't work, but creating one without an SG added all tenancy users as "Enabled users" to the environment.
As they were subsequently all also members of the Team and "Business Unit", I thought that this would solve my problem. I then created a “min priv apps use” Role (as shown here: https://docs.microsoft.com/en-us/power-platform/admin/database-security) and assigned both this and the CDS user roles to the Team (I believe that only the first one should be necessary).
My Dynamics colleagues tell me that this is usual, as the Enabled Users inherit the roles from the Team they are a member of, even though this isn’t apparent on their individual records. However, when tested, I would then expect that all “Enabled Users” are able to see that custom environment listed in their Power Apps studio. This isn’t the case.
At the moment, I believe that I’ve tried every possible configuration. However, I’m not clear if:
a/ I’m trying to create an inappropriate environment configuration or
b/ I’m doing something wrong in the creation/set up
With regard to a/:
Can anyone confirm that this is a common approach and configuration?
If so, could you outline the steps to achieve this?
If you have other comments or suggestions, that would be great also
Thanks again all
Thanks again Sik
It's the "assign them a security role" bit that's a problem.
I ended up recreating the environment without a SG. This populated the "Enabled users" list with all of the users, who are also in one Team. I then added the "minimum security" role to the environment and assigned it to that team, however, this hasn't subsequently assigned any user roles to any of the Enabled Users, which is what I was expecting/hoping for.
The only thing that I can think of that I haven't tried is recreating the environment with the "Everyone" security group.
Any comments/further suggestions you have would be great. Thanks again!
Bill
I think you just need to enable all users to the business unit (environment), then assign them a security role that only assigns read permission to Canvas apps at User level. Then all users will be able to see all apps in the environment, and they can only run them.
Best regards,
Sik
Hi Sik
Thanks for taking the time to investigate and detail your findings
Yes that's exactly what I find also.
To describe my understanding:
My primary issue is that I am trying to create a "Production" environment where the users can view all of the apps (e.g. on their mobile) but not edit them. However, when I added "Everyone" to the linked Security Group, it didn't enable any users in the group, even those users who have a CDS licence for that environment. Adding them individually works, so I'm trying some smaller SGs to see if this does.
Do you know if nesting should work?
Perhaps there's some issue with our Everyone SG!
I still haven’t been able to identify where all of this is detailed but if anyone has any references, that would be great
Thanks again Sik
Whether or not the user is assigned to the environment, only if the app is shared with the user would the user be able to run it.
In my test,
1. I create a canvas app; the data source is a SharePoint list.
2. The user is a member of that SharePoint list, and is not enabled to the environment.
3. If I don't share the app with the user, and share the URL with him, it shows that the user doesn't have access to this app.
4. If I share the app with the user, then share the URL with him, he is able to run the app properly.
If this doesn't make sense to you, could you please share the detailed steps with screenshots, so that we can provide further assistance?
Best regards,
Sik
Thanks again Sik for the feedback
I've done some further testing, which shows that:
Only if the user is enabled to the environment, assigned a role having enough permission, and shared with the app can they run the app.
...doesn't appear to be the case. I have tried this with a couple of custom environments, where I can create a Canvas app and share it with anyone in the tenancy (enabled user or not and, where this is the case, consequently no role assigned in that environment).
That user can use the app. The app doesn't access CDS but does use data from the tenancy's SharePoint sites. The apps work fine for the user.
Obviously they can't make anything in the environment nor edit the apps but do appear to be able to use them!
Cheers
Bill
Hi @BillYoung-arm ,
I don't think so. If the user isn't assigned to the Enabled Users list of the environment, he will not be able to see the environment and will have no permission and access to the data and app.
Only if the user is enabled to the environment, assigned a role having enough permission, and shared with the app can they run the app.
I have tested on my side. Could you please check if the account signed in to the app has permission? Could you share more screenshots to detail your scenario?
Best regards,
Sik
Thanks again Sik for the detailed information.
Having looked into this further, I may, however, have misunderstood how things work in custom environments.
As I now understand this, users can’t view or create apps in a custom environment (with CDS) unless they are licensed for CDS, but can, however, view and use canvas apps created in those environments despite this. I tried this and was able to confirm that a user who was not listed in the “Enabled Users” list of the custom CDS environment could run an app from that environment via its web URL.
Presumably users just need to be on the same tenancy to use Canvas apps from any environment?
I had expected that users needed to be “enabled” for this to be possible and that, as they did not see the environment or subsequently the apps in that environment, these wouldn’t be available to them.
Is this correct?
Thanks Bill
Hi @BillYoung-arm ,
Sorry for my omissions.
If you want that, you should first create a new security role, and restrict the Create right of Canvas App.
Second, assign the security role to users. For more reference: Security roles and privileges
Then, users will have no permission to create apps.
Please note that only an admin can assign roles!
Best regards,
Sik
Hi Sik,
Thanks for the quick response.
I'm aware that this is the case in the Default environment, as that discussion says, but it doesn't appear to be so for custom environments.
Could you confirm, please?
Cheers
Bill