Custom Environment Maker Role for Citizen Developers (Limiting Solution Access)

Hello,

I am wondering if anyone has experience effectively incorporating a role with Citizen Developer level access in Power Platform. My overall goal is to create a role in which Flows can be created, but solution management and migrations are entirely unavailable and instead managed by users with elevated privileges.

I initially started with the Environment Maker role, and found that it has the unintended impact of allowing users to access, modify, or even delete solutions and their contents. It seems custom tables can also be deleted.

From there, I created a custom role based on the Environment Maker role with Solution table access removed entirely. Now I receive the following message when trying to save basic Power Automate Flows: "You are not permitted to make flows in this 'xxxx Environment'. Please switch to the default environment, or to one of your own environment(s), where you have maker permissions." This makes me think that some level of Solution table access may be required for flow creation, even when the user is not intentionally working inside a Solution.

Thank you for any thoughts or ideas.
  • Kalyan Shetty
    Hi there,
     
    Your goal (“citizen developers can create flows but cannot manage/migrate solutions”) is possible, but not by removing Solution access entirely.
     
    1. Start with Environment Maker (or copy it).
    2. Restrict Solution privileges instead of removing them completely, then keep Read on Solution-related tables, remove Create/Write/Delete/Assign/Share where possible, especially avoid delete permissions on customization-related tables.
    3. Control deployment using: Separate environments (Dev → Test → Prod) -> Managed solutions only promoted by admins -> Deployment pipelines / release ownership.
    4. Use Environment security groups and DLP policies to limit what makers can do.
    5. Consider making makers work only in a dedicated development environment and prevent direct production access.
    Now creating the cloud flow again.
    If that works, you’ve identified the minimum dependency instead of granting full Environment Maker.
  • Suggested answer
    Pstork1 (Most Valuable Professional)
    I tested this and it appears to do what you want, but it doesn't change the UI the way I would prefer.
     
    1) I created a copy of the Environment Maker Role in a production environment
    2) I changed permissions in the copy for the Solution Table to remove Create and Delete permissions.
     
    When this role is given to a user they can add flows to an existing solution, but they can't Delete the solution or Import a new solution to that environment.  It doesn't prevent them from trying those actions, but will raise a permissions error when they try.  So it is effective.  They can still modify existing solutions, since they need that permission to add new flows to the solution.  They can also Export a solution since that only requires Read access to the solution.  But again they need that access to see the solutions to add things to them.

    ----------------------------------------------------------------------------------
    If this Post helped you, please click "Does this answer your question" and give it a like to help others in the community find the answer too!

    Paul Papanek Stork, MVP
    Blog: https://www.dontpapanic.com/blog
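
A check for the role change described in the answer above, as an added example that is not part of the original post: it compares a role's privileges on the Solution table against the stated intent (Create and Delete removed, Read and Write kept). The privilege names assume the `prv<Action><Table>` naming pattern and the three privilege lists are constructed samples, so verify both against your own environment's role definition.

```python
import re

# Intent taken from the answer above: on the Solution table the copied role
# loses Create and Delete, and keeps Read and Write.
POLICY = {"Create": False, "Delete": False, "Read": True, "Write": True}

# Assumption: privilege names follow the prv<Action><Table> pattern.
_PRIV = re.compile(r"^prv(Create|Read|Write|Delete)(\w+)$")

def actions_on(privilege_names, table):
    """Return the set of create/read/write/delete actions held on one table."""
    held = set()
    for name in privilege_names:
        m = _PRIV.match(name)
        # Exact table match, so a longer table name never counts as `table`.
        if m and m.group(2) == table:
            held.add(m.group(1))
    return held

def audit_role(privilege_names, table="Solution", policy=POLICY):
    """List deviations from the policy; an empty list means the role matches."""
    held = actions_on(privilege_names, table)
    findings = []
    for action, wanted in sorted(policy.items()):
        if wanted and action not in held:
            findings.append(f"missing {action} on {table}")
        elif not wanted and action in held:
            findings.append(f"unexpected {action} on {table}")
    return findings

# Constructed privilege lists (not exported from a real environment).
UNMODIFIED_COPY = ["prvCreateSolution", "prvReadSolution", "prvWriteSolution",
                   "prvDeleteSolution", "prvCreateWorkflow", "prvReadWorkflow"]
RESTRICTED_COPY = ["prvReadSolution", "prvWriteSolution",
                   "prvCreateWorkflow", "prvReadWorkflow"]
SOLUTION_REMOVED = ["prvCreateWorkflow", "prvReadWorkflow"]

if __name__ == "__main__":
    for label, privs in [("unmodified copy", UNMODIFIED_COPY),
                         ("restricted copy", RESTRICTED_COPY),
                         ("solution access removed", SOLUTION_REMOVED)]:
        print(label, "->", audit_role(privs) or "matches policy")
```

Running the same check after each role edit or environment copy shows whether the custom role has drifted back toward the stock Environment Maker privileges.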
     
     
  • Suggested answer
    11manish
    I would avoid removing Solution permissions entirely. Instead, provide Environment Maker access in a dedicated development environment and enforce ALM through administrators or a platform team.
     
    This aligns with Microsoft's recommended Power Platform governance model and is generally much easier to maintain than trying to build a highly customized "flow creator but no solution access" security role.
  • BW-26071642-0
    "1) I created a copy of the Environment Maker Role in a production environment
    2) I changed permissions in the copy for the Solution Table to remove Create and Delete permissions."
     
    Thank you for this suggestion. It does seem to prevent Solution modification as hoped, with the notable drawback of also preventing Flow creation in the Environment. I am wondering if you have found this to be the case as well?
     
    I receive the following message when attempting to save a new flow: "You are not permitted to make flows in this 'xxxx Environment'. Please switch to the default environment, or to one of your own environment(s), where you have maker permissions."
     
  • Pstork1 (Most Valuable Professional)
    Make sure the user has Basic User role as well.  When I removed Create and Delete from the Solution table the user was still able to create flows.  Something else is preventing you from making flows in that environment.  Removing create and delete from the solution table only keeps you from creating or deleting new Solutions, not flows.

     
