What Dataverse Role(s) are Necessary for SharePoint Canvas App Solution?

(0) Share

Report

Posted on by kbirstein

140

Hi All,

I'm wondering if any one has a definite answer about what roles, if any, are required when creating a solution which contains only a canvas app utilizing SharePoint as a data source and simple flows that only send emails. The only other connector used is the Office 365 Users. This is an extremely common scenario for canvas apps so I'd like to have a standard answer.

In my experience the answer can be:

1. No role is required (I have often found this to be the case)

2. Only Basic User is required (seems to make sense but is it really required?)

3. Basic User and PowerAppsRPRole (had one similar simple solution that seemed to require this)

4. Just give everyone System Administrator role and don't worry about it.

Yesterday I was UAT testing a simple solution with just a SharePoint canvas app and simple emails and one person was getting an error about needing the "prvReadWorkflow privilege" and no one else was getting it. There were 7 people in the UAT session and all were clicking buttons that ran the simple flows that send out emails. No one had any role in the Dataverse and 6 of the UAT testers had no problem using the app or running the workflows, so big mystery!

Any answers greatly appreciated!

Kathryn

Categories:

Building Power Apps

I have the same question (0)

All responses (7)

Answers (0)

Sort by

AhmedSalih 6,680 Moderator on at

Like (0)

Report
Copy link

Link copied!

Hello, @kbirstein, first why you need Dataverse security roles, and you are not using Dataverse? DV security roles only apply to Dataverse and applications: Canvas or Model-Driven apps that are using Dataverse as Datasource. For your app access, you can use AAD M365 groups or AAD Security groups to share the app and set the proper permissions in SharePoint as needed.

So basicly make sure you have AAD groups and all the app end-users are members of the group then share the app with the group. This same group can be given access to your SharePoint lists.

If my reply helped you, please give a 👍 If it solved your issue, please give a 👍 & accept it as the Solution to help other community members find it more.

Visit my Blog: ahmedsalih.blog

Visit my YouTube Channel: https://www.youtube.com/@powerplatformplace/videos

Was this reply helpful? Yes No
kbirstein 140 on at

Like (0)

Report
Copy link

Link copied!

Hi Ahmed,

I agree with you. No roles should be necessary because when you use SharePoint as a data source, you are not using any Dataverse tables. The solution uses Dataverse to store some metadata but the Power App doesn't use any Dataverse. However, I recently had a problem where one user got an error saying he needed a role with the "prvReadWorkflow" privilege. However, only ONE user got this error. Other users of the app did the same actions as this user and they don't get the error. So it's a mystery.

I looked for this privilege in "Basic User" and "PowerAppRPRole" roles but it doesn't exist for either of those roles. Then I looked at "System Administrator" and that role has the "prvWorkflowExecution" privilege but not a "prvReadWorkflow" privilege, but I'm assuming "prvReadWorkflow" must be a sub privilege of "prvWorkflowExecution" but isn't explicitly stated. So I'll try to give the user getting the error the "System Administrator" role and see if it clears up the error for him. And I'll post the result here. Unfortunately, it's just really hard to get time with this user so it may be a while before I can test.

Was this reply helpful? Yes No
realwillwright 772 Moderator on at

Like (0)

Report
Copy link

Link copied!

Hi @kbirstein

I was in the same situation as you, it was working fine for me as the sys admin but other users, using the Flow in a RunAs scenario it was failing with that issue. I ended up having to create a custom 'Security Role' based on 'Basic User', but allowed them to read all Flows. I added Read All to the Processes table

-------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Was this reply helpful? Yes No
kbirstein2 6 on at

Like (0)

Report
Copy link

Link copied!

Hi @realwillwright
So 'd like to replicate what you did with your custom role because I have another app with a RunAs flow, When I create a new security role in Dataverse I see a "Process" table under the "Customization" section, with "Organization" under the "Read" and "Append to" rights and "User" for the other rights. Is this the table that you added to your custom role? And did you keep the assignments for the rights at their default level?

Was this reply helpful? Yes No
kbirstein2 6 on at

Like (0)

Report
Copy link

Link copied!

This forum post discusses the problem I've had where one person can't run a flow in a SharePoint canvas app and others can with no problem. Note that one person says the issue is rights but several people say the solution is to refresh the flows and republish OR removing the flows from the solution and adding them back again. I think the best solution would be for Microsoft to simply tell us whether special Dataverse rights are needed for SharePoint data source in solutions with flows OR admit that solutions are really buggy (which in my experience they are) and publish fixes so we don't to go through this endless troubleshooting!

Was this reply helpful? Yes No
realwillwright 772 Moderator on at

Like (0)

Report
Copy link

Link copied!

Hi @kbirstein2

I added the organisation level to read rights of the table, before I updated it read rights was set to user only.

Was this reply helpful? Yes No
kbirstein2 6 on at

Like (0)

Report
Copy link

Link copied!

I see, I'll try that. . .

Was this reply helpful? Yes No