Need help with troubleshooting an issue with a Canvas App in a Sandbox environment.

(0) Share

Report

Posted on by SC-Ryan

I have what I think is a permission-related issue. Here is how our environment is set up:

GCC
An auto-provisioned developer environment.
- Dev01 is my developer environment. And, I have System Administrator permission.
- Sysadmin01 is a Power Platform administrator and also has System Administrator permission in Dev01.
- I have an Unmanaged Solution shared with users User01 and User02. Both have User permissions only to the Canvas App within the Solution.
- About the Solution:
  - It is Unmanaged.
  - The Solution contains a Canvas App that connects to a couple of SharePoint lists as data sources. About the Canvas app:
    - It has a cloud flow that retrieves a list of employees from an MS Teams channel of a department. Everyone within the department has access to this MS Teams channel.
    - Within the app, the flow-generated list of employees is combined with data from SharePoint lists to display different information across multiple app screens.
    - User01 and User02 can play the Canvas App during development and view the data it displays.
Sysadmin01 created a sandbox environment named Sandbox01.
- Sandbox01 is a managed environment and was created with a Security Group named SG01-OnPrem-AD.
  - SG01-OnPrem-AD includes my account and five other users, including User01 and User02.
- Sandbox01 has a custom Team group, and SG01-OnPrem-AD is a member. This custom Team group has Basic User permission.
- Sysadmin01 has System Administrator permission in Sandbox01.
Sysadmin01 exported the Solution from my developer environment as a Managed Solution in a zip file and imported it into Sandbox01.
- Sysadmin01 can open the Canvas App and see the data it's supposed to display without issue.
- Sysadmin01 shared the Canvas App with SG01-OnPrem-AD, granting User permissions.
At this point, User01, User02, and I can play the app from Sandbox01 but cannot access data within it, except for one screen that displays information directly from the SharePoint lists. The screens that are supposed to display information based on a combination of data from the list of employees that the cloud flow is supposed to retrieve and data from the SharePoint list are not displaying any information.
Sysadmin01 and I have recorded trace events from myself, User01, and User02 while using the Canvas App from Sandbox01, but the trace logs do not show output that we thought we were going to see because, in most of the logs, they displayed that the cloud flow ran and the app connected to the data sources without an issue.

What I am having trouble understanding is why the Canvas app runs just fine for User01 and User02, who only have User sharing permission to the app without a Direct Permission to my developer environment.
Given the environment setup I have explained above, does anyone know where the issue could be coming from? Or is there another way for Sysadmin01 and me to troubleshoot this issue besides using the app trace event outputs?

Thank you in advance for your assistance.

Categories:

Building Power Apps

GCC, GCCH, DoD - Federal App Makers (FAM)

Governance & administering

General topics

I have the same question (0)

All responses (5)

Answers (0)

Suggested answer

WarrenBelz 154,393 Most Valuable Professional on at

Like (0)

Report
Copy link

Link copied!

Hi @SC-Ryan,

The first thing to check is any Run only users permissions in your Flows - they do not always migrate when deployed in a different environment.

Please ✅ Does this answer your question if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider answering Yes to Was this reply helpful? or give it a Like ♥
Visit my blog Practical Power Apps LinkedIn

Was this reply helpful? Yes No
SC-Ryan 4 on at

Like (0)

Report
Copy link

Link copied!

Warren, thanks for responding to my post.

Our sysadmin and I have deleted and re‑imported the solution several times, and we believe the “Run only users” settings are being carried over during the import. As a result, our test users are receiving a prompt to sign in as themselves before they can run the Canvas app.

After digging a bit deeper, we found that we’re unable to share the cloud flow within the solution with users, including our testers, because of this error:

“Sharing with this AAD user failed because auto‑creation of the user failed. Please manually create user in Dataverse and try again.”

I’ve been looking up how to manually create a user in Dataverse but haven’t found clear instructions yet. Do you happen to know how to do this, or have a link to a post that explains the process? We're using GCC and instructions may be different.

Thanks again for your help!

Ryan

Was this reply helpful? Yes No
WarrenBelz 154,393 Most Valuable Professional on at

Like (0)

Report
Copy link

Link copied!

Hi @SC-Ryan,

I did not receive a notification on this as you did not tag me- I only just saw it.

Forgetting about the Solution for the moment, does the Table in the target environment have a Security Role that includes the User in the environment, or are you saying the user is not in the Environment ? You should be able to see both Users and Security Roles in the Environment details.

Was this reply helpful? Yes No
Suggested answer

SC-Ryan 4 on at

Like (0)

Report
Copy link

Link copied!
@WarrenBelz,

We were able to figure this out after a lot of trial-and-error and testing different combinations of security roles. We more or less guessed our way through it, but the outcome seems to work.

Here’s what we did:

We found that the following tables required their Read permission set to either Organization or Business Unit:

Process (workflow)

Custom Control Extended Settings (msdyn_customcontrolextendedsettings)

Solution (solution)

Publisher (publisher)

We copied the Basic User security role, renamed it Custom Basic User Security Role, and added the permissions for those tables.

We then created a custom Team and assigned the Custom Basic User Security Role to that team.

The custom Team has an Active Directory Security Group as a member.

We shared the Canvas App from Solution to the Active Directory Security Group.

So far, every time someone from the Active Directory Security Group plays the app, that person is automatically added as a user in Sandbox01. And the Custom Basic User Security Role is applied to that user through the custom Team.

We’re still testing to see whether we can remove permissions for the Solution and Publisher tables, but so far, the setup above is functioning as expected.

Custom Basic User...

Was this reply helpful? Yes No
WarrenBelz 154,393 Most Valuable Professional on at

Like (0)

Report
Copy link

Link copied!

@SC-Ryan,

Glad that you got it working

Was this reply helpful? Yes No