Answered

Developer User Pipeline Deployment Fails with Permission Error

(0) Share

Report

Posted on by NickTT

248

The developer has Environment Maker Role assigned in the DEV and TEST environments. The Deployment Pipeline was shared out with them and they have Pipeline User role in the Orchestrator Environment. When they try and deploy a new solution that has environment variables to a new environment they get the following error.

Failure details
Principal with id f0772446-20a0-ee11-be37-000d3a5a8baa does not have WriteAccess right(s) for record with id 3ce10b7e-0110-4230-bdcc-aaf77125c07c of entity environmentvariabledefinition. Details: {"CallerPrincipal":{"PrincipalId":"f0772446-20a0-ee11-be37-000d3a5a8baa","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"cf0fca4d-d19b-ee11-be37-6045bd081aaa","Type":8,"IsUserPrincipal":true},"ObjectId":"3ce10b7e-0110-4230-bdcc-aaf77125c07c","ObjectTypeCode":380,"EntityName":"environmentvariabledefinition","ObjectBusinessUnitId":"9a07ca4d-d19b-ee11-be37-6045bd081aaa","RightsToCheck":"WriteAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["BasicMinimumPrivilegeDepthRequired = None","EntityUserGroupRights = None","LocalMinimumPrivilegeDepthRequiredRights = WriteAccess","SecLib::AccessCheckEx2 failed. Owner Data: User principal cf0fca4d-d19b-ee11-be37-6045bd081aaa is not loaded in UserDataCache yet; Principal Data: roleCount=1, privilegeCount=891, accessMode='0 Read-Write', AADObjectId='42c06e7a-f452-42e7-8a00-1c66cdb8ad54', MetadataCachePrivilegesCount=4705, businessUnitId=9a07ca4d-d19b-ee11-be37-6045bd081aaa"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}
See less

Categories:

Governance & administering

I have the same question (0)

All responses (2)

Answers (1)

Sort by

Verified answer

AlbertoCastro 1,201 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

Hi,

environment maker role doesn't allow customize dataverse, for example, work with solutions, components deployed by pipelines.
Users needs at least System Customizer role to work with solutions and pipelines.

Was this reply helpful? Yes No
NickTT 248 on at

Like (0)

Report
Copy link

Link copied!

I just got off the call with Microsoft and came to the same conclusion. Once I gave the Dev Team System Customizer role the deployment worked fine.

Just wish their documentation was a bit clearer as this one is tell me that they already have the access needed.
https://learn.microsoft.com/en-us/power-apps/maker/data-platform/EnvironmentVariables#security

What is odd too is that she was able to create environment variables for her project in Dev without any issue. However, solution also had an environment variable that I created\owned associated to the solution. So I suspect too that since she wasn't the owner of that variable, it wouldn't let her update it. If you look at the permissions for the Environment Maker role the account only has "USER" permissions to the definition table. Where System Customizer has "Organization".

Was this reply helpful? Yes No