web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / What is the least priv...
Power Apps
Answered

What is the least privileged security role to access a model-driven app?

(0) ShareShare
ReportReport
Posted on by HiroakiSasaki 73

 

Hello,

 

I built a model-driven app and several custom security roles for it.

I referred to the docs page below and made sure that I did give the "Read" privilege for Model-Driven App and all customs entities I created for the app.

https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

 

But still a user given the custom security role cannot access the app.

I gave the "Create" and "Write" privileges for the custom security role just for a try, and then of course the user can access the app along with all the other apps on the environment, which is the condition I would like to avoid.

 

If one knows some possible reason I cannot realize what I want here, please share some of your knowledge.

To summarize what I need to achieve:

- prepare a custom security role with least privileges to access an model-driven app

- without giving accesses to other apps on the same environment

 

I have some possible causes in my mind as shown below, but still cannot prove anything about them.

- the least privilege condition has changed from the docs reference 

- Or I'm missing some necessary privileges to give

 

Thanks!

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @HiroakiSasaki,

    There are many other privileges required for a user to access and work with CDS. It's best to create custom security roles based on another out-of-the-box role. I usually use the role "Common Data Service User" as a base. You can follow this tip for more info: https://crmtipoftheday.com/1297/base-your-base-role-on-the-cds-user-role/

    Hope this helps! 

  • HiroakiSasaki Profile Picture
    HiroakiSasaki 73 on at

    Thank you for your comment! @EricRegnier 

     

    I gave user1 both of my custom security role and Common Data Service User,

    and still user1  cannot access the model-driven app.

    Is is still a valid solution to create custom security roles based on Common Data Service User?
    Or should I think other causes?

     

     

  • Verified answer
    EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Yep I would still create my custom role base on the CDS User role to reduce administration (assigning less roles to users).

    What error message (or screenshot if possible) is user1 getting? Is the model-driven app shared with a particular role? Here's how to check roles assigned to an app:

    1) App assigned a role: https://docs.microsoft.com/en-us/powerapps/maker/model-driven-apps/share-model-driven-app

    2) You can also check via the classic interface: 

    1. Navigate to your environment and append to the URL "main.aspx?forceClassic=1" (e.g. https://ericdxc.crm6.dynamics.com/main.aspx?forceClassic=1)
    2. Go to Settings --> My Apps
    3. Click on the ellipsis on the middle right of your app
      2020-04-07_20-50-31.png
    4. A right pane will open, expand Roles
      2020-04-07_20-52-05.png
  • HiroakiSasaki Profile Picture
    HiroakiSasaki 73 on at

     

    Alright, then I'll try to use CDS User role as a base.

     

    Btw, the error message is shown as below. (Though my browser and environment are set in English, I have the message in my language. Anyway, what the message says is what's written in yellow box.)

    HiroakiSasaki_0-1594625557744.png

     

     

    I tried to check the assigned role to the app, but I only found "Pin this app" , but not "Manage Roles" in the ellipsis. 

    HiroakiSasaki_1-1594625982838.png

     

     

     

    Sorry for many questions. I'm still new to CDS.
    Thank you very much for your advises!

     

  • Verified answer
    v-xida-msft Profile Picture
    v-xida-msft Microsoft Employee on at

    Hi @HiroakiSasaki ,

    Have you bind your custom Security Role to your Model-Driven app?

     

    Sharing a model-driven app involves two primary steps. First, associate a one or more security role(s) with the app then assign the security role(s) to users.

    Please make sure if you have associated your custom Security Role with your Model-Driven app already when you share your Model-Driven app.

     

    When you sharing your Model-Driven app, please firstly associate your Custom Security Role to your Model-Driven app as below:

    4.JPG

     

    5.JPG

     

    After that, choose the user you want to share your Model-Driven app with. If the chosen user has not been assigned to custom Security Role you set up, you could manage the Security roles for the chosen user as below:

    6.JPG

    Note: I think the privileges you set for your custom Security Role is correct

    Please consider take a try with above solution, check if the issue is solved.

     

    More details about new experience for sharing Model-Driven app, please check the following blog:

    https://powerapps.microsoft.com/en-us/blog/sharing-made-easy-for-model-driven-apps/

     

    Best regards,

  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    That warning message is shown when users navigate directly to CDS outside an app, usually in the classic interface. What apps do you see when you click the app selector? The message should be gone when you access pages (i.e. entities) within an app, so try to click an app, or create a custom model-driven app first and don't assign any security role

    2020-07-13_20-46-02.png

  • HiroakiSasaki Profile Picture
    HiroakiSasaki 73 on at

    @v-xida-msft , @EricRegnier 

     

    I didn't bind custom security roles with the app!

    After associating them, now user1 has the access to the app without problems.

     

    I think what Eric showed me in his last reply meant the same solution, but just the UI has changed or something maybe?

     

    I deeply appreciate your helps! Thank you so much.

    The custom security roles were correctly configured, but I'll try to use CDS users role as a base for the next time as well 🙂 

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the March Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
11manish Profile Picture

11manish 536

#2
WarrenBelz Profile Picture

WarrenBelz 426 Most Valuable Professional

#3
Haque Profile Picture

Haque 305

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans