Hello,
I'm trying to figure out what security roles are required in a Dataverse environment when promoting a solution with a SharePoint data source (no Dataverse tables utilized) from a Sandbox environment to a Production environment. With one solution I promoted (consisting of a simple app, two SharePoint lists in two sites, a component and 2 simple Power Automate flows), users could not open the app until I added the Basic User and PowerAppsRPRole security roles. I struggled with this for a day or so before I found one reference somewhere (unfortunately I lost the link to the reference and now can't find it!) that said users needed these two roles when a solution was promoted.
However, subsequent testing with other similar solutions does NOT require these security roles when I promote them to production. There is only one reference in all of Google that I could find regarding the PowerAppsRPRole--the System and Application Users page.
This page references two roles, PowerAppsRPRole and Flow-RP. It's interesting that my solution did not require the Flow-RP role even though I have flows in my solution. I am writing an article for LinkedIn on how to promote solutions with canvas apps and SharePoint and I'm blocked on publishing it because I can't figure out why some solutions require Basic User and PowerAppsRPRole and similar solutions do not. Any help would be greatly appreciated!
Hi Linn and Forum Readers,
Just to be clear to anyone reading this post about the test solution that I built and the error I am getting, which was resolved by creating a custom security role that gives User the Read right to the Canvas App table, as Linn suggested (see Linn's screenshot above). Here's the exact contents of the solution I tested with.
That's all that's in the solution. The solution is shared with two people, the developer Owner and a User. In the DEV environment the User has no security roles and Owner is System Administrator.
The User can run the Power App just fine in the Sandbox DEV environment with NO security role. When the solution is promoted to the Production PROD environment (with the SharePoint site/list being changed to the SharePoint production site/list on Import), the Owner can run the solution fine but the User gets an error "Connection not configured for this service" in Power Apps. What is happening is that the user CAN create an item in the SharePoint list but the flow will not run. It doesn't fail, it simply does not run.
Granting the user the custom security role resolves this issue. So it seems the Outlook 365 connection is the problem since the SharePoint connection appears to be working. I don't get the "User has no role" error that Linn got but probably that is the underlying error underneath the "Connection not configured for this device" error (which if you Google it is a very generic error.) The weird thing is that no security role is necessary in a Sandbox environment but the user needs to have the Read right to the Canvas App table in a Production environment. So there is some difference between these two types of environments that is not documented. Microsoft, how about an explanation for this difference?
Cheers, Kathryn
I agree. Microsoft should create a new predefined Canvas App Opener just like the "App Opener" role for the model-driven app.
Thanks so much Linn for testing this out! There is absolutely no Microsoft documentation about what is necessary for canvas apps when no Dataverse tables are used but this error message is pretty clear. I think what a lot of people are doing is simply making all their users Environment Maker which is so wrong.
PowerAppsRPRole might be specifically for the "# PowerAppsRPRole" application user which seems to be using the solution deployment of the Power Apps (canvas and model-driven apps) based on the privileges of that role. Since it is a role for an application user, I do not think it is the role to be assigned to the normal canvas app user.
The Basic User security role contains Basic privileges for core entities of the Dataverse where the user can write, update, and delete records that they created or owned. I don't think that is the one that the canvas app users need either (if there are no Dataverse tables utilized).
If that was really a security role-specific error, it should be replicable and the user should see the same error message when those roles are removed from that user. The fact that subsequent testing with other similar solutions does NOT require these security roles seems like it was because one of the required privileges was fulfilled by adding those two roles, but probably not the right roles.
I tried sharing a canvas app with no Dataverse datasource to the user with no role and I got this error message.
The request failed with error: '{"error":{"code":"0x80042f09","message":"TryGetMaxPrivilegeDepthForUserAcrossBusinessUnits: The user with id 1ed3dcab-0774-eb11-b1ab-000d3a6aa4e5 has not been assigned any roles. They need a role with the prvReadCanvasApp privilege."}}'. The correlation Id is '1630ee06-87bf-4b39-a155-8e0024560663'.
I believe it is because the app is promoted with a solution (solution aware app) and it exists in Dataverse Canvas App table. That is why the user needs the Read privilege for that table.
I created a new security role with User level Read privilege for the Canvas App table and after assigning that role to the user, the canvas app can be shared to the user.
I guess that is the security role with minimum privilege required for the user to be shared with solution-aware canvas app.
If you prefer to use one of the OOB roles, you can assign any of those with prvReadCanvasApp privilege but the user will have more privileges unnecessarily than they are supposed to have.
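Added example, not part of any post in this thread: a small Python triage helper that pulls the missing privilege out of the error string quoted above and ranks candidate roles by how many extra privileges each would grant beyond it. The `ROLES` mapping is constructed sample data standing in for an export of your environment's roles; it does not describe the real contents of any out-of-the-box role.

```python
import json
import re

# Error text as quoted in the post above.
ERROR_TEXT = (
    "The request failed with error: '{\"error\":{\"code\":\"0x80042f09\","
    "\"message\":\"TryGetMaxPrivilegeDepthForUserAcrossBusinessUnits: The user with id "
    "1ed3dcab-0774-eb11-b1ab-000d3a6aa4e5 has not been assigned any roles. "
    "They need a role with the prvReadCanvasApp privilege.\"}}'. "
    "The correlation Id is '1630ee06-87bf-4b39-a155-8e0024560663'."
)

# Constructed sample (role name -> privilege names); not real role contents.
ROLES = {
    "Canvas App Reader (custom)": {"prvReadCanvasApp"},
    "Broad Role A (constructed)": {"prvReadCanvasApp", "prvCreateAccount",
                                   "prvWriteAccount", "prvDeleteAccount"},
    "Broad Role B (constructed)": {"prvCreateAccount", "prvReadAccount"},
}

def parse_error(text):
    """Extract error code, user id and missing privilege from the error string."""
    m = re.search(r"error: '(\{.*\})'", text, re.S)
    if not m:
        raise ValueError("no embedded JSON error payload found")
    err = json.loads(m.group(1))["error"]
    msg = err["message"]
    user = re.search(r"user with id ([0-9a-fA-F-]{36})", msg)
    priv = re.search(r"\b(prv\w+) privilege", msg)
    return {
        "code": err["code"],
        "user_id": user.group(1) if user else None,
        "missing_privilege": priv.group(1) if priv else None,
    }

def rank_roles(roles, privilege):
    """Roles granting `privilege`, fewest surplus privileges first."""
    hits = [(len(p - {privilege}), name) for name, p in roles.items() if privilege in p]
    return [(name, extra) for extra, name in sorted(hits)]

if __name__ == "__main__":
    info = parse_error(ERROR_TEXT)
    print(info)
    for name, extra in rank_roles(ROLES, info["missing_privilege"]):
        print(f"{name}: {extra} surplus privilege(s)")
```

A role with zero surplus privileges corresponds to the single-privilege custom role described in the post; any role listed with a higher count would also clear the error but grants more than the user needs.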
Unfortunately I don't have rights to another Production environment. I'll request another one and then test again to try to get the exact error message again. In any case, I'd really like to know under what circumstances the PowerAppsRPRole and Flow-RP roles are required. I've tested with other solutions using SharePoint and canvas apps and they don't require any security roles for users in the PROD environment. The description "to allow Power Apps/Power Automate to integrate with Dataverse" is very vague. I hate to write in my article "If users are getting an error when running your app, try adding Basic User and PowerAppsRPRole security roles to the user" (LOL!) so I'd really like to know when and why these roles are sometimes required!
Are there any details with the missing privilege name in the error message when the users cannot open the canvas app?