Dataverse Security Roles - Solution with SharePoint Canvas App

(0) Share

Report

Posted on by kbirstein

130

Hello,

I'm trying to figure out what security roles are required in a Dataverse environment when promoting a solution with a SharePoint data source (no Dataverse tables utilized) from a Sandbox environment to a Production environment. With one solution I promoted (consisting of a simple app, two SharePoint lists in two sites, a component and 2 simple Power Automate flows), users could not open the app until I added the Basic User and PowerAppsRPRole security roles. I struggled with this for a day or so before I found one reference somewhere (unfortunately I lost the link to the reference and now can't find it!) that said users needed these two roles when a solution was promoted.

However subsequent testing with other similar solutions do NOT require these security roles when I promote them to production. There is only one reference in all of Google that I could find regarding the PowerAppsRPRole--the System and Application Users page.

This page references two roles, PowerAppsRPRole and Flow-RP. It's interesting that my solution did not require the Flow-RP role even though I have flows in my solution. I am writing an article for LinkedIn on how to promote solutions with canvas apps and SharePoint and I'm blocked on publishing it because I can't figure out why some solutions require Basic User and PowerAppsRPRole and similar solutions do not. Any help would be greatly appreciated!

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (6)

Answers (1)

Linn Zaw Win 2,996 on at

Like (0)

Report

Is there any details with missing privilege name in the error message when the users cannot open the canvas app?

Was this reply helpful? Yes No
kbirstein 130 on at

Like (0)

Report

Unfortunately I don't have rights to another Production environment. I'll request another one and then test again to try to get the exact error message again. In any case, I'd really like to know under what circumstances the PowerAppsRPRole and Flow-RP roles are required. I've tested with other solutions using SharePoint and canvas apps and they don't require any security roles for users in the PROD environment. The description "to allow Power Apps/Power Automate to integrate with Dataverse" is very vague. I hate to write in my article "If users are getting an error when running you app, try adding Basic User and PowerAppsRPRole security roles to the user" (LOL!) so I'd really like to know when and why these roles are sometimes required!

Was this reply helpful? Yes No
Verified answer

Linn Zaw Win 2,996 on at

Like (0)

Report

PowerAppsRPRole might be specifically for the "# PowerAppsRPRole" application user which seems to be using the solution deployment of the Power Apps (canvas and model-driven apps) based on the privileges of that role. Since it is a role for an application user, I do not think it is the role to be assigned to the normal canvas app user.

Basic User security role contains Basic privileges for core entities of the Dataverse where the user can write, update, and delete records that they created or owned. I don't think that is the one that the canvas app users need it too (if there is no Dataverse tables utilized).

If that was really a security role-specific error, it should be replicable and the user should see the same error message when those roles are removed from that user. The fact that subsequent testing with other similar solutions do NOT require these security roles seems like it was due to one of the required privileged was fulfilled by adding those x2 roles but probably not the right roles.

I tried sharing a canvas app with no Dataverse datasource to the user with no role and I got this error message.

The request failed with error: '{"error":{"code":"0x80042f09","message":"TryGetMaxPrivilegeDepthForUserAcrossBusinessUnits: The user with id 1ed3dcab-0774-eb11-b1ab-000d3a6aa4e5 has not been assigned any roles. They need a role with the prvReadCanvasApp privilege."}}'. The correlation Id is '1630ee06-87bf-4b39-a155-8e0024560663'.

I believe it is because the app is promoted with a solution (solution aware app) and it exists in Dataverse Canvas App table. That is why the user needs the Read privilege for that table.

I created a new security role with User level Read privilege for the Canvas App table and after assigning that role to the user, the canvas app can be shared to the user.

I guess that is the security role with minimum privilege required for the user to be shared with solution-aware canvas app.

If you prefer to use one of the OOB roles, you can assign any of those with prvReadCanvasApp privilege but the user will have more privileges unnecessarily than they are supposed to have.

Was this reply helpful? Yes No
kbirstein 130 on at

Like (1)

Report

Thanks so much Linn for testing this out! There is absolutely no Microsoft documentation about what is necessary for canvas apps when no Dataverse tables are used but this error message is pretty clear. I think what a lot of people are doing is simply making all their users Environment Maker which is so wrong.

Was this reply helpful? Yes No
Linn Zaw Win 2,996 on at

Like (0)

Report

I agree. Microsoft should create a new predefined Canvas App Opener just like the "App Opener" role for the model-driven app.

Was this reply helpful? Yes No
kbirstein 130 on at

Like (0)

Report
Hi Linn and Forum Readers,

Just to be clear to anyone reading this post about the test solution that I built and the error I am getting, which was resolved by creating a custom security role that gives User the Read right to the Canvas App table, as Linn suggested (see Linn's screenshot above). Here's the exact contents of the solution I tested with.

Canvas Power app with one Form to create new items in a SharePoint list
Canvas App runs a Power Automate flow in the OnSuccess property of the form, passing the LastSubmit.ID
A Power Automate flow uses the Power Apps V2 trigger and does a SharePoint "Get Item" action with the ID and then sends an Outlook 365 email with information supplied by the "Get Item" action.
There are two Connection References, one for SharePoint and one for Outlook, created by the Power Automate flow
There are two Environment variables, created by the Power App, for the SharePoint site and the SharePoint list
That's all that's in the solution. The solution is shared with two people, the developer Owner and a User. In the DEV environment the User has no security roles and Owner is System Administrator.

The User can run the Power App just fine in the Sandbox DEV environment with NO security role. When the solution is promoted to the Production PROD environment (with the SharePoint site/list being changed to the SharePoint production site/list on Import), the Owner can run the solution fine but the User gets an error "Connection not configured for this service" in Power Apps. What is happening is that the user CAN create an item in the SharePoint list but the flow will not run. It doesn't fail, it simply does not run.

Granting the user the custom security role resolves this issue. So it seems the Outlook 365 connection is the problem since the SharePoint connection appears to be working. I don't get the "User has no role" error that Linn got but probably that is the underlying error underneath the "Connection not configured for this device" error (which if you Google it is a very generic error.) The weird thing is that no security role is necessary in a Sandbox environment but the user needs to have the Read right to the Canvas App table in a Production environment. So there is some difference between these two types of environments that is not documented. Microsoft, how about an explanation for this difference?

Cheers, Kathryn

Was this reply helpful? Yes No