
What security role permissions are necessary for a client app authenticated via S2S auth to fetch entity records using the ServiceClient?


I do not receive data when I attempt to fetch account records in a .NET 6 Console app connecting to Dataverse using Server-to-Server (S2S) authentication. If I put the Dataverse application-user (which is mapped to the AAD app registration) into the Basic User role, then no account records are returned, and no exception is thrown. However, if I put the Dataverse application-user into the System Administrator role, then the account records are returned. Presumably, a permission granted to the System Administrator role but absent from the Basic User role accounts for the discrepant behavior.

 

Since the Basic User role is granted user-level Create, Read, Write, etc. permissions on the Account entity, it is surprising (at least to this newbie) that no records are returned when the ServiceClient authenticated via S2S attempts to fetch them. Why are the records not returned? What other permissions are required beyond those granted in the Basic User role? I also encounter this same behavior if I create a dedicated security role for the application-user and grant it read permission on the account entity. Therefore, I conclude that some other permission is necessary to make this work. But which permission?

  • Guido Preite
    1,488 Super User 2024 Season 1

    Which exact exception did you receive?

  • CalvinDale
    15

    I didn't receive an exception. However, no data was returned.

  • CalvinDale
    15

    If I map the Dataverse application-user to the Basic User role and also to the Service Reader role, data can then be read from the Account entity and other entities. This approach does not restrict permissions to specified entities only. But it is substantially more restrictive than mapping the application-user to the System Administrator role.

  • Guido Preite
    1,488 Super User 2024 Season 1

    User level means that the user can do CRUD operations only on records he owns. Does this user, when it has the Basic User role, own records? Did you try to create a record and then read it?

  • CalvinDale
    15

    No, I didn't try creating a record and then subsequently reading it. However, that's not my use-case. And I have just barely experimented with the API. But if the permissions level on the entity is the root issue, then it's easily addressed by creating a dedicated security role having elevated permissions for the targeted entities and then mapping that security role to the application user. I'll run that experiment...eventually. But it's not a showstopper right now. Thanks for the feedback.

  • Fubar
    8,352 Super User 2025 Season 2

    If there is no exception and it works with System Administrator, then the role you are using does not have enough permissions to read the record(s) in question.

    Create your own Security Role and set permission to the Max full green circle, then start reducing them. As already suggested you probably have records that are owned by different users/teams, and the Security Role assigned to your user only has User level (one yellow quadrant in the permission) so cannot see the other records - also if a business unit structure has been implemented you may end up with all green or 3/4 green permissions to make it work.

  • CalvinDale
    15

    Indeed, I suspect that creating a dedicated security role for the S2S app user is the proper way to achieve my goal of minimizing the security risk exposure. My question is which permission(s) in particular is(are) needed to grant that app user read-only access to a particular table? The Basic User security role in combination with the Service Reader security role confers this permission. However, whereas I seek the minimum privilege set, that security role combination grants far more privileges than are strictly necessary to achieve the objective. And because there are so many possible permissions to specify when creating a security role, I am hoping to bypass doing the experiments necessary to figure this out, by simply asking if anyone else knows what permissions should be set.

  • Fubar
    8,352 Super User 2025 Season 2

    @CalvinDale can't give you a simple answer as you are after the minimum and it depends on what has been set up in the environment, e.g. has a Business Unit structure been implemented (usually this is done to achieve Separation and Segmentation of Data).
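
The access-level behaviour discussed in this thread, as an added example that is not part of any participant's post: a simplified Python model of how the depth of a table's Read privilege filters the rows a query returns, which is why a User-level read by an application user that owns no records comes back empty without an error. The user names, business-unit tree and account rows are constructed, and the model ignores record sharing and team ownership.

```python
from dataclasses import dataclass
from enum import IntEnum

class Depth(IntEnum):
    # Dataverse access levels, narrowest to widest (SDK PrivilegeDepth name first).
    USER = 1           # Basic: records the principal owns
    BUSINESS_UNIT = 2  # Local: records owned inside the principal's business unit
    PARENT_CHILD = 3   # Deep: own business unit plus its child business units
    ORGANIZATION = 4   # Global: every record in the environment

@dataclass(frozen=True)
class Record:
    name: str
    owner: str
    owner_bu: str

# Constructed sample data: business-unit tree (child -> parent) and account rows.
BU_PARENT = {"root": None, "sales": "root", "emea": "sales"}
ACCOUNTS = [
    Record("Contoso", "alice", "root"),
    Record("Fabrikam", "bob", "sales"),
    Record("Adatum", "carol", "emea"),
]

def in_subtree(bu, ancestor):
    """True when bu is ancestor itself or sits anywhere below it."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def visible(records, user, user_bu, read_depth):
    """Rows a read returns: rows outside the depth are filtered out, not reported."""
    def allowed(r):
        if read_depth == Depth.ORGANIZATION:
            return True
        if read_depth == Depth.PARENT_CHILD:
            return in_subtree(r.owner_bu, user_bu)
        if read_depth == Depth.BUSINESS_UNIT:
            return r.owner_bu == user_bu
        return r.owner == user  # Depth.USER
    return [r.name for r in records if allowed(r)]

def minimum_depth(records, user, user_bu, wanted):
    """Narrowest Read depth that exposes every wanted row, or None if none does."""
    for depth in Depth:  # iterates narrowest to widest
        if set(wanted) <= set(visible(records, user, user_bu, depth)):
            return depth
    return None
```

In this model the narrowest workable depth depends on which business unit the application user belongs to and who owns the target rows, so the same table can need a different setting in different environments.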
