Power Automate Approval Action - Encountered a general permissions error

Issue description
============

Recently, the Create Approval action of a Power Automate flow in the production environment has occasionally failed with the error below. It is puzzling because the failure is intermittent: most runs succeed, and only some runs hit the error.

The following screenshot shows the error details.


Error Details

Encountered a general permissions error trying to access the Microsoft Dataverse database. This could be caused by modification of the approvals administrator or user roles, or by an incompatible plugin. Detailed message: 'The cache request to assign a role failed with status code 'Forbidden' and message: 'Message: VerifyCallerPrivileges failed. To avoid elevation of privileges calling user should have all required privileges.
Calling user (systemuserid=b749c8d5-fce0-ea11-a814-000d3a1029ac, UserBU=6f947eb2-cad9-ea11-a814-000d3a102a7f) attempted action='PreAssignUserRoleChecks' which elevates calling user privileges.
User doesn't have total role privileges count=20, user has 7010 privileges in user cache from 3 roles.
First 5 missed role privileges
PrivilegeName(PrivilegeId)/Depth/BusinessUnitId
prvWritemsdyn_salesocmessage(fe64666b-cb85-445b-80d1-025f5f76c1b1)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvDeletemsdyn_salesocmessage(ace0cb55-38a4-49c4-8c5f-03cde076cb2c)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvDeletemsdyn_transcript(09a7f2b8-93f4-45a2-ba30-109cad79f127)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvReadmsdyn_ChannelDefinition(58412566-7f07-457d-927e-339dcdc279a0)/Local/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvAppendmsdyn_salesocmessage(25a93e23-a2b0-49e1-bd64-3d552511771e)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103

Code: 0x80040220
InnerError: '.'

Investigation
=============

1. The message above hints that the issue is related to security roles. We checked the default security roles 'Approvals User' and 'Approvals Administrator' in the environment. They are managed components, but they carry an active solution layer, which means they were modified manually.

2. Changes to these security roles can affect the creation of approvals.

The "Approvals User" role contains a subset of the permissions in the "Approvals Administrator" role. If the "Approvals User" role is modified so that it contains a permission that is not in the "Approvals Administrator" role, the Approvals feature breaks: Dataverse refuses to let a caller assign a role that would grant privileges the caller itself does not hold (the 'VerifyCallerPrivileges failed' check in the error), so the service identity can no longer assign the Approvals User role to users when creating an approval, and the error above occurs.

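As an added illustration (not code from this post or from Microsoft), the check below models the subset rule behind the error: a role can only be assigned by a caller that already holds every privilege in that role, at the same or a deeper depth. It also parses the "missed role privileges" lines from the error details above. The role contents and the msdyn_flow_approval privilege names are constructed assumptions, not the real contents of the OOB roles.

```python
import re

# Privilege depths, shallowest to deepest. VerifyCallerPrivileges requires the caller
# to hold every privilege of the role being assigned, at least at that role's depth.
DEPTH_RANK = {"Basic": 0, "Local": 1, "Deep": 2, "Global": 3}

# One "missed role privilege" line: PrivilegeName(PrivilegeId)/Depth/BusinessUnitId
MISSED_LINE = re.compile(r"^(?P<name>prv\w+)\((?P<id>[0-9a-f-]{36})\)/"
                         r"(?P<depth>Basic|Local|Deep|Global)/(?P<bu>[0-9a-f-]{36})$")

# The privilege lines quoted in the error details above (sample input for the parser).
SAMPLE_ERROR = """First 5 missed role privileges
PrivilegeName(PrivilegeId)/Depth/BusinessUnitId
prvWritemsdyn_salesocmessage(fe64666b-cb85-445b-80d1-025f5f76c1b1)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvDeletemsdyn_salesocmessage(ace0cb55-38a4-49c4-8c5f-03cde076cb2c)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvDeletemsdyn_transcript(09a7f2b8-93f4-45a2-ba30-109cad79f127)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvReadmsdyn_ChannelDefinition(58412566-7f07-457d-927e-339dcdc279a0)/Local/b8cf9243-fdbf-ea11-a812-000d3a5a7103
prvAppendmsdyn_salesocmessage(25a93e23-a2b0-49e1-bd64-3d552511771e)/Basic/b8cf9243-fdbf-ea11-a812-000d3a5a7103
"""

def parse_missed_privileges(error_text):
    """Return the privileges the error lists as missing, as dicts with name/id/depth/bu."""
    return [m.groupdict() for line in error_text.splitlines()
            if (m := MISSED_LINE.match(line.strip()))]

def privileges_not_covered(user_role, admin_role):
    """Privileges in user_role ({name: depth}) that admin_role lacks or holds shallower.
    A non-empty result means an identity holding only admin_role cannot assign user_role."""
    gaps = {}
    for name, depth in user_role.items():
        admin_depth = admin_role.get(name)
        if admin_depth is None or DEPTH_RANK[admin_depth] < DEPTH_RANK[depth]:
            gaps[name] = (depth, admin_depth)
    return gaps

# Constructed, illustrative role contents; the real OOB privilege lists are not on the page.
APPROVALS_ADMIN = {"prvCreatemsdyn_flow_approval": "Global", "prvReadmsdyn_flow_approval": "Global"}
APPROVALS_USER_DEFAULT = {"prvCreatemsdyn_flow_approval": "Basic", "prvReadmsdyn_flow_approval": "Local"}
# The same role after a manual edit added two privileges the Administrator role lacks.
APPROVALS_USER_MODIFIED = dict(APPROVALS_USER_DEFAULT, prvWritemsdyn_salesocmessage="Basic",
                               prvDeletemsdyn_transcript="Basic")

if __name__ == "__main__":
    for p in parse_missed_privileges(SAMPLE_ERROR):
        print(f"missing: {p['name']} at depth {p['depth']}")
    print("default role gaps :", privileges_not_covered(APPROVALS_USER_DEFAULT, APPROVALS_ADMIN))
    print("modified role gaps:", privileges_not_covered(APPROVALS_USER_MODIFIED, APPROVALS_ADMIN))
```

Comparing the two roles this way before publishing a role change is a quick way to catch a privilege added to the User role that the Administrator role (and therefore the service identity) does not hold.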

Solution
========

1. Remove the active solution layer so that both roles revert to their defaults. After that, the Approval action works correctly again.


Conclusion
==========

The two OOB roles 'Approvals Administrator' and 'Approvals User' are the dedicated system roles for the flow approvals feature.

Please don’t modify these roles, to avoid conflicts with current and future product functionality.

The End
