Model-driven Power Apps and Permission issues

As a Model-driven Power App designer, you might already be familiar with the Manage Roles option for associating security roles with a Model-driven App. You can do this from the apps page, https://<orgname>.crm.dynamics.com/apps, or from the "Manage security roles" drop-down in the App share dialog of the Power Apps maker portal.

1348.ModelDrivenapppermission0.jpg

What could possibly be wrong when your App is not visible to a user even though his/her role is assigned to the App by either of the above steps? Well, if custom security roles were created from scratch and the user's roles don't include the Read privilege for Model-driven App, the user won't be able to see the App.

If a user has Read, Create, and Write privileges to the Model-driven App then they would have access to all Apps in the environment, even when they're not part of any role that has access to the App.

This requirement for the Read privilege, and the behavior with the Create and Write privileges, is documented here on the docs site.

Minimum Privilege Security role

When you create a custom security role, a set of minimum privileges must be included in the security role for the app to run. To make it easier than picking individual privileges, and to avoid missing important system privileges, Power Platform provides a solution that includes a security role with the required minimum privileges. Refer to the docs site, which has the solution download link.

When you import the MinprivilegeSecRole_1_0_0_0 solution, it creates the min prv apps use security role in the target environment. You can use the copy role functionality to take this role as a base for building your own custom security role. This helps you avoid missing important system privileges.

Troubleshooting missing Privileges:

In some scenarios, missing user privileges surface in the application as an “Access Is Denied” error, as in the example below. Those of you who have worked on Dynamics for a while might miss the download log file option.

4667.ModelDrivenapppermission_2D00_2.jpg

You can quickly find the missing privilege in the response to the HTTP request for the operation. This technique requires basic knowledge of a web traffic debugger such as Fiddler or the browser developer tools (F12). Once the browser dev tools load, click Network and open the Response body in the right pane. The response body contains the error and the missing privilege name.

For example, a user trying to assign a record for which they don’t have the assign privilege.

You can see a few sample screenshots of such errors:

 4721.ModelDrivenapppermission1.jpg

6052.ModelDrivenapppermission3.jpg
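The same lookup can be run over a HAR file saved from the browser's Network tab instead of clicking through each failed request. The Python below is an added example, not part of the original post: the sample HAR, org URL and error text are constructed, and matching names on the `prv` prefix is an assumption about how the privilege appears in the response body.

```python
import base64
import json
import re

# Assumption: the missing privilege shows up as a token starting with "prv".
PRIVILEGE_RE = re.compile(r"\bprv[A-Za-z0-9_]+\b")

def body_text(content):
    """Return a HAR response body as text, decoding base64 bodies."""
    text = content.get("text") or ""
    if content.get("encoding") == "base64":
        text = base64.b64decode(text).decode("utf-8", errors="replace")
    return text

def error_message(body):
    """Use error.message from a JSON error body, else the raw body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body
    err = doc.get("error") if isinstance(doc, dict) else None
    return str(err.get("message", body)) if isinstance(err, dict) else body

def missing_privileges(har):
    """List (method, url, status, privilege) for failed requests only."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        resp = entry.get("response", {})
        status = resp.get("status", 0)
        if status < 400:          # successful calls may mention privileges too
            continue
        req = entry.get("request", {})
        msg = error_message(body_text(resp.get("content", {})))
        for prv in sorted(set(PRIVILEGE_RE.findall(msg))):
            findings.append((req.get("method"), req.get("url"), status, prv))
    return findings

def _err(msg):  # helper for the constructed sample below
    return json.dumps({"error": {"code": "0x0", "message": msg}})

BASE = "https://orgname.crm.dynamics.com/api/data/v9.2/"   # constructed URL
SAMPLE_HAR = {"log": {"entries": [                        # constructed sample
    {"request": {"method": "GET", "url": BASE + "privileges"},
     "response": {"status": 200, "content": {"text": '{"name":"prvReadAccount"}'}}},
    {"request": {"method": "PATCH", "url": BASE + "accounts(1)"},
     "response": {"status": 403, "content": {
         "text": _err("User is missing prvAssignAccount privilege")}}},
    {"request": {"method": "GET", "url": BASE + "appmodules"},
     "response": {"status": 403, "content": {"encoding": "base64",
         "text": base64.b64encode(
             _err("User is missing prvReadAppModule privilege").encode()).decode()}}},
]}}

if __name__ == "__main__":
    for row in missing_privileges(SAMPLE_HAR):
        print(*row)
```

To run it against a real capture, load the exported file with `json.load` and pass the result to `missing_privileges`.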

Hope this helps!

Bhavesh Shastri
