As a Model-driven Power App designer, you might already be familiar with the Manage Roles option for associating security roles with a Model-driven App. You can do this from the apps page, https://<orgname>.crm.dynamics.com/apps, or from the "Manage security roles" drop-down in the Power Apps maker portal App Share dialog.
What could possibly be wrong when your App is not visible to a user even though his/her role is assigned to the App by either of the above steps? Well, if custom security roles were created from scratch and the user's roles don't include the Read privilege for Model-driven App, the user won't be able to see the App.
If a user has Read, Create, and Write privileges to the Model-driven App then they would have access to all Apps in the environment, even when they're not part of any role that has access to the App.
This requirement for the Read privilege, and the behavior with the Create and Write privileges, is documented here on the docs site.
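The visibility rules above can be modeled as a small audit. This is an added example, not code from the original post or from Microsoft. All role, user and app names are constructed sample data, the privilege names `prvReadAppModule`, `prvCreateAppModule` and `prvWriteAppModule` are assumed to be the Model-driven App privileges in your environment, and privilege access levels are ignored.

```python
# Added example: effective Model-driven App visibility per user.
# Role, user and app names below are constructed sample data.
APP_PRIVS = {"Read": "prvReadAppModule", "Create": "prvCreateAppModule",
             "Write": "prvWriteAppModule"}  # assumed privilege names

ROLE_PRIVILEGES = {  # role -> privileges it grants (constructed)
    "Sales Custom": {"prvReadAccount", "prvAssignAccount"},
    "App Reader": {"prvReadAppModule"},
    "App Maker": {"prvCreateAppModule", "prvWriteAppModule"},
}
APP_ROLES = {  # app -> roles associated through Manage Roles (constructed)
    "Sales Hub Lite": {"Sales Custom"},
    "Field Ops": {"App Reader"},
    "HR Cases": {"HR Agent"},
}
USER_ROLES = {  # user -> assigned roles (constructed)
    "alice": {"Sales Custom"},
    "bob": {"Sales Custom", "App Reader"},
    "carol": {"App Reader", "App Maker"},
}

def effective_privileges(roles):
    """Privileges are cumulative: union over every role the user holds."""
    privs = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def visible_apps(user):
    """Return (status, sorted app names) following the rules described above."""
    roles = USER_ROLES[user]
    privs = effective_privileges(roles)
    if APP_PRIVS["Read"] not in privs:
        return "no-read", []  # role association alone is not enough
    if all(p in privs for p in APP_PRIVS.values()):
        return "all-apps", sorted(APP_ROLES)  # role association is bypassed
    return "role-scoped", sorted(a for a, r in APP_ROLES.items() if r & roles)

def audit():
    """Flag users whose combined roles hide apps or expose every app."""
    return {u: visible_apps(u) for u in USER_ROLES}

if __name__ == "__main__":
    for user, (status, apps) in audit().items():
        print(f"{user:6} {status:12} {apps}")
```

Note that carol reaches the all-apps case only through the combination of two roles, which a per-role review would not catch.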
Minimum Privilege Security role
When you create a custom security role, a set of minimum privileges must be included in the role for the app to run. To make it easier than picking individual privileges, and to avoid missing important system privileges, Power Platform provides a solution that includes a security role with the required minimum privileges. Refer to this docs site, which has the solution download link.
When you import the MinprivilegeSecRole_1_0_0_0 solution, it creates the min prv apps use security role in the target environment. You can use the copy role functionality to take this min prv apps use role as a base for building your own custom security role. This helps you avoid missing important system privileges.
Troubleshooting missing Privileges:
In some scenarios, missing user privileges surface in the application as an “Access Is Denied” error, as in the example below. Those of you who have worked on Dynamics for a while might miss the download log file option.
You can quickly find the missing privilege in the response to the HTTP request for the operation. This technique requires basic knowledge of a web traffic debugger such as Fiddler or the browser developer tools (F12). Once the browser dev tools load, click Network, then look at the Response body in the right pane. The response body contains the error and the name of the missing privilege.
For example, a user tries to assign a record for which they don’t have the assign privilege.
You can see a few sample screenshots of such errors:
Hope this helps!