Configure user security in an environment

You can create security roles and then assign those roles (new or existing) to users whether or not they use Dataverse.

Prerequisites

When you create a custom security role, the role must have a set of minimum privileges for a user to run an app. Learn more about required minimum privileges.

Create, edit, or copy a security role

You can easily create, edit, or copy a security role and customize it to meet your needs.

  1. Go to the Power Platform admin center.

  2. Select Environments in the navigation pane, and then select an environment.

  3. Select Settings.

  4. Expand Users + Permissions.

  5. Select Security roles.

  6. Complete the appropriate task:

Create a security role

  1. Select New role from the command bar.

  2. In the Role Name field, enter a name for the new role.

  3. In the Business unit field, select the business unit the role belongs to.

  4. Select whether team members should inherit the role.

    If this setting is enabled and the role is assigned to a team, all team members inherit all privileges associated with the role.

  5. Select Save.

  6. Define the privileges and properties of the security role.

Edit a security role

Either select the role name or select the row and then select Edit. Then define the privileges and properties of the security role.

Some predefined security roles can't be edited. If you try to edit these roles, the Save and Save + Close buttons aren't available.

Copy a security role

Select the security role and then select Copy. Give the role a new name. Edit the security role as needed.

Only the privileges are copied, not any assigned members and teams.

Audit security roles

Audit security roles to better understand changes made to security in your Power Platform environment.

Create or configure a custom security role

If your app uses a custom entity, its privileges must be explicitly granted in a security role before your app can be used. You can either add these privileges in an existing security role or create a custom security role.

Every security role must include a minimum set of privileges. Learn more about security roles and privileges.

Tip

The environment might maintain records used by multiple apps. You might need multiple security roles that grant different privileges. For example:

  • Some users (call them Editors) might only need to read, update, and attach other records, so their security role has read, write, and append privileges.
  • Other users might need all the privileges that Editors have plus the ability to create, append to, delete, and share. The security role for these users has create, read, write, append, delete, assign, append to, and share privileges.

Create a custom security role with minimum privileges to run an app

  1. Sign in to the Power Platform admin center.
  2. Select Environments in the navigation pane, and then select an environment.
  3. Select Settings > Users + permissions > Security roles.
  4. Select the App Opener role, and then select Copy.
  5. Enter the name of the custom role, and then select Copy.
  6. In the list of security roles, select the new role, and then select More actions > Edit.
  7. In the role editor, select the Custom Entities tab.
  8. Find your custom table in the list, and select the Read, Write, and Append privileges.
  9. Select Save and Close.

Create a custom security role from scratch

  1. Sign in to the Power Platform admin center.
  2. Select Environments in the navigation pane, and then select an environment.
  3. Select Settings > Users + permissions > Security roles.
  4. Select New role.
  5. Enter the name of the new role on the Details tab.
  6. On the other tabs, find your entity and then select actions and the scope for performing them.
  7. Select a tab, and search for your entity. For example, select the Custom Entities tab to set permissions on a custom entity.
  8. Select the privileges Read, Write, Append.
  9. Select Save and Close.

Assign security roles to users in an environment that has no Dataverse database

For environments with no Dataverse database, a user who has the Environment Admin role in the environment can assign security roles to individual users or groups from Microsoft Entra ID.

  1. Sign in to the Power Platform admin center.

  2. Select Environments, then choose an environment.

  3. In the Access tile, select See all for Environment admin or Environment maker to add or remove people for either role.

    Screenshot of selecting a security role in the Power Platform admin center.

  4. Select Add people, and then specify the name or email address of one or more users or groups from Microsoft Entra ID.

  5. Select Add.

Assign security roles to users in an environment that has a Dataverse database

Security roles can be assigned to individual users, owner teams, and Microsoft Entra group teams. Before you assign a role to a user, verify the user's account is added to and enabled in the environment.

In general, a security role can only be assigned to users whose accounts are enabled in the environment. To assign a security role to a user account disabled in the environment, turn on allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.

  1. Sign in to the Power Platform admin center.

  2. Select Environments, then choose an environment.

  3. In the Access tile, select See all under Security roles.

    Screenshot of the option to view all security roles in the Power Platform admin center.

  4. Make sure the correct business unit is selected in the list, and then select a role from the list of roles in the environment.

  5. Select Add people, and then specify the name or email address of one or more users or groups from Microsoft Entra ID.

  6. Select Add.
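
The following is an added example, not part of the original documentation or Microsoft's own code. It reviews role assignments against the two privilege sets described in the Tip above, relying on the fact that Dataverse security roles are cumulative. The role names, users, and the profile labels "Editor" and "Full" are constructed for illustration, and access level (scope) is ignored.

```python
# Privilege sets for a custom table, taken from the Tip on this page.
# The profile labels "Editor" and "Full" are hypothetical names.
EDITOR = frozenset({"Read", "Write", "Append"})
FULL = frozenset({"Create", "Read", "Write", "Append", "Delete",
                  "Assign", "Append To", "Share"})
PROFILES = {"Editor": EDITOR, "Full": FULL}

# Constructed role definitions: role name -> privileges on the custom table.
ROLE_PRIVILEGES = {
    "Contoso Editor": {"Read", "Write", "Append"},
    "Contoso Manager": set(FULL),
    "Contoso Cleanup": {"Read", "Delete"},
}

# Constructed assignments: user -> (intended profile, roles held directly
# or through a team).
ASSIGNMENTS = {
    "alice@contoso.example": ("Editor", ["Contoso Editor"]),
    "bob@contoso.example": ("Editor", ["Contoso Editor", "Contoso Cleanup"]),
    "carol@contoso.example": ("Full", ["Contoso Manager"]),
    "dave@contoso.example": ("Editor", ["Contoso Cleanup"]),
}


def effective_privileges(roles):
    """Union of privileges across roles, because roles are cumulative."""
    granted = set()
    for role in roles:
        granted |= ROLE_PRIVILEGES[role]
    return granted


def review(assignments):
    """Return {user: {"excess": [...], "missing": [...]}} for deviations only."""
    findings = {}
    for user, (profile, roles) in assignments.items():
        granted = effective_privileges(roles)
        excess = sorted(granted - PROFILES[profile])    # more than intended
        missing = sorted(PROFILES[profile] - granted)   # cannot do the job
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing}
    return findings


if __name__ == "__main__":
    for user, finding in review(ASSIGNMENTS).items():
        print(user, finding)
```

A second role added for a narrow purpose (here, the constructed "Contoso Cleanup" role) silently widens what an Editor can do, which is why the review works on the union of a user's roles rather than on each role alone.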