Configure security groups (preview)
[This article is prerelease documentation and is subject to change.]
Users need access only to the apps and flows that align with their departmental function. You can create Microsoft Entra ID security groups based on business processes and assign team members to the appropriate groups. The security groups control user access to the apps and visibility of the various components within the apps.
Create Microsoft Entra ID security groups
The following deployment model illustrates how you assign users to different Microsoft Entra ID security groups based on their departmental function.
Admin security group
Assign one or more administrators to a Copilot for Finance SAP Collections Admin team.
Functional security groups
The security groups can align to specific business processes. Assign all of the users who participate in the Copilot for Finance Collections process to the following user team:
- Collections
This model is used throughout the rest of this document to show intent, but your configuration may differ based on your requirements.
Create Dataverse group teams
Admins manage the menu items visible to users in the canvas apps directly in the SAP Administrator app. Dataverse group team membership controls access to and visibility of the menu items. Microsoft Entra ID security groups govern Dataverse group team membership, which ensures that:
- Users gain visibility of and access to the appropriate menu items in the canvas apps when they're added to one or more security groups.
- Users lose that visibility and access when they're removed from a security group.
Additionally, menu visibility drives the drill-through behavior on certain fields in the canvas apps. For example, if a user isn't part of the purchase orders team, they can only view the purchase order number associated with the requisition in the SAP Requisition Management app. They can't drill through to see the full purchase order details.
More information: Work with Microsoft Entra ID group teams
Steps to manage teams
Take these steps to create teams and configure security settings:
- Sign in to the Power Platform admin center.
- Go to Environments and select the environment that contains the solutions.
- Go to Settings > Users + permissions > Teams.
- Select + Create Team.
- Complete the required fields. For Team type, select Microsoft Entra ID Security Group. You're also required to complete Group name and Membership type.
- Search for the security group you previously created in Microsoft Entra ID and associate it with the newly created group team.
- Assign security roles to teams that correspond to team functions.
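The same steps can be scripted against the Dataverse Web API, which is useful when you need to create the group teams in several environments consistently or verify what was configured by hand. The following PowerShell script is an added example; it isn't code from the Copilot for Finance documentation or the SAP templates. The environment URL, the Entra security group object ID, the team name, and the security role name are assumptions, and it uses Azure CLI (`az account get-access-token`) to obtain a token for the Dataverse resource.

```powershell
# Added example (not part of the original documentation): create a Dataverse group team
# bound to a Microsoft Entra ID security group and assign it a security role through the
# Dataverse Web API. The URL, IDs and names below are assumptions; replace them for your tenant.

$orgUrl  = "https://contoso.crm.dynamics.com"   # assumption: your environment URL
$apiBase = "$orgUrl/api/data/v9.2"

# Bearer token for the Dataverse resource. Requires 'az login' as an account that holds the
# System Administrator role in the environment.
$token = az account get-access-token --resource $orgUrl --query accessToken -o tsv
$headers = @{
    Authorization      = "Bearer $token"
    "OData-MaxVersion" = "4.0"
    "OData-Version"    = "4.0"
    Accept             = "application/json"
}

# Inputs (all assumed): the security group's object ID from Microsoft Entra ID, the team
# to create and the security role it should receive.
$entraGroupObjectId = "00000000-0000-0000-0000-000000000000"
$teamName           = "Collections"
$roleName           = "SAP Template User"

# 1. Resolve the root business unit and the calling user; both lookups are required on create.
$bu = (Invoke-RestMethod -Headers $headers -Uri "$apiBase/businessunits?`$select=businessunitid&`$filter=parentbusinessunitid eq null").value[0]
$me = Invoke-RestMethod -Headers $headers -Uri "$apiBase/WhoAmI"

# 2. Create the group team. teamtype 2 = Microsoft Entra ID security group.
#    membershiptype: 0 = members and guests, 1 = members, 2 = owners, 3 = guests.
$teamBody = @{
    name                         = $teamName
    teamtype                     = 2
    azureactivedirectoryobjectid = $entraGroupObjectId
    membershiptype               = 1
    "businessunitid@odata.bind"  = "/businessunits($($bu.businessunitid))"
    "administratorid@odata.bind" = "/systemusers($($me.UserId))"
} | ConvertTo-Json

$resp = Invoke-WebRequest -Method Post -Headers $headers -Uri "$apiBase/teams" `
        -ContentType "application/json; charset=utf-8" -Body $teamBody
# The new record's URL is returned in the OData-EntityId header, e.g. .../teams(<guid>)
$entityId = "$($resp.Headers['OData-EntityId'])"
$teamId   = [regex]::Match($entityId, "\(([0-9a-fA-F-]{36})\)").Groups[1].Value

# 3. Look up the security role in the same business unit and associate it with the team.
$role = (Invoke-RestMethod -Headers $headers -Uri "$apiBase/roles?`$select=roleid&`$filter=name eq '$roleName' and _businessunitid_value eq $($bu.businessunitid)").value[0]
if (-not $role) { throw "Security role '$roleName' not found in this environment; import the solution first." }

$assocBody = @{ "@odata.id" = "$apiBase/roles($($role.roleid))" } | ConvertTo-Json
Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json; charset=utf-8" `
    -Uri "$apiBase/teams($teamId)/teamroles_association/`$ref" -Body $assocBody | Out-Null

# 4. Verify the result: the team should be of type 2 and carry exactly the roles you assigned.
$check = Invoke-RestMethod -Headers $headers -Uri "$apiBase/teams($teamId)?`$select=name,teamtype,azureactivedirectoryobjectid&`$expand=teamroles_association(`$select=name)"
[pscustomobject]@{
    Team       = $check.name
    TeamType   = $check.teamtype
    EntraGroup = $check.azureactivedirectoryobjectid
    Roles      = ($check.teamroles_association.name -join ", ")
}
```

Team membership isn't written by this script: Dataverse reads it from the linked Microsoft Entra ID group, so the team shows members only as group members sign in. Run step 3 once per role listed in the security role guidance table, and keep the token holder's account separate from the groups you are granting so the audit trail shows which admin made the assignment.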
Security role guidance
The following table provides guidance for assigning security roles:
Dataverse Team Name | SAP Template User | SAP Template Administrator | Basic User |
---|---|---|---|
Finance Communications | X | X | |
Admin | X | X | |
Note
- Users are added to or removed from a group team based on their membership to the linked Microsoft Entra ID security group.
- Access to Dataverse data is governed by team membership. The access level a team receives depends on whether the SAP integration user or the SAP integration admin security role is assigned to it.
- The Dataverse group team setup in the Power Platform admin center can also be seen in the SAP Admin app for reference.
For more information, see Manage group teams, and Security roles and privileges.
Share access to the flows
Security group members can only access apps and flows that are shared with them. To help you set up security groups for your organization, use the security groups model as an example.
Share the flows with Run only permissions so that users can run the embedded flows and the SAP ERP, Dataverse, and Office 365 connections use the triggering user's credentials rather than the flow owner's.
Warning
If the flows are shared with any permission other than Run only, or the connections aren't set to be provided by the run-only user, the connector services can't pass the triggering user's credentials, and the flows run under the owner's connections instead. Limit sharing of the Dataverse and Office 365 connections themselves.
Steps to share flows
- Go to the individual cloud flows in Power Apps.
- Go to the Run only users section and select Edit.
- Invite system users and teams by searching for and selecting the Microsoft Entra ID security groups that need access to the flow, according to the canvas apps that the team needs to use.
- For all three connections used, select the Provided by run-only end user option.
- Select Save.