Microsoft Dataverse uses a role-based security model to control access to a database and its resources in an environment. Use security roles to configure access to all resources in an environment or to specific apps and data in the environment. A combination of access levels and permissions in a security role determines which apps and data users can view and how they can interact with those apps and data.
An environment can have zero or one Dataverse database. You assign security roles differently for environments that have no Dataverse database and environments that have a Dataverse database.
Predefined security roles
Environments include predefined security roles that reflect common user tasks. The predefined security roles follow the security best practice of "minimum required access": provide the least access to the minimum business data that a user needs to use an app. These security roles can be assigned to a user, owner team, and group team. The predefined security roles that are available in an environment depend on the environment type and the apps installed in it.
Another set of security roles is assigned to application users. Those security roles are installed by our services and can't be updated.
Environments without a Dataverse database
Environment Maker and Environment Admin are the only predefined roles for environments that have no Dataverse database. To learn more about these roles, see the following table.
| Security role | Description |
|---|---|
| Environment Admin | The Environment Admin role can perform all administrative actions on an environment, including: |
| Environment Maker | Can create new resources associated with an environment, including apps, connections, custom APIs, and flows using Microsoft Power Automate. However, this role doesn't have privileges to access data in an environment. Environment makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization. |
Environments with a Dataverse database
If the environment has a Dataverse database, a user must be assigned the System Administrator role instead of the Environment Admin role to have full admin privileges.
Users who make apps that connect to the database and need to create or update entities must have the System Customizer role in addition to the Environment Maker role. The Environment Maker role doesn't have privileges on the environment's data. These security roles do not have the privileges to create or update security roles.
The following list provides the predefined security roles in an environment that has a Dataverse database. You can't edit these roles.
- App Opener
- Basic User
- Delegate
- Dynamics 365 Administrator
- Environment Maker
- Global Administrator
- Global Reader
- Office Collaborator
- Power Platform administrator
- Service Deleted
- Service Reader
- Service Writer
- Support User
- System Administrator
- System Customizer
- Website App Owner
- Website Owner
To learn more about these roles, including their descriptions, who they apply to, and a summary of the table privileges to which they have access, see Role name and description of a security role.
In addition to the predefined security roles described for Dataverse, other security roles might be available in your environment depending on the Power Platform components—Power Apps, Power Automate, Microsoft Copilot Studio—you have. The following table provides links to more information.
| Power Platform component | Information |
|---|---|
| Power Apps | Predefined security roles for environments with a Dataverse database |
| Power Automate | Security and privacy |
| Power Pages | Roles required for website administration |
| Microsoft Copilot Studio | Assign environment security roles |
Dataverse for Teams environments
Learn more about predefined security roles in Dataverse for Teams environments.
App-specific security roles
If you deploy Dynamics 365 apps in your environment, other security roles are added. The following table provides links to more information.
| Dynamics 365 app | Security role docs |
|---|---|
| Dynamics 365 Sales | Predefined security roles for Sales |
| Dynamics 365 Marketing | Security roles added by Dynamics 365 Marketing |
| Dynamics 365 Field Service | Dynamics 365 Field Service roles + definitions |
| Dynamics 365 Customer Service | Roles in Omnichannel for Customer Service |
| Dynamics 365 Customer Insights | Customer Insights roles |
| App profile manager | Roles and privileges associated with app profile manager |
| Dynamics 365 Finance | Security roles in the public sector |
| Finance and operations apps | Security roles in Microsoft Power Platform |
Summary of resources available to predefined security roles
The following table describes which resources each security role can author.
| Resource | Environment Maker | Environment Admin | System Customizer | System Admin |
|---|---|---|---|---|
| Canvas app | X | X | X | X |
| Cloud flow | X (non–solution-aware) | X | X | X |
| Connector | X (non–solution-aware) | X | X | X |
| Connection* | X | X | X | X |
| Data gateway | - | X | - | X |
| Dataflow | X | X | X | X |
| Dataverse tables | - | - | X | X |
| Model-driven app | X | - | X | X |
| Solution framework | X | - | X | X |
| Desktop flow** | - | - | X | X |
| AI Builder | - | - | X | X |
*Connections are used in canvas apps and Power Automate.
**Dataverse for Teams users don't get access to desktop flows by default. You need to upgrade your environment to full Dataverse capabilities and acquire desktop flow license plans to use desktop flows.