Users only need access to the apps and flows that align with their departmental function. You can create Microsoft Entra ID security groups based on business processes and assign team members to the appropriate groups. The security groups control user access to the apps and visibility to the various components within the apps.
Create Microsoft Entra ID security groups
The following deployment model illustrates how you assign users to different Microsoft Entra ID security groups based on their departmental function.
Admin security group
Add one or more administrators to an SAP Procurement Admin team.
Functional security groups
The security groups can align to specific business processes. Assign all of the users who participate in the procure-to-pay process to one or more of the six different user teams:
- Vendor management
- Purchase requisitions
- Purchase orders
- Vendor goods receipts
- Vendor invoice
- Vendor payments
This model is used throughout the rest of this document to show intent, but your configuration might differ based on your requirements.
Create Dataverse group teams
Admins manage the menu items visible to users in the canvas apps directly in the SAP Administrator app. Dataverse group team membership controls access and visibility to the menu items. Microsoft Entra ID security groups govern Dataverse group team membership, which ensures that:
- Users have visibility and access to appropriate menu items in the canvas apps when they're added to one or more security groups.
- Users lose visibility and access when they're removed from a security group.
Additionally, menu visibility drives the drill-through behavior of certain fields in the canvas apps. For example, if a user isn't part of the purchase orders team, they can only view the purchase order number associated with the requisition in the SAP Requisition Management app; they can't drill through to see the full order details.
More information: Work with Microsoft Entra ID group teams
Steps to managing teams
Take these steps to create teams and configure security settings:
- Sign in to the Power Platform admin center.
- Go to Environments and select the environment that contains the solutions.
- Go to Settings > Users + permissions > Teams.
- Select + Create Team.
- Complete the required fields. For Team type, select Microsoft Entra ID Security Group. You also need to complete Group name and Membership type.
- Search for the example security group previously created in Microsoft Entra ID and associate it with the newly created group team.
- Assign security roles to teams that correspond to team functions.
Security role guidance
The following table provides guidance for assigning security roles:
| Dataverse Team Name | SAP Template User | SAP Template Administrator | Basic User |
|---|---|---|---|
| Vendor management | X | X | |
| Purchase requisitions | X | X | |
| Purchase orders | X | X | |
| Vendor goods receipt | X | X | |
| Vendor invoice | X | X | |
| Vendor payments | X | X | |
| Admin | X | X | |
Note
- Add or remove users from a group team based on their membership in the linked Microsoft Entra ID security group.
- Team membership governs access to Dataverse data, with different access levels for SAP integration user and SAP integration admin security role assignments.
- You can also see the Dataverse group team setup in the Power Platform admin center in the SAP Admin app for reference.
More information: Manage group teams, Security roles and privileges
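To verify that the group teams created above still match the model (each team linked to a Microsoft Entra ID security group, and carrying only the roles the security role guidance table assigns), here is an added audit script; it is not part of the SAP Procurement template and assumes the standard Dataverse Web API `teams` entity, where `teamtype` 2 is the Microsoft Entra ID Security Group team type. The sample teams and the expected role matrix below are constructed; fill the matrix in from the table above for a real run.

```python
# Added audit script (not part of the SAP Procurement template); assumes the standard
# Dataverse Web API 'teams' entity (teamtype 2 = Microsoft Entra ID Security Group).
import json
import urllib.request
from typing import Dict, List, Set

AAD_SECURITY_GROUP = 2

def fetch_teams(env_url: str, token: str) -> List[dict]:
    """Pull every team with its linked Entra object and security roles (needs a bearer token)."""
    query = ("/api/data/v9.2/teams?$select=name,teamtype,azureactivedirectoryobjectid"
             "&$expand=teamroles_association($select=name)")
    req = urllib.request.Request(env_url.rstrip("/") + query, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def audit_teams(teams: List[dict], expected: Dict[str, Set[str]]) -> List[str]:
    """One finding per deviation from 'expected' (team name -> set of role names)."""
    findings: List[str] = []
    seen: Set[str] = set()
    for team in teams:
        name = team.get("name", "")
        if name not in expected:
            continue  # teams outside the model are not judged here
        seen.add(name)
        if team.get("teamtype") != AAD_SECURITY_GROUP or not team.get("azureactivedirectoryobjectid"):
            findings.append(f"{name}: not linked to a Microsoft Entra ID security group")
        roles = {r["name"] for r in team.get("teamroles_association", [])}
        for role in sorted(roles - expected[name]):
            findings.append(f"{name}: unexpected role '{role}'")  # over-privileged team
        for role in sorted(expected[name] - roles):
            findings.append(f"{name}: missing role '{role}'")
    for name in sorted(expected.keys() - seen):
        findings.append(f"{name}: team not found")
    return findings

# Constructed sample: fill SAMPLE_EXPECTED from the security role guidance table for a real run.
SAMPLE_EXPECTED = {"Vendor management": {"SAP Template User", "Basic User"},
                   "Admin": {"SAP Template Administrator", "Basic User"},
                   "Vendor payments": {"SAP Template User", "Basic User"}}
SAMPLE_TEAMS = [  # third team is an owner team carrying the admin role: two findings expected
    {"name": "Vendor management", "teamtype": 2, "azureactivedirectoryobjectid": "11111111-0000-0000-0000-000000000000",
     "teamroles_association": [{"name": "SAP Template User"}, {"name": "Basic User"}]},
    {"name": "Admin", "teamtype": 2, "azureactivedirectoryobjectid": "22222222-0000-0000-0000-000000000000",
     "teamroles_association": [{"name": "SAP Template Administrator"}, {"name": "Basic User"}]},
    {"name": "Vendor payments", "teamtype": 0, "azureactivedirectoryobjectid": None,
     "teamroles_association": [{"name": "SAP Template User"}, {"name": "SAP Template Administrator"}, {"name": "Basic User"}]},
]
```

Run `audit_teams(fetch_teams(env_url, token), expected)` on a schedule and alert on a non-empty result; a team that drifts to an owner team, or gains SAP Template Administrator outside the Admin team, shows up as a finding.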
Share access to the apps and flows
Security group members can only access apps and flows that are shared with them. Use the security groups model as an example to help you set up security groups for your organization.
Share the flows with Run only privileges so that users can run the embedded flows and so that the SAP ERP, Dataverse, and Office 365 connectors use the triggering user's credentials.
Warning
If you don't change the Read Only privileges of the flows, the connector services can't pass the user's credentials. Limit sharing of the Dataverse and Office 365 connections.
Steps to share apps
- Go to the individual apps in Power Apps.
- Select the Share option.
- Search for and select the appropriate security group that contains the members who need to access that app.
- Select Share. You can also choose whether to include an email invitation (not required).
Steps to share flows
- Go to the individual cloud flows in Power Apps.
- Go to the Run only users section and select Edit.
- Invite system users and teams by searching for and selecting the Microsoft Entra ID security groups that need access to the flow, according to the canvas apps that the team needs to use.
- For all three connections used, select the Provided by run-only end user option.
- Select Save.
Sharing summary
This table provides a mapping summary of what components you need to assign or share according to the example Microsoft Entra ID security group teams.
| Component | Type | Vendor management team | Purchase requisitions team | Purchase orders team | Vendor goods receipt team | Vendor invoice team | Vendor payments team | Admin team |
|---|---|---|---|---|---|---|---|---|
| SAP Vendor Management | app | X | ||||||
| SAP Purchase Requisitions | app | X | ||||||
| SAP Purchase Orders | app | X | ||||||
| SAP Goods Receipts | app | X | ||||||
| SAP Vendor Invoice | app | X | ||||||
| SAP Vendor Payments | app | X | ||||||
| SAP Template Administrator | app | X | ||||||
| ApprovePurchaseOrder | flow | X | ||||||
| ApproveVendorInvoice | flow | X | ||||||
| ConvertRequisitionToPurchaseOrder | flow | X | ||||||
| CreateGoodsReceipt | flow | X | ||||||
| CreatePurchaseOrder | flow | X | ||||||
| CreateRequisition | flow | X | ||||||
| CreateVendor | flow | X | ||||||
| CreateVendorInvoice | flow | X | ||||||
| ReadGLAccount | flow | X | X | X | ||||
| ReadGLAccountList | flow | X | X | X | ||||
| ReadGoodsReceipt | flow | X | X | X | ||||
| ReadGoodsReceiptList | flow | X | X | X | ||||
| ReadMaterial | flow | X | X | X | X | X | X | |
| ReadMaterialList | flow | X | X | X | X | X | X | |
| ReadPurchaseOrder | flow | X | X | X | X | |||
| ReadPurchaseOrderList | flow | X | X | X | X | |||
| ReadRequisition | flow | X | X | X | ||||
| ReadRequisitionList | flow | X | X | X | ||||
| ReadVendor | flow | X | X | X | X | X | X | |
| ReadVendorInvoice | flow | X | X | X | X | |||
| ReadVendorInvoiceList | flow | X | X | X | X | |||
| ReadVendorList | flow | X | X | X | X | X | X | |
| ReadVendorPayment | flow | X | X | X | ||||
| ReadVendorPaymentList | flow | X | X | X | ||||
| ReverseVendorInvoice | flow | X | ||||||
| UpdatePurchaseOrder | flow | X | ||||||
| UpdateVendor | flow | X | ||||||
| UpdateVendorInvoice | flow | X | ||||||