Create or edit a security role to manage access

Create security roles or edit the privileges associated with an existing security role to accommodate changes in your business requirements. You can export your changes as a solution to make a backup or for use in a different implementation.

Prerequisites

Make sure you have the System Administrator permission. If you don't, contact your system administrator.

Create a security role

  1. Sign in to the Power Platform admin center and select an environment.

  2. Select Settings > Users + permissions > Security roles.

  3. Select + New role.

  4. Enter a role name.

  5. Select a business unit.

  6. To allow team members to inherit the privileges of this role when it's assigned to a team, accept the default Member's privilege inheritance setting, which is Direct User (Basic) access level and Team privileges.

  7. To use the new role to run model-driven apps, accept the default Include App Opener privileges for running Model-Driven apps setting, which is set to On.

  8. Use the new or legacy experience to specify privileges for the security role.

  9. Select Save. The properties of the new role are displayed.

    Note

    You must grant your app's table privileges to this newly created security role. You also need to review and update the default privileges that were copied from the App Opener security role's minimum privileges for common tasks. There are some privileges that were granted with an Organization-level read access, such as Process (Flows), that allow the user to run system-supplied flows. If your app or user doesn't need to run system-supplied flows, you can change this privilege to User (basic) level.

  10. Enter your table name in the Search input field to find your app's table.

  11. Select your table and set the Permission settings. Then select the Save button.

    Note

    You may need to repeat the last two steps of this procedure if there is more than one table in your app.

Create a security role by Copy Role

  1. Sign in to the Power Platform admin center and select an environment.

  2. Select Settings > Users + permissions > Security roles.

  3. Select the security role you want to copy.

  4. Select Copy.

  5. Enter a name for the new role.

  6. Select OK.

  7. Use the new or legacy experience to specify privileges for the security role.

  8. Select Save + close.

Edit a security role

Before you edit a security role, make sure you understand the principles of controlling data access.

Note

You can't edit the System Administrator security role. Instead, copy the System Administrator security role and make changes to the new role.

  1. Sign in to the Power Platform admin center and select an environment.

  2. Select Settings > Users + permissions > Security roles.

  3. Select the security role you want to edit.

  4. Use the new or legacy experience to specify privileges for the security role.

  5. Select Save + close.

Minimum privileges for common tasks

Make sure that your users have a security role with the minimum privileges that are needed for common tasks like opening model-driven apps.

Don't use the min prv apps use role that's available in the Microsoft Download Center. It's being retired soon. Instead, use or copy the predefined security role App Opener, and then set the appropriate privileges.

  • To allow users to open a model-driven app or any Dynamics 365 customer engagement app, assign the App Owner role.

  • To allow users to view tables, assign the following privileges:

    • Core Records: Read privilege on the table, Read Saved View, Create/Read/Write User Entity UI Settings and assign the following privilege on the Business Management tab: Read User.
  • When logging in to Dynamics 365 for Outlook:

  • To render navigation for customer engagement apps and all buttons: assign the min prv apps use security role or a copy of this security role to your user

  • To render a table grid: assign Read privilege on the table

  • To render tables: assign Read privilege on the table

Privacy notices

Licensed Dynamics 365 Online users with specific security roles are automatically authorized to access the service by using Dynamics 365 for phones, and other clients. Examples of authorized roles include: CEO, Business Manager, Sales Manager, Salesperson, System Administrator, System Customizer, and Vice President of Sales.

An admin has full control, at the user's security role or entity level, to access and the level of authorized access associated with the phone client. Users can then access Dynamics 365 Online by using Dynamics 365 for phones. Customer data will be cached on the device running the specific client.

Based on the specific settings at the user security and entity levels, the types of customer data that can be exported from Dynamics 365 Online. The data that can be cached on an end user’s device include record data, record metadata, entity data, entity metadata, and business logic.

The Dynamics 365 for tablets and phones, and Project Finder for Project Finder for Dynamics 365 (the "App") enables users to access their Microsoft Dynamics CRM or Dynamics 365 instance from their tablet and phone device. In order to provide this service, the App processes and stores information, such as user's credentials and the data the user processes in Microsoft Dynamics CRM or Dynamics 365. The App is provided for use only by end users of Microsoft customers who are authorized users of Microsoft Dynamics CRM or Dynamics 365. The App processes user's information on behalf of the applicable Microsoft customer, and Microsoft may disclose information processed by the App at the direction of the organization that provides users access to Microsoft Dynamics CRM or Dynamics 365. Microsoft does not use information users process via the App for any other purpose.

If users use the App to connect to Microsoft Dynamics CRM (online) or Dynamics 365, by installing the App, users consent to transmission of their organization's assigned ID and assigned end user ID, and device ID to Microsoft for purposes of enabling connections across multiple devices, or improving Microsoft Dynamics CRM (online), Dynamics 365 or the App.

Location data. If users request and enable location-based services or features in the App, the App may collect and use precise data about their location. Precise location data can be Global Position System (GPS) data, as well as data identifying nearby cell towers and Wi-Fi hotspots. The App may send location data to Microsoft Dynamics CRM or Dynamics 365. The App may send the location data to Bing Maps and other third party mapping services, such as Google Maps and Apple Maps, a user designated in the user's phone to process the user's location data within the App. Users may disable location-based services or features or disable the App's access to user's location by turning off the location service or turning off the App's access to the location service. Users' use of Bing Maps is governed by the Bing Maps End User Terms of Use available at https://go.microsoft.com/?linkid=9710837 and the Bing Maps Privacy Statement available at https://go.microsoft.com/fwlink/?LinkID=248686. Users' use of third party mapping services, and any information users provide to them, is governed by their service specific end user terms and privacy statements. Users should carefully review these other end user terms and privacy statements.

The App may include links to other Microsoft services and third party services whose privacy and security practices may differ from those of Microsoft Dynamics CRM or Dynamics 365.  IF USERS SUBMIT DATA TO OTHER MICROSOFT SERVICES OR THIRD PARTY SERVICES, SUCH DATA IS GOVERNED BY THEIR RESPECTIVE PRIVACY STATEMENTS. For the avoidance of doubt, data shared outside of Microsoft Dynamics CRM or Dynamics 365 is not covered by users' Microsoft Dynamicss CRM or Dynamics 365 agreement(s) or the applicable Microsoft Dynamics Trust Center. Microsoft encourages users to review these other privacy statements.

Licensed Dynamics 365 Online users with specific Security Roles (CEO – Business Manager, Sales Manager, Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized to access the service by using Dynamics 365 for tablets, as well as other clients.

An administrator has full control (at the user security role or entity level) over the ability to access and the level of authorized access associated with the tablet client. Users can then access Dynamics 365 (online) by using Dynamics 365 for tablets, and Customer Data will be cached on the device running the specific client.

Based on the specific settings at the user security and entity levels, the types of Customer Data that can be exported from Dynamics 365 (online) and cached on an end user’s device include record data, record metadata, entity data, entity metadata, and business logic.

If you use Microsoft Dynamics 365 for Outlook, when you go offline, a copy of the data you are working on is created and stored on your local computer. The data is transferred from Dynamics 365 (online) to your computer by using a secure connection, and a link is maintained between the local copy and Dynamics 365 Online. The next time you sign in to Dynamics 365 (online), the local data will be synchronized with Dynamics 365 (online).

An administrator determines whether or not an organization’s users are permitted to go offline with Microsoft Dynamics 365 for Outlook by using security roles.

Users and administrators can configure which entities are downloaded via Offline Sync by using the Sync Filters setting in the Options dialog box. Alternatively, users and Administrators can configure which fields are downloaded (and uploaded) by using Advanced Options in the Sync Filters dialog box.

If you use Dynamics 365 (online), when you use the Sync to Outlook feature, the Dynamics 365 data you are syncing is “exported” to Outlook. A link is maintained between the information in Outlook and the information in Dynamics 365 (online) to ensure that the information remains current between the two. Outlook Sync downloads only the relevant Dynamics 365 record IDs to use when a user attempts to track and set regarding an Outlook item. The company data is not stored on the device.

An administrator determines whether your organization’s users are permitted to sync Dynamics 365 data to Outlook by using security roles.

If you use Microsoft Dynamics 365 (online), exporting data to a static worksheet creates a local copy of the exported data and stores it on your computer. The data is transferred from Dynamics 365 (online) to your computer by using a secure connection, and no connection is maintained between this local copy and Dynamics 365 (online).

When you export to a dynamic worksheet or PivotTable, a link is maintained between the Excel worksheet and Dynamics 365 (online). Every time a dynamic worksheet or PivotTable is refreshed, you’ll be authenticated with Dynamics 365 (online) using your credentials. You’ll be able to see the data that you have permissions to view.

An administrator determines whether or not an organization’s users are permitted to export data to Excel by using security roles.

When Dynamics 365 (online) users print Dynamics 365 data, they are effectively “exporting” that data from the security boundary provided by Dynamics 365 (online) to a less secure environment, in this case, to a piece of paper.

An administrator has full control (at the user security role or entity level) over the data that can be extracted. However, after the data has been extracted it is no longer protected by the security boundary provided by Dynamics 365 (online) and is instead controlled directly by the customer.

See also

Security concepts Predefined security roles Copy a security role