Configure user security to resources in an environment
Microsoft Dataverse uses a role-based security model to help secure access to the database. This article explains how to create the security artifacts that you must have to help secure resources in an environment. Security roles can be used to configure environment-wide access to all resources in the environment, or to configure access to specific apps and data in the environment. Security roles control a user's access to an environment's resources through a set of access levels and permissions. The combination of access levels and permissions that are included in a specific security role governs the limitations on the user's view of apps and data, and on the user's interactions with that data.
An environment can have zero or one Dataverse database. The process for assigning security roles for environments that have no Dataverse database differs from that for an environment that does have a Dataverse database.
Predefined security roles
Environments include predefined security roles that reflect common user tasks with access levels defined to match the security best-practice goal of providing access to the minimum amount of business data required to use the app.
These security roles can be assigned to the user, owner team and group team.
There is another set of security roles that is assigned to application users. Those security roles are installed by our services and cannot be updated.
Important
The predefined security roles that are available in your environment depend on the environment type and the apps you have installed in your environment. Read on to know about all the predefined security roles available in an environment.
Environments without a Dataverse database
Environment Maker and Environment Admin are the only predefined roles for environments that have no Dataverse database. These roles are defined in the following table.
| Security role | Database privileges* | Description |
|---|---|---|
| Environment Admin | Create, Read, Write, Delete, Customizations, Security Roles | The Environment Admin role can perform all administrative actions on an environment, including the following:
|
| Environment Maker | Customizations | Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment. More information: Environments overview Environment makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization. More information: Share an app in Power Apps |
*The scope of these privileges is global, unless specified otherwise.
Environments with a Dataverse database
If the environment has a Dataverse database, a user must be assigned the System Administrator role instead of the Environment Admin role for full admin privileges, as described in the following table.
For users who make apps that connect to the database and need to create or update entities and security roles, you need to assign the System Customizer role in addition to the Environment Maker role. This is necessary because the Environment Maker role doesn't have privileges on the environment's data.
| Security role | Database privileges* | Description |
|---|---|---|
| App Opener | Create(self), Read,Write (self), Delete (self) | Has minimum privileges for common tasks. This is primarily used when creating a new security role for model-driven apps, where a copy of the role is created before applying data access to your tables. This role is protected and cannot be updated. |
| Environment Maker | Customizations | Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment. More information: Environments overview Environment makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization. More information: Share an app in Power Apps |
| System Administrator | Create, Read, Write, Delete, Customizations, Security Roles | Has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Can view all data in the environment. More information: Privileges required for customization |
| System Customizer | Create, Read, Write, Delete, Customizations | Has full permission to customize the environment. Can view all custom table data in the environment. However, users with this role can only view rows (records) that they create in Account, Contact, Activity tables. More information: Privileges required for customization |
| Basic User | Read (self), Create (self), Write (self), Delete (self) | Can run an app within the environment and perform common tasks for the records that they own. Note that this only applies to non-custom entities. More information: Create or configure a custom security role Note: the Common Data Service User security role was renamed to Basic User. There is no action required - this is just a name changed and it doesn't impact the user privileges or role assignment. If you have a Solution with the Common Data Service User security role, you can inadvertently update the security role name back to Common Data Service User when you import the Solution. Please update the Solution before re-importing. |
| Service Reader | Read | Has full Read permission to all entities including custom entities. This is primarily used by backend service that requires reading all entities. |
| Service Writer | Create, Read, Write | Has full Create, Read, and Write permission to all entities including custom entities. This is primarily used by backend service that requires creating and updating records. |
| Delegate | Act on behalf of another user | Allows code to impersonate, or run as another user. Typically used with another security role to allow access to records. More information: Impersonate another user |
| Support User | Read Customizations, Read Business Management settings | Has full Read permission to customization and business management settings to allow Support staff to troubleshoot environment configuration issues. Does not have access to core records. |
| Office Collaborator | Read (self) | Has Read permission to tables where a record from these tables was shared with the organization. Does not have access to any other core and custom table records. This role is assigned to the Office Collaborators owner team and not to an individual user. |
| Global Reader | The Global Reader role is not yet supported in the Power Platform admin center. |
*The scope of these privileges is global, unless specified otherwise.
In addition to the predefined security roles listed above for Dataverse, there might be other security roles available in your environment depending on the Power Platform components (Power Apps, Power Automate, Power Virtual Agents) you have.
| Power Platform component | Information |
|---|---|
| Power Apps | Predefined security roles for environments with a Dataverse database |
| Power Automate | Security and privacy |
| Power Virtual Agents | Assign environment security roles |
Dataverse for Teams environments
For information on Dataverse for Teams environment security roles, see User access to Dataverse for Teams environments.
App-specific security roles
If you deploy Dynamics 365 apps in your environment, such as Dynamics 365 Sales or Dynamics 365 Field Service, additional security roles get added as a result of deploying these apps. For information about these additional security roles, see the respective apps’ documentation:
| Dynamics 365 app | Security role docs |
|---|---|
| Dynamics 365 Sales | Predefined security roles for Sales |
| Dynamics 365 Marketing | Security roles added by Dynamics 365 Marketing |
| Dynamics 365 Field Service | Dynamics 365 Field Service roles + definitions |
| Dynamics 365 Customer Service | Roles in Omnichannel for Customer Service |
| Dynamics 365 Customer Insights | Customer Insights roles |
| App profile manager | Roles and privileges associated with app profile manager |
| Dynamics 365 Finance | Security roles in the public sector |
| Finance and operations apps | Security roles in Microsoft Power Platform |
Summary of resources available for predefined security roles
The following table describes which resources can be authored by each security role.
| Resource | Environment Maker | Environment Admin | System Customizer | System Admin |
|---|---|---|---|---|
| Canvas app | X | X | X | X |
| Cloud flow | X (non-solution aware) | X | X (solution aware) | X |
| Connector | X | X | - | X |
| Connection | X | X | - | X |
| Data gateway | X | X | - | X |
| Dataflow | X | X | - | X |
| Dataverse tables | - | - | X | X |
| Model-driven app | X | - | X | X |
| Solution framework | X | - | X | X |
| *Desktop flow | - | - | X | X |
| AI Builder | - | - | X | X |
*Dataverse for Teams users don’t get access to desktop flows by default. You need to upgrade your environment to full Dataverse capabilities and acquire Desktop flow license plans in order to use desktop flows.
Assign security roles to users in an environment that has no Dataverse database
For environments with no Dataverse database, security roles can be assigned to individual users or groups from Azure AD. A user who has the Environment Admin role in the environment can take these steps.
Sign in to the Power Platform admin center.
Select Environments > [select an environment].
In the Access tile, select See all for Environment admin or Environment maker to add or remove people for either role.
Select Add people, and then specify the name or email address of one or more users or groups from Azure AD to assign this role to.
Assign security roles to users in an environment that has a Dataverse database
Security roles can be assigned to owner teams and Azure AD group teams, in addition to individual users. Before assigning a role to a user, verify that the user is present in the environment in Enabled status. Add the user to the environment or fix their status to become Enabled before assigning a role to them. You'll be able to assign a role as part of the process of adding the user.
In general, a security role can only be assigned to users who have Enabled status. But if you need to assign a security role to users in the Disabled state, you can do so by enabling allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.
To add a security role to an owner team, group team, or a user who has Enabled status in an environment:
Sign in to the Power Platform admin center.
Select Environments > [select an environment].
In the Access tile, select See all under Security roles.
Make sure the right Business unit is selected from the dropdown, and select a role from the list of roles in the environment.
Select Add people to add a user, owner team, or group team to the role. If you do not find a user or team to assign the role to, make sure the user or team is present in the environment and the user has Enabled status before assigning a role to them.
Create or configure a custom security role
If your app uses a custom entity, its privileges must be explicitly granted in a security role before your app can be used. You can either add these privileges in an existing security role or create a custom security role.
Note
Every security role must include a minimum set of privileges before it can be used. These are described later in this article.
Tip
The environment might maintain the records that can be used by multiple apps; therefore, you might need multiple security roles to access the data by using different privileges. For example:
- Some users (call them Type A) might only need to read, update, and attach other records, so their security role will have read, write, and append privileges.
- Other users might need all the privileges that Type A users have, plus the ability to create, append to, delete, and share. The security role for these users will have create, read, write, append, delete, assign, append to, and share privileges.
For more information about access and scope privileges, see Security roles and privileges.
Create a custom security role with minimum privileges to run an app
- Sign in to the Power Platform admin center, and select Environments in the navigation pane.
- Select the environment for which you want to create a security role.
- Select Settings in the action bar.
- Select Users + permissions > Security roles.
- Select the check mark next to the App Opener role.
- Select Copy on the action bar.
- Enter a role name for your custom role, and then select Copy.
- From the list of security roles, locate your newly created custom role.
- Select the check mark next to your custom role.
- Select the More actions (...) icon, and then select Edit.
- In the role editor, select the Custom Entities tab to set permissions on your custom table.
- Find your custom table in the list, and select the Read, Write, and Append privileges.
- Select Save and Close.
Create a customer security role from scratch
- Sign in to the Power Platform admin center, and select Environments in the navigation pane.
- Select the environment for which you want to create a security role.
- Select Settings in the action bar.
- Select Users + permissions > Security roles.
- Select New role on the action bar.
- From the security role designer, enter a role name on the Details tab. From the other tabs, you'll select the actions and the scope for performing that action.
- Select a tab, and search for your entity. For example, select the Custom Entities tab to set permissions on a custom entity.
- Select the privileges Read, Write, Append.
- Select Save and Close.
Minimum privileges to run an app
When you create a custom security role, the role must have a set of minimum privileges in order for a user to run an app. We've created a solution you can import that provides a security role that includes the required minimum privileges.
See also
Grant users access
Control user access to environments: security groups and licenses
How access to a record is determined
Feedback
Submit and view feedback for