Configure user security to resources in an environment

Microsoft Dataverse uses a role-based security model to help secure access to the database. This article explains how to create the security artifacts that you must have to help secure resources in an environment. Security roles can be used to configure environment-wide access to all resources in the environment, or to configure access to specific apps and data in the environment. Security roles control a user's access to an environment's resources through a set of access levels and permissions. The combination of access levels and permissions that are included in a specific security role governs the limitations on the user's view of apps and data, and on the user's interactions with that data.

An environment can have zero or one Dataverse database. The process for assigning security roles for environments that have no Dataverse database differs from that for an environment that does have a Dataverse database.

Predefined security roles

Environments include predefined security roles that reflect common user tasks with access levels defined to match the security best-practice goal of providing access to the minimum amount of business data required to use the app.

These security roles can be assigned to the user, owner team and group team.

There is another set of security roles that is assigned to application users. Those security roles are installed by our services and cannot be updated.

Important

The predefined security roles that are available in your environment depend on the environment type and the apps you have installed in your environment. Read on to know about all the predefined security roles available in an environment.

Environments without a Dataverse database

Environment Maker and Environment Admin are the only predefined roles for environments that have no Dataverse database. These roles are defined in the following table.

Security role Database privileges* Description
Environment Admin Create, Read, Write, Delete, Customizations, Security Roles The Environment Admin role can perform all administrative actions on an environment, including the following:
  • Add or remove a user from either the Environment Admin or Environment Maker role.
  • Provision a Dataverse database for the environment. After a database is provisioned, the System Customizer role should also be assigned to an Environment Admin to give them access to the environment's data.
  • View and manage all resources created within an environment.
  • Set data loss prevention policies. More information: Data loss prevention policies
Environment Maker Customizations Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment. More information: Environments overview

Environment makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization. More information: Share an app in Power Apps

*The scope of these privileges is global, unless specified otherwise.

Environments with a Dataverse database

If the environment has a Dataverse database, a user must be assigned the System Administrator role instead of the Environment Admin role for full admin privileges, as described in the following table.

For users who make apps that connect to the database and need to create or update entities and security roles, you need to assign the System Customizer role in addition to the Environment Maker role. This is necessary because the Environment Maker role doesn't have privileges on the environment's data.

Security role Database privileges* Description
App Opener Create(self), Read,Write (self), Delete (self) Has minimum privileges for common tasks. This is primarily used when creating a new security role for model-driven apps, where a copy of the role is created before applying data access to your tables. This role is protected and cannot be updated.
Environment Maker Customizations Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment. More information: Environments overview

Environment makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization. More information: Share an app in Power Apps
System Administrator Create, Read, Write, Delete, Customizations, Security Roles Has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Can view all data in the environment. More information: Privileges required for customization
System Customizer Create, Read, Write, Delete, Customizations Has full permission to customize the environment. Can view all custom table data in the environment. However, users with this role can only view rows (records) that they create in Account, Contact, Activity tables. More information: Privileges required for customization
Basic User Read (self), Create (self), Write (self), Delete (self) Can run an app within the environment and perform common tasks for the records that they own. Note that this only applies to non-custom entities. More information: Create or configure a custom security role

Note: the Common Data Service User security role was renamed to Basic User. There is no action required - this is just a name changed and it doesn't impact the user privileges or role assignment. If you have a Solution with the Common Data Service User security role, you can inadvertently update the security role name back to Common Data Service User when you import the Solution. Please update the Solution before re-importing.
Service Reader Read Has full Read permission to all entities including custom entities. This is primarily used by backend service that requires reading all entities.
Service Writer Create, Read, Write Has full Create, Read, and Write permission to all entities including custom entities. This is primarily used by backend service that requires creating and updating records.
Delegate Act on behalf of another user Allows code to impersonate, or run as another user. Typically used with another security role to allow access to records. More information: Impersonate another user
Support User Read Customizations, Read Business Management settings Has full Read permission to customization and business management settings to allow Support staff to troubleshoot environment configuration issues. Does not have access to core records.
Office Collaborator Read (self) Has Read permission to tables where a record from these tables was shared with the organization. Does not have access to any other core and custom table records. This role is assigned to the Office Collaborators owner team and not to an individual user.
Global Reader The Global Reader role is not yet supported in the Power Platform admin center.

*The scope of these privileges is global, unless specified otherwise.

In addition to the predefined security roles listed above for Dataverse, there might be other security roles available in your environment depending on the Power Platform components (Power Apps, Power Automate, Power Virtual Agents) you have.

Power Platform component Information
Power Apps Predefined security roles for environments with a Dataverse database
Power Automate Security and privacy
Power Virtual Agents Assign environment security roles

Dataverse for Teams environments

For information on Dataverse for Teams environment security roles, see User access to Dataverse for Teams environments.

App-specific security roles

If you deploy Dynamics 365 apps in your environment, such as Dynamics 365 Sales or Dynamics 365 Field Service, additional security roles get added as a result of deploying these apps. For information about these additional security roles, see the respective apps’ documentation:

Dynamics 365 app Security role docs
Dynamics 365 Sales Predefined security roles for Sales
Dynamics 365 Marketing Security roles added by Dynamics 365 Marketing
Dynamics 365 Field Service Dynamics 365 Field Service roles + definitions
Dynamics 365 Customer Service Roles in Omnichannel for Customer Service
Dynamics 365 Customer Insights Customer Insights roles
App profile manager Roles and privileges associated with app profile manager
Dynamics 365 Finance Security roles in the public sector
Finance and operations apps Security roles in Microsoft Power Platform

Summary of resources available for predefined security roles

The following table describes which resources can be authored by each security role.

Resource Environment Maker Environment Admin System Customizer System Admin
Canvas app X X X X
Cloud flow X (non-solution aware) X X (solution aware) X
Connector X X - X
Connection X X - X
Data gateway X X - X
Dataflow X X - X
Dataverse tables - - X X
Model-driven app X - X X
Solution framework X - X X
*Desktop flow - - X X
AI Builder - - X X

*Dataverse for Teams users don’t get access to desktop flows by default. You need to upgrade your environment to full Dataverse capabilities and acquire Desktop flow license plans in order to use desktop flows.

Assign security roles to users in an environment that has no Dataverse database

For environments with no Dataverse database, security roles can be assigned to individual users or groups from Azure AD. A user who has the Environment Admin role in the environment can take these steps.

  1. Sign in to the Power Platform admin center.

  2. Select Environments > [select an environment].

  3. In the Access tile, select See all for Environment admin or Environment maker to add or remove people for either role.

    Choose a role.

  4. Select Add people, and then specify the name or email address of one or more users or groups from Azure AD to assign this role to.

    Select an action.

Assign security roles to users in an environment that has a Dataverse database

Security roles can be assigned to owner teams and Azure AD group teams, in addition to individual users. Before assigning a role to a user, verify that the user is present in the environment in Enabled status. Add the user to the environment or fix their status to become Enabled before assigning a role to them. You'll be able to assign a role as part of the process of adding the user.

In general, a security role can only be assigned to users who have Enabled status. But if you need to assign a security role to users in the Disabled state, you can do so by enabling allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.

To add a security role to an owner team, group team, or a user who has Enabled status in an environment:

  1. Sign in to the Power Platform admin center.

  2. Select Environments > [select an environment].

  3. In the Access tile, select See all under Security roles.

    See all security roles.

  4. Make sure the right Business unit is selected from the dropdown, and select a role from the list of roles in the environment.

    Select Business unit.

  5. Select Add people to add a user, owner team, or group team to the role. If you do not find a user or team to assign the role to, make sure the user or team is present in the environment and the user has Enabled status before assigning a role to them.

    Add people.

Create or configure a custom security role

If your app uses a custom entity, its privileges must be explicitly granted in a security role before your app can be used. You can either add these privileges in an existing security role or create a custom security role.

Note

Every security role must include a minimum set of privileges before it can be used. These are described later in this article.

Tip

The environment might maintain the records that can be used by multiple apps; therefore, you might need multiple security roles to access the data by using different privileges. For example:

  • Some users (call them Type A) might only need to read, update, and attach other records, so their security role will have read, write, and append privileges.
  • Other users might need all the privileges that Type A users have, plus the ability to create, append to, delete, and share. The security role for these users will have create, read, write, append, delete, assign, append to, and share privileges.

For more information about access and scope privileges, see Security roles and privileges.

Create a custom security role with minimum privileges to run an app

  1. Sign in to the Power Platform admin center, and select Environments in the navigation pane.
  2. Select the environment for which you want to create a security role.
  3. Select Settings in the action bar.
  4. Select Users + permissions > Security roles.
  5. Select the check mark next to the App Opener role.
  6. Select Copy on the action bar.
  7. Enter a role name for your custom role, and then select Copy.
  8. From the list of security roles, locate your newly created custom role.
  9. Select the check mark next to your custom role.
  10. Select the More actions (...) icon, and then select Edit.
  11. In the role editor, select the Custom Entities tab to set permissions on your custom table.
  12. Find your custom table in the list, and select the Read, Write, and Append privileges.
  13. Select Save and Close.

Create a customer security role from scratch

  1. Sign in to the Power Platform admin center, and select Environments in the navigation pane.
  2. Select the environment for which you want to create a security role.
  3. Select Settings in the action bar.
  4. Select Users + permissions > Security roles.
  5. Select New role on the action bar.
  6. From the security role designer, enter a role name on the Details tab. From the other tabs, you'll select the actions and the scope for performing that action.
  7. Select a tab, and search for your entity. For example, select the Custom Entities tab to set permissions on a custom entity.
  8. Select the privileges Read, Write, Append.
  9. Select Save and Close.

Minimum privileges to run an app

When you create a custom security role, the role must have a set of minimum privileges in order for a user to run an app. We've created a solution you can import that provides a security role that includes the required minimum privileges.

See also

Grant users access
Control user access to environments: security groups and licenses
How access to a record is determined