Understand environment roles


You can manage environment security by using roles and then adding users to the environment and assigning roles to users. A role has certain permissions that are associated with it, and you can associate a user with one or many roles. Environments have two built-in roles that provide access to permissions within an environment. You'll assign users to one of these two roles when considering what permissions you want to give to a user in an environment.

The built-in environment roles are:

  • Environment Admin

  • Environment Maker


A user is automatically associated with the Environment Maker role when they are added to an environment.

Environment Admin role

The Environment Admin role can perform all administrative actions on an environment, including the following:

  • Add or remove a user or group from either the Environment Admin or Environment Maker role.

  • Provision a Dataverse database for the environment.

  • View and manage all resources created within the environment.

  • Set data loss prevention policies.

Environment Maker role

The Environment Maker role can create resources within an environment including apps, connections, custom connectors, gateways, and flows using Power Automate. The following rules apply to members of the Environment Maker role:

  • Environment Makers can distribute the apps that they build in an environment to other users within an organization. They share the app with individual users, security groups, or all users in the organization.

  • Users or groups that are assigned to these environment roles aren't automatically given access to the environment's database (if it exists). They must be given access separately by a Database owner.

  • Whenever a new user signs up for Power Apps, they're automatically added to the Maker role of the default environment.

  • When you add a user to an environment, they're assigned two roles by default.

    • Dataverse User (this role is created when you instantiate an instance of a Dataverse database and all users in the environment are assigned this role)

    • Environment Maker

Users or security groups can be assigned to either of these two roles by a System Administrator from the Power Platform admin center.