Exercise - Create a custom role
Microsoft Dataverse has many standard default roles, but there might be times when you want to define a custom security role. Dataverse supports the following eight different record-level privileges. You can use them to define how a user interacts with data for one or more tables for use in building a custom role. It's important to remember that every security role must include a minimum set of privileges before it can be used. The available record-level privileges for custom roles include:
Create - Required to make a new record. The records that can be created depend on the access level of the permission that is defined in your security role.
Read - Required to open a record to view the contents. The records that can be read depend on the access level of the permission that is defined in your security role.
Write - Required to make changes to a record. The records that can be changed depend on the access level of the permission that is defined in your security role.
Delete - Required to permanently remove a record. The records that can be deleted depend on the access level of the permission that is defined in your security role.
Append - Required to associate a record with the current record. For example, if a user has Append rights on an opportunity, the user can add a note to an opportunity. The records that can be appended depends on the access level of the permission that is defined in your security role. In case of many-to-many relationships, you must have Append privilege for both tables being associated or disassociated.
Append To - Required to associate the current record with another record. For example, a note can be attached to an opportunity if the user has Append To rights on the note. Which records can be appended to depends on the access level of the permission that is defined in your security role.
Assign - Required to give ownership of a record to another user. The records that can be assigned depends on the access level of the permission that is defined in your security role.
Share - Required to give another user access to a record while keeping your own access. The records that can be shared depends on the access level of the permission that is defined in your security role.
These record-level privileges can be grouped as needed and associated with a custom role. That custom role can then be applied to one or many tables as needed.
Roles can be copied so you can quickly create similar roles that might be slightly different. Also, it is much easier to copy a role and modify it, than to generate one from nothing.
Create a custom security role and assign to tables and users
This lab will show you how to create a new role and associate that role with a custom table. Then, you can associate users to the new role so they can access the data in the custom tables as needed.
To grant access, you'll need to:
Create a new user security role or amend an existing user security role to include settings for the custom table.
Assign users to the security role.
To get started, use the following steps to create a new security role.
Sign in to Power Apps as an administrator.
Select the gear icon in the menu and select Admin Center.
Select the Environments tab from the left side menu, and then select the name of the environment you would like to administer.
Select See all under Security Roles in the Access pane on the top right.
Select New role in the top menu bar, which will open the security role designer.
Enter a name for your security role in the Role Name field.
Locate the tables that your app uses by selecting each tab in the security role designer. If your tables are custom, they'll be under the Custom Entities tab.
When you've located your tables, select the privileges that you want to grant your users, such as Read, Write, Delete, and so on. Select the scope for performing that action by selecting the name of the table. Scope determines how deep or high within the environment's hierarchy that the user can perform a particular action.
You toggle through the privileges to assign them. In other words, when you repeatedly select a privilege that is empty, it cycles through User, then Business Unit, then Parent, then Organization, then back to empty.
Unfortunately, the header to the privilege levels doesn't freeze in place as you scroll down the list to find your table, but you can hover over each circle and it tells you which privilege it represents.
You can select the table name on the left to assign all of the record-level privileges simultaneously. You can also select them one at a time.
Select Save and Close.
Congratulations, you've created a new custom security role. Next, you'll assign users to this role.
To assign a user to a security role, you need to be a member of the System Administrator role in the current environment, and then follow these steps:
Sign in to Power Apps as an admin, select the settings gear, and then select Admin Center.
In Power Platform admin center, select Environments from the left side navigation pane, then select the environment where you want to update a security role.
Select See all under Users in the Access pane at the top right.
Verify that the user(s) already exists in the environment. You can scroll through the list or enter a user name in the search field in the top right ribbon. If the user isn't on the list, go to step 5. Otherwise, you can skip to step 6.
In case a user doesn't exist in the environment, you can add the user by selecting the Add user button and entering the user's email address in your organization.
After you know the users you want to assign a security role to exist in your environment, select the radio button to the left of their name.
Select Manage Security Roles from the top ribbon.
You can also select a user's name from the list, and then select Manage roles from the popout pane to manage their security roles.
In the Manage Security Roles dialog box, select the check boxes next to the role(s) that you created in the previous section and make sure to also select the Basic User role (if it wasn't already). The Basic User role must be assigned to any user who wants to use your app or access Dataverse.
Select Save to assign the role(s) to the user that you selected.
If you'd like to learn more about creating customer roles see: Create or configure a custom security role