Exercise - App authorization


In this exercise, you specify the users whom you identified in a previous phase to run your apps. The path we'll take is to create a new security role with access to the Dataverse tables in our solution. Then we'll add users to that security role simply by sharing our canvas app with those users.

Security role creation and sharing a Model-driven app

Model-driven apps use role-based security for sharing. The fundamental concept in role-based security is that a security role contains privileges that define a set of actions that users can perform on tables within the app. This approach means that, while two people are able to use the app, one user might only be able to read records, or only the records that they've created. The other user might be able to view all records and have the rights to delete those records.

All app users must have one or more predefined or custom security roles in order to interact with data. Alternatively, you can assign security roles to teams. When a user or team is assigned to one of these roles, the person or team members are granted the set of privileges that are associated with that role.

The process for sharing a model-driven app is different from sharing a canvas app. Model-driven app sharing depends on how you've assigned Microsoft Dataverse table privileges for the tables that are in the app. As users are added to a security role, they instantly have access to the data.

Create a security role

When you have an app based in Dataverse, before you begin sharing your app, you need to define a security role. To start this exercise, we will create a new security role called Dive Shop App Access and grant access to users with that security role.

  1. Sign in to Power Apps.

  2. Select Solutions then find/select your Dive Center App solution.

  3. From the command bar, select New > Security > Security role.

    Screenshot of the path to find the Security role option.

  4. In the Create New Role panel, input/select the following:

    • Role Name: Dive Shop App Access
    • Business Unit: [select one that's available]
    • Member's privilege inheritance: Direct User (Basic) access level and Team privileges [default setting]
    • Include App Opener privileges for running Model-Driven apps: leave the option checked

    Select Save to continue.

  5. After you save, Power Apps creates your new security role and displays a list of all of your Dataverse tables available for assigning privileges according to this new role. You can adjust this role's access to any of the tables, but focus on the custom tables you created for this solution, notably the Dive Gear and Service Request tables. Start with the Dive Gear table by entering "dive" in the search field in the upper right corner. (Refer to the numbered image below for subsequent steps in the process.)

    Screenshot of the role selected and the Save button.

  6. Select the Dive Gear table. We want this role to have complete access to all of the CRUD functions for this data.

  7. Using the drop down controls under each function, change from None to Organization. We want these users to be able to see/modify data created or modified by any other user in the organization. If you only wanted them to see/modify items that they created, you'd select User, but in this case we want to see all of them.

  8. Now that we have permissions set for our Dive Gear table, return to your search field and input "service" to search for your Service Request table.

  9. Adjust all of the drop downs for your Service Request table for Organization access.

  10. Since our solution also uses our Contact table, search for and select the Contact table. (Refer to the image below for subsequent steps.)

    Screenshot of the role selected and the Save button.

  11. We want users with this security role to be able to access and update these records, but not to delete them. Therefore, we will adjust all of the dropdowns except Delete to Organization. We'll leave Delete as None.

  12. That's all we need for now, so select Save from the command bar, and return to your Solution page for the Dive Center App.
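
To check the outcome of steps 6 through 11 against what was intended, the following added example (not part of the original exercise and not Microsoft's code) compares a role's privilege list with the matrix described above and reports every deviation, such as a Delete privilege on Contact. The table logical names, the eight privilege verbs, and the sample data are assumptions; the input is shaped like the RolePrivileges list returned by the Dataverse Web API function RetrieveRolePrivilegesRole.

```python
# Added example: compare a role's privileges with the matrix set in this exercise.
# Access-level names in the role editor map to Dataverse privilege depths.
UI_TO_DEPTH = {"User": "Basic", "Business Unit": "Local",
               "Parent: Child": "Deep", "Organization": "Global"}
# Assumption: the role editor shows these eight privilege columns per table.
VERBS = ["Create", "Read", "Write", "Delete", "Append", "AppendTo", "Assign", "Share"]

# Hypothetical logical names for the custom tables; substitute your own.
DIVE_GEAR, SERVICE_REQUEST, CONTACT = "contoso_divegear", "contoso_servicerequest", "contact"

def intended_policy():
    """Steps 6-11: every privilege at Organization, except Delete on Contact (None)."""
    policy = {t: {v: "Organization" for v in VERBS}
              for t in (DIVE_GEAR, SERVICE_REQUEST, CONTACT)}
    policy[CONTACT]["Delete"] = None
    return policy

def audit_role(role_privileges, policy):
    """Return (table, verb, expected_depth, actual_depth) for each deviation."""
    # Privilege names are compared case-insensitively; a missing entry means None.
    actual = {p["PrivilegeName"].lower(): p["Depth"] for p in role_privileges}
    findings = []
    for table, verbs in policy.items():
        for verb, level in verbs.items():
            want = UI_TO_DEPTH[level] if level else None
            got = actual.get(f"prv{verb}{table}".lower())
            if got != want:
                findings.append((table, verb, want, got))
    return findings

def constructed_response(delete_contact_depth=None, gear_read_depth="Global"):
    """Constructed sample data (not from a real tenant) for exercising the audit."""
    rows = []
    for table in (DIVE_GEAR, SERVICE_REQUEST, CONTACT):
        for verb in VERBS:
            depth = "Global"
            if table == CONTACT and verb == "Delete":
                depth = delete_contact_depth
            if table == DIVE_GEAR and verb == "Read":
                depth = gear_read_depth
            if depth:
                rows.append({"PrivilegeName": f"prv{verb}{table}", "Depth": depth})
    return rows

if __name__ == "__main__":
    # A role that drifted: Contact can be deleted, Dive Gear read is User-level only.
    for finding in audit_role(constructed_response("Global", "Basic"), intended_policy()):
        print("DEVIATION table=%s verb=%s expected=%s actual=%s" % finding)
```
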

Share the model-driven app

  1. Select your Dive Shop app.

  2. Select Share from the command bar. (Refer to the diagram below for subsequent steps.)

    Screenshot of the initial steps to share a model-driven app.

  3. In the Share Dive Shop panel that appears on the right, select your Dive Shop app at the top. This will allow you to define which security roles your app will use.

  4. In the dropdown next to Dataverse in the Manage security roles section, find/select your Dive Shop App Access role. Notice that any users who already have access to your Dataverse environment will be listed below People and any standard security roles for these users will automatically associate with your app.

  5. Enter a user in the People field to add that user to your app. They will show up as a New user.

    Screenshot of the initial steps to share a model-driven app.

  6. Select the user you want to share the app with. Then under their name, select which role you would like to share with that user. In this case select Dive Shop App Access.

  7. Continue to add additional users via the same process. When complete, select Share. Power Apps will notify you that sharing was successful. Select Cancel to close the sharing panel.

Share your canvas app

Alternatively, you can easily share your app and assign users to our security role via the canvas app share process.

Follow these steps to share your Canvas app from the solution:

  1. Sign in to Power Apps.

  2. On the left pane, select Solutions.

  3. Find/select your Dive Center App solution.

  4. Select the Service Request app.

  5. On the command bar, select Share.

    Screenshot of the Share option on the command bar.

  6. Specify, by name or alias, the users or security groups in Microsoft Entra ID with whom you want to share the app. Simply begin typing the name of the individual/group you want to share the app with and then select the contact as it appears below the search field. (Refer to the numbered image below for the next few steps.)

    Screenshot of an individual name in the lookup feature.

    Note

    You can't share an app with a distribution group in your organization or with a group outside your organization, but you can share your app with guest users of your tenant (see the link below in Recommended content).

  7. If you want to allow users to edit and share the app, select the Co-owner check box.

  8. If your app connects to data for which users need access permissions, specify security roles as appropriate.

    When you share this app, since it's built with Dataverse as the data source, the sharing panel prompts you to assign the users to a security role for that table.

    For more information, see Manage table permissions for Dataverse.

    If your app uses connections to other data sources, such as an Excel file that's hosted on OneDrive for Business, make sure that you share these data sources with the users you shared the app with.

    For more information, see Share resources used by canvas apps.

  9. If you want to help people find your app, select the Send an email invitation to new users check box.

  10. To complete the sharing process, select Share.

    Now your selected users can run the app by using Power Apps (for mobile devices) on a mobile device or in a browser. Co-owners can edit and share the app in Power Apps.

If you sent an email invitation, users can access the app by selecting the link in the invitation email:

  • If a user selects the link on a mobile device, the app opens in Power Apps for mobile devices.

  • If a user selects the link on a desktop computer, the app opens in a browser.

Co-owners who receive an invitation get another link that opens the app for editing in Power Apps Studio.

For more information, see the following articles: