Solutions and sharing
When a Power Automate cloud flow is created in a solution or added to a solution, an extra layer of security is enabled and it changes how you share a cloud flow.
Solutions are the Microsoft Power Platform mechanism for implementing application lifecycle management (ALM) for Power Apps, Power Automate, and Power Virtual Agents. You can add Power Automate cloud flows as a solution component along with other resources, such as Power Apps and Dataverse tables. Then, solutions act as a container for your changes and allow you to transport them from one Microsoft Power Platform environment to another. Additionally, you can export solutions and store them in source control as part of your ALM strategy.
You can only create solutions in a Microsoft Power Platform environment with Microsoft Dataverse set up. Cloud flows that are associated with a solution are stored in a Dataverse table named Process. The ability of a user, other than the creator of the cloud flow, to run or modify the flow depends on the user's Dataverse security privileges.
For a user to run or modify a cloud flow, you first need to add them to the Dataverse environment where the cloud flow resides. For example, if you try to share with a user who isn't added to the environment, the following "not found" message displays.
If you created the environment, you're an environment administrator and can add the user. Otherwise, any environment administrator can add users. The newly added user needs to have a security role assigned that gives them at least user-level privileges to the Processes table. A good built-in security role that would give them that ability is the Environment Maker role. However, you can also use or create a custom security role.
After you add the user to the environment, you can share a solution cloud flow with them, and they can see the flow in Solution Explorer. They can't view the shared flow in My flows > Shared with me. They only see it when using Solution Explorer.
You can share a solution flow with a group of users, but it's done by using Dataverse teams instead of user groups. You can still use Microsoft Entra security groups or Office groups, but you need to first associate the group with a Dataverse team.
Before you can share flows with the team, you need to associate it with a security role. After you finish, you can share a solution cloud flow with the team, which will give owner access to the cloud flow to all members of the group.
Run-only flows
You can use a similar process to share cloud flows in solutions as run-only. To be effective at limiting a user's access to read-only, the security role that grants them privileges to the Dataverse Processes table must be limited to their own processes. That way, the users can't modify the processes that they didn't create. A good built-in role for run-only use would be the Basic User role.
Impact of Dataverse security roles
Because Dataverse security controls the sharing of solution cloud flows, users can also gain access to solution cloud flows based on security roles that were assigned to them directly or indirectly through a Dataverse team. For example, users with the System Administrator or System Customizer built-in roles have the equivalent of owner access to all cloud flows in the environment without a direct share being required. Users who gain access to a cloud flow through a security role and not a direct share aren't listed in the owner's list on the cloud flow. You can check what privileges a security role provides by looking at its setup.
The green hierarchy symbol next to Organization in the previous image demonstrates how each privilege would grant permissions to perform the relevant operation (create, read, write, delete) for any solution flow in this environment. The following image shows what the Basic User role looks like.
The relevant operation (create, read, write, delete) is at the user level, meaning users can access solution cloud flows they created. The security role configuration allows for individual sharing of cloud flows with users or teams while only granting the privileges specified by the type of share, such as owner or run-only. This ensures secure and efficient management of cloud flows within a team or organization.
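The following added example (not part of this module or of the Power Platform) is a simplified model of the access decision described in the sharing, run-only and security-role sections above: privilege depth on the Process table, ownership, direct shares, and shares through a Dataverse team are combined into an effective access level. The role definitions, user names, team and flow are constructed for illustration; real Dataverse roles carry more privileges and depths than modeled here.

```python
from dataclasses import dataclass, field
from enum import Enum

class Depth(Enum):
    """Simplified Dataverse privilege depth for the Process (cloud flow) table."""
    NONE = 0          # privilege not granted at all
    USER = 1          # own records only (user level)
    ORGANIZATION = 8  # every record in the environment

@dataclass(frozen=True)
class Role:
    name: str
    read: Depth   # controls whether the user can see/run a flow
    write: Depth  # controls whether the user can modify a flow

@dataclass
class Team:
    name: str
    roles: tuple        # security roles associated with the Dataverse team
    members: frozenset  # user names

@dataclass
class User:
    name: str
    roles: tuple = ()   # security roles assigned directly

@dataclass
class SolutionFlow:
    name: str
    owner: str          # creator of the flow
    shares: dict = field(default_factory=dict)  # user or team name -> "owner" | "run-only"

# Constructed approximations of the built-in roles mentioned in the text.
BASIC_USER = Role("Basic User", Depth.USER, Depth.USER)
ENVIRONMENT_MAKER = Role("Environment Maker", Depth.USER, Depth.USER)
SYSTEM_ADMINISTRATOR = Role("System Administrator", Depth.ORGANIZATION, Depth.ORGANIZATION)

def effective_access(user, flow, teams=()):
    """Return 'owner', 'run-only' or 'none' for a user on a solution cloud flow."""
    my_teams = [t for t in teams if user.name in t.members]
    roles = list(user.roles) + [r for t in my_teams for r in t.roles]
    read = max((r.read for r in roles), key=lambda d: d.value, default=Depth.NONE)
    write = max((r.write for r in roles), key=lambda d: d.value, default=Depth.NONE)
    if read is Depth.NONE:  # no Process privilege: a share has no effect (the "not found" case)
        return "none"
    grants = {flow.shares.get(p) for p in [user.name] + [t.name for t in my_teams]} - {None}
    is_owner = flow.owner == user.name
    if write is Depth.ORGANIZATION or (write is Depth.USER and is_owner) or "owner" in grants:
        return "owner"
    if read is Depth.ORGANIZATION or (read is Depth.USER and is_owner) or "run-only" in grants:
        return "run-only"
    return "none"

def in_owner_list(user, flow):
    """Only creators and directly shared owners appear in the flow's owner list."""
    return flow.owner == user.name or flow.shares.get(user.name) == "owner"
```

Note that a System Administrator gets owner-level access from the role alone, so the model returns "owner" for them while in_owner_list is False, matching the behavior described above.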
A complete discussion of Dataverse security is beyond the scope of this module. For more information, see Security concepts in Microsoft Dataverse.