Set up access control lists in Microsoft Entra ID
Users only need access to the apps and flows that align to their departmental function. You can create Microsoft Entra ID security groups based on business processes and assign team members to the appropriate groups. The security groups control user access to the apps and visibility to the various components within the apps.
Create Microsoft Entra ID security groups
The following deployment model illustrates how you assign users to different Microsoft Entra ID security groups based on their departmental function.
Admin security group
Create an SAP Procurement Admin security group and add one or more administrators to it.
Functional security groups
The security groups can align to specific business processes. Assign all of the users who participate in the procure-to-pay process to one or more of the six different user teams:
- Vendor management
- Purchase requisitions
- Purchase orders
- Vendor goods receipts
- Vendor invoice
- Vendor payments
This model is used throughout the rest of this document to show intent, but your configuration may differ based on your requirements.
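The following PowerShell script is an added example, not part of the SAP procurement template or of this guide. It creates the seven security groups from the deployment model above with the Microsoft Graph PowerShell SDK and adds members to them. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules are installed and that the signed-in account is granted the Group.ReadWrite.All and User.Read.All scopes; the member UPNs are constructed placeholders.

```powershell
# Added example: create the Entra ID security groups for the SAP procurement deployment model.
# Assumptions: Microsoft.Graph.Groups / Microsoft.Graph.Users installed; caller holds
# Group.ReadWrite.All and User.Read.All. Member UPNs below are constructed placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Admin group plus the six functional groups aligned to the procure-to-pay process.
$groupMembers = [ordered]@{
    'SAP Procurement Admin' = @('admin1@contoso.example')
    'Vendor management'     = @('buyer1@contoso.example')
    'Purchase requisitions' = @('requester1@contoso.example')
    'Purchase orders'       = @('buyer1@contoso.example')
    'Vendor goods receipts' = @('warehouse1@contoso.example')
    'Vendor invoice'        = @('ap1@contoso.example')
    'Vendor payments'       = @('ap1@contoso.example')
}

$created = [ordered]@{}   # display name -> group object ID, needed when linking Dataverse teams

foreach ($name in $groupMembers.Keys) {
    # Idempotent: reuse an existing group instead of creating a duplicate with the same name.
    $safe  = $name -replace "'", "''"                  # escape quotes for the OData filter
    $group = Get-MgGroup -Filter "displayName eq '$safe'" | Select-Object -First 1
    if (-not $group) {
        $nick  = $name -replace '[^A-Za-z0-9]', ''      # mailNickname must be alphanumeric-safe
        $group = New-MgGroup -DisplayName $name -MailNickname $nick `
                             -MailEnabled:$false -SecurityEnabled `
                             -Description "SAP procurement template access group: $name"
        Write-Host "Created group '$name' ($($group.Id))"
    } else {
        Write-Host "Group '$name' already exists ($($group.Id))"
    }
    $created[$name] = $group.Id

    # Add members, skipping anyone who is already in the group.
    $existing = @((Get-MgGroupMember -GroupId $group.Id -All).Id)
    foreach ($upn in $groupMembers[$name]) {
        $user = Get-MgUser -UserId $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "User not found: $upn"; continue }
        if ($existing -contains $user.Id) { continue }
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        Write-Host "  added $upn"
    }
}

# Keep these object IDs: the Dataverse group team is linked to the security group by object ID.
$created.GetEnumerator() | Format-Table Name, Value
```

The script is safe to rerun: groups are looked up by display name before creation and members are only added when missing, which keeps the Entra ID groups, rather than ad hoc app sharing, as the single place where access is granted or revoked.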
Create Dataverse group teams
Admins manage the menu items visible to users in the canvas apps directly in the SAP Administrator app. Dataverse group team membership controls access and visibility to the menu items. Microsoft Entra ID security groups govern Dataverse group team membership, which has two effects:
- Users have visibility and access to appropriate menu items in the canvas apps when they are added to one or more security groups.
- Users lose visibility and access when they are removed from a security group.
Additionally, menu visibility drives the drill-through behavior on certain fields in the canvas apps. For example, if a user isn't a member of the purchase orders team, they can see only the purchase order number associated with a requisition in the SAP Requisition Management app; they can't drill through to the full purchase order details.
More information: Work with Microsoft Entra ID group teams
Steps to manage teams
Take these steps to create teams and configure security settings:
- Sign in to the Power Platform admin center.
- Go to Environments and select the environment that contains the solutions.
- Go to Settings > Users + permissions > Teams.
- Select + Create Team.
- Complete the required fields. For Team type, select Microsoft Entra ID Security Group. You must also complete Group name and Membership type.
- Search for the security group you created earlier in Microsoft Entra ID and associate it with the new group team.
- Assign security roles to teams that correspond to team functions.
Security role guidance
The following table provides guidance for assigning security roles:
Dataverse Team Name | SAP Template User | SAP Template Administrator | Basic User |
---|---|---|---|
Vendor management | X | X | |
Purchase requisitions | X | X | |
Purchase orders | X | X | |
Vendor goods receipt | X | X | |
Vendor invoice | X | X | |
Vendor payments | X | X | |
Admin | X | X | |
Note
- Users are added to or removed from a group team based on their membership to the linked Microsoft Entra ID security group.
- Access to Dataverse data is governed by team membership, with access levels differentiated by whether the SAP integration user or the SAP integration admin security role is assigned to the team.
- The Dataverse group team setup in the Power Platform admin center can also be seen in the SAP Admin app for reference.
More information: Manage group teams, Security roles and privileges
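The following script is an added example, not part of the SAP procurement template or of this guide. It performs the team setup from the steps above through the Dataverse Web API instead of the admin center pages, so the UI fields map to record attributes: Team type to teamtype 2 (Microsoft Entra ID security group), Group name to azureactivedirectoryobjectid, and Membership type to membershiptype. All values are placeholders: the environment URL, a bearer token obtained beforehand (for example with MSAL), and the group object IDs. The role mapping is illustrative only; the security role guidance table above is authoritative for your environment.

```powershell
# Added example: create Entra ID-linked Dataverse group teams and assign security roles via
# the Dataverse Web API. Placeholders: $OrgUrl, $Token, group object IDs, role names.

$OrgUrl  = 'https://yourorg.crm.dynamics.com'        # placeholder environment URL
$Token   = '<bearer token for the environment>'       # placeholder, obtained beforehand (MSAL etc.)
$Api     = "$OrgUrl/api/data/v9.2"
$Headers = @{
    Authorization      = "Bearer $Token"
    'OData-MaxVersion' = '4.0'
    'OData-Version'    = '4.0'
    Accept             = 'application/json'
    'Content-Type'     = 'application/json'
    Prefer             = 'return=representation'      # POST returns the created record
}

# Teams are owned by a business unit; use the root business unit (the one with no parent).
$bu = (Invoke-RestMethod -Headers $Headers -Uri "$Api/businessunits?`$select=businessunitid&`$filter=_parentbusinessunitid_value eq null").value[0]

# Team name, linked Entra ID group object ID (placeholders), roles to assign (illustrative).
$teams = @(
    @{ Name = 'Vendor management';     GroupId = '11111111-1111-1111-1111-111111111111'; Roles = @('SAP Template User') }
    @{ Name = 'Purchase requisitions'; GroupId = '22222222-2222-2222-2222-222222222222'; Roles = @('SAP Template User') }
    @{ Name = 'Purchase orders';       GroupId = '33333333-3333-3333-3333-333333333333'; Roles = @('SAP Template User') }
    @{ Name = 'Vendor goods receipt';  GroupId = '44444444-4444-4444-4444-444444444444'; Roles = @('SAP Template User') }
    @{ Name = 'Vendor invoice';        GroupId = '55555555-5555-5555-5555-555555555555'; Roles = @('SAP Template User') }
    @{ Name = 'Vendor payments';       GroupId = '66666666-6666-6666-6666-666666666666'; Roles = @('SAP Template User') }
    @{ Name = 'Admin';                 GroupId = '77777777-7777-7777-7777-777777777777'; Roles = @('SAP Template Administrator') }
)

foreach ($t in $teams) {
    # Idempotent: a group team already linked to this Entra ID group is reused.
    $found = (Invoke-RestMethod -Headers $Headers -Uri "$Api/teams?`$select=teamid,name&`$filter=azureactivedirectoryobjectid eq $($t.GroupId)").value
    if ($found) {
        $teamId = $found[0].teamid
        Write-Host "Team '$($found[0].name)' already linked ($teamId)"
    } else {
        $body = @{
            name                         = $t.Name
            teamtype                     = 2        # 2 = Microsoft Entra ID security group
            azureactivedirectoryobjectid = $t.GroupId
            membershiptype               = 1        # 0 members and guests, 1 members, 2 owners, 3 guests
            'businessunitid@odata.bind'  = "/businessunits($($bu.businessunitid))"
        } | ConvertTo-Json
        $teamId = (Invoke-RestMethod -Method Post -Headers $Headers -Uri "$Api/teams" -Body $body).teamid
        Write-Host "Created team '$($t.Name)' ($teamId)"
    }

    # Roles already held by the team, to avoid re-associating them.
    $have = @((Invoke-RestMethod -Headers $Headers -Uri "$Api/teams($teamId)/teamroles_association?`$select=roleid").value.roleid)

    foreach ($roleName in $t.Roles) {
        # Security roles are per business unit, so filter on both name and business unit.
        $role = (Invoke-RestMethod -Headers $Headers -Uri "$Api/roles?`$select=roleid&`$filter=name eq '$roleName' and _businessunitid_value eq $($bu.businessunitid)").value
        if (-not $role) { Write-Warning "Role not found: $roleName"; continue }
        if ($have -contains $role[0].roleid) { continue }
        $ref = @{ '@odata.id' = "$Api/roles($($role[0].roleid))" } | ConvertTo-Json
        Invoke-RestMethod -Method Post -Headers $Headers -Uri "$Api/teams($teamId)/teamroles_association/`$ref" -Body $ref | Out-Null
        Write-Host "  assigned role '$roleName'"
    }
}
```

Because the team is looked up by its linked Entra ID object ID, and roles are checked before association, the script can be rerun after a group is recreated or a role is renamed without producing duplicate teams.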
Share access to the apps and flows
Security group members can only access apps and flows that are shared with them. Use the security group model in this document as an example to help you set up security groups for your organization.
Share the flows with Run only privileges so that users can run the embedded flows and so that the SAP ERP, Dataverse, and Office 365 connectors run with the triggering user's credentials.
Warning
Failure to change the Run only privileges of the flows prevents the connector services from passing the user's credentials. Limit the sharing of Dataverse and Office 365 connections.
Steps to share apps
- Go to the individual apps in Power Apps.
- Select the Share option.
- Search for and select the appropriate security group that contains the members who need to access that app.
- Select Share. You can also choose whether or not to include an email invitation (not required).
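The following script is an added example, not part of the SAP procurement template or of this guide. It shares each canvas app with the Entra ID security group of the team that uses it, view-only, using the Power Apps administration cmdlets, and looks up the groups by display name with Microsoft Graph. It assumes the Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph.Groups modules are installed, that the environment ID is supplied as a placeholder, and that the app and group display names are the ones used in this document. Flow sharing, including the Provided by run-only user connection setting, is left to the steps below.

```powershell
# Added example: share each canvas app with its team's Entra ID security group (CanView).
# Assumptions: Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph.Groups installed;
# $EnvironmentName is a placeholder; app and group names follow this document.

Add-PowerAppsAccount
Connect-MgGraph -Scopes 'Group.Read.All'

$EnvironmentName = '<environment id>'   # placeholder

# App display name -> security group display name (from the deployment model in this document).
$appToGroup = [ordered]@{
    'SAP Vendor Management'      = 'Vendor management'
    'SAP Purchase Requisitions'  = 'Purchase requisitions'
    'SAP Purchase Orders'        = 'Purchase orders'
    'SAP Goods Receipts'         = 'Vendor goods receipts'
    'SAP Vendor Invoice'         = 'Vendor invoice'
    'SAP Vendor Payments'        = 'Vendor payments'
    'SAP Template Administrator' = 'SAP Procurement Admin'
}

$apps = Get-AdminPowerApp -EnvironmentName $EnvironmentName

foreach ($appName in $appToGroup.Keys) {
    $app = $apps | Where-Object { $_.DisplayName -eq $appName } | Select-Object -First 1
    if (-not $app) { Write-Warning "App not found in environment: $appName"; continue }

    $groupName = $appToGroup[$appName]
    $safe  = $groupName -replace "'", "''"
    $group = Get-MgGroup -Filter "displayName eq '$safe'" | Select-Object -First 1
    if (-not $group) { Write-Warning "Security group not found: $groupName"; continue }

    # CanView grants run access only; members cannot edit or re-share the app.
    Set-AdminPowerAppRoleAssignment -EnvironmentName $EnvironmentName -AppName $app.AppName `
        -PrincipalType Group -PrincipalObjectId $group.Id -RoleName CanView | Out-Null
    Write-Host "Shared '$appName' with group '$groupName' (CanView)"
}
```

Sharing with the group rather than with individual users means that adding or removing someone from the Entra ID security group is the only change needed to grant or revoke app access.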
Steps to share flows
- Go to the individual cloud flows in Power Apps.
- Go to the Run only users section and select Edit.
- Invite system users and teams by searching for and selecting the Microsoft Entra ID security groups that need access to the flow, according to the canvas apps that each team needs to use.
- For all three connections used, select the Provided by run-only end user option.
- Select Save.
Sharing summary
This table summarizes which components need to be assigned or shared with each of the example Microsoft Entra ID security group teams.
Component | Type | Vendor management team | Purchase requisitions team | Purchase orders team | Vendor goods receipt team | Vendor invoice team | Vendor payments team | Admin team |
---|---|---|---|---|---|---|---|---|
SAP Vendor Management | app | X | ||||||
SAP Purchase Requisitions | app | X | ||||||
SAP Purchase Orders | app | X | ||||||
SAP Goods Receipts | app | X | ||||||
SAP Vendor Invoice | app | X | ||||||
SAP Vendor Payments | app | X | ||||||
SAP Template Administrator | app | X | ||||||
ApprovePurchaseOrder | flow | X | ||||||
ApproveVendorInvoice | flow | X | ||||||
ConvertRequisitionToPurchaseOrder | flow | X | ||||||
CreateGoodsReceipt | flow | X | ||||||
CreatePurchaseOrder | flow | X | ||||||
CreateRequisition | flow | X | ||||||
CreateVendor | flow | X | ||||||
CreateVendorInvoice | flow | X | ||||||
ReadGLAccount | flow | X | X | X | ||||
ReadGLAccountList | flow | X | X | X | ||||
ReadGoodsReceipt | flow | X | X | X | ||||
ReadGoodsReceiptList | flow | X | X | X | ||||
ReadMaterial | flow | X | X | X | X | X | X | |
ReadMaterialList | flow | X | X | X | X | X | X | |
ReadPurchaseOrder | flow | X | X | X | X | |||
ReadPurchaseOrderList | flow | X | X | X | X | |||
ReadRequisition | flow | X | X | X | ||||
ReadRequisitionList | flow | X | X | X | ||||
ReadVendor | flow | X | X | X | X | X | X | |
ReadVendorInvoice | flow | X | X | X | X | |||
ReadVendorInvoiceList | flow | X | X | X | X | |||
ReadVendorList | flow | X | X | X | X | X | X | |
ReadVendorPayment | flow | X | X | X | ||||
ReadVendorPaymentList | flow | X | X | X | ||||
ReverseVendorInvoice | flow | X | ||||||
UpdatePurchaseOrder | flow | X | ||||||
UpdateVendor | flow | X | ||||||
UpdateVendorInvoice | flow | X | ||||||