PowerApps – Creating and assigning CDS Security Roles

I’ve been working with the Common Data Service (CDS) recently while developing a few PowerApps and wanted to share my learnings with Security Roles. This was my first time using CDS so there was a bit of a learning curve but what I can say so far is that it’s awesome and incredibly powerful! 

I’m now considering using CDS for more of my apps as an alternative to SharePoint lists. When combined with the connector and actions in Flow this makes the platform even more powerful and suited to many different app scenarios. 

One of my apps uses a custom entity in CDS to store its data. I wanted to ensure that when sharing this app that a) users had the appropriate permissions to read/write to my entity and b) permissions were locked down to the specific entity ONLY. This is achieved through Security Roles. I will point out that the specific app in question and the steps below are based on a Canvas app; having not explored Model-driven apps yet, I am unable to say if there is any difference when creating and assigning Security Roles.

If you have an environment with multiple apps that leverage CDS in any form, including custom entities, you should be using these custom roles to secure your apps and database. This will ensure that users who have permissions to build/edit apps can only use the entities you have made available to them.

For the first part, PowerApps gives you the option to create a custom Security Role through the ‘Set permissions’ link –

Clicking the ‘Security Roles’ link will take you to the list of Security Roles in Dynamics –


Here you can create your custom Security Role or edit an existing role e.g. ‘Common Data Service User’ and assign permissions to your custom entity. The below screenshot shows my custom role and the permissions assigned – 

Once you have created your Security Role, the next step is to assign permissions to your users. This part actually requires slightly different steps than the documentation suggests, so I ended up going around in circles for a while in Dynamics! To assign a role to user(s), this is the correct navigation path to take:

  1. Navigate to the PowerApps Admin Centre – Settings cog > Admin center.
  2. Select the environment
  3. Click the ‘Security’ tab
  4. Use the ‘Add user’ section to add your users that you need to grant permissions to (this will add them into your org within Dynamics).
  5. Click the ‘Assign security roles’ button 
  6. Steps below are now different from the documentation – 
  7. This will take you to a ‘Users Enabled Users’ page in Dynamics where you can see the users you added in step 4; you may already have users listed in here. I could not find anywhere in here to assign a role to a user, hence the following steps.
  8. Click the cog > Advanced Settings
  9. Click Security under System –
  10. This will take you to another ‘Users Enabled Users’ page but if you look at the top menu and compare it to the page you navigated to earlier, you will notice it is different. It seems you can only assign roles here. The screenshots below show the difference between the two menus and a helpful message with a link to ‘Assign Roles’.
      Enabled Users page navigated to from PowerApps (cannot assign roles)
      Enabled Users page navigated to from Dynamics (can assign roles) – notice the difference in menus above
  11. You can now click ‘Assign Roles’ or highlight a user and click ‘Manage Roles’ in the menu. (It’s worth noting that clicking ‘Assign Roles’ didn’t do anything for me).
  12. When you click ‘Manage Roles’ you will see a dialog appear where you can assign your role to a user –

Repeat the above for each user you wish to assign to the role and you are done 😃.

Now when you share your app you ensure that your users can use your custom entity or any of the out of the box entities that you have granted them permissions to.
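To confirm that a custom role really is locked down to one entity, the check below (an added example, not part of the original post) audits a role's privilege list against an allow-list of entities and a maximum access depth. It assumes the role's privilege names and depths have already been exported; the entity `new_project`, the function names and the sample list are hypothetical and constructed for illustration.

```python
# Added example: least-privilege check for a custom CDS security role.
# Entity privileges follow the platform's prv<Verb><EntityName> naming.
# Longest verbs come first so "prvAppendTo..." is not read as Append + "To...".
VERBS = ("AppendTo", "Append", "Create", "Read", "Write", "Delete", "Assign", "Share")
DEPTHS = ("Basic", "Local", "Deep", "Global")  # user, business unit, parent:child, organization


def parse_privilege(name):
    """Split 'prvReadnew_project' into ('Read', 'new_project'); None if not entity-scoped."""
    if not name.startswith("prv"):
        return None
    rest = name[3:]
    for verb in VERBS:
        if rest.startswith(verb) and len(rest) > len(verb):
            return verb, rest[len(verb):].lower()
    return None  # e.g. prvExportToExcel: a miscellaneous privilege with no entity


def audit_role(privileges, allowed_entities, max_depth="Basic"):
    """Return (name, depth, reason) for each privilege that breaks the lock-down."""
    allowed = {e.lower() for e in allowed_entities}
    limit = DEPTHS.index(max_depth)
    findings = []
    for name, depth in privileges:
        parsed = parse_privilege(name)
        if parsed is None:
            findings.append((name, depth, "not an entity privilege, review manually"))
            continue
        _verb, entity = parsed
        if entity not in allowed:
            findings.append((name, depth, "entity '%s' is not on the allow-list" % entity))
        elif DEPTHS.index(depth) > limit:
            findings.append((name, depth, "depth exceeds %s" % max_depth))
    return findings


# Constructed sample: privileges of a hypothetical role meant for new_project only.
SAMPLE_ROLE = [
    ("prvCreatenew_project", "Basic"),
    ("prvReadnew_project", "Global"),      # wider than user-level access
    ("prvAppendTonew_project", "Basic"),
    ("prvWriteAccount", "Local"),          # out-of-the-box entity, not intended
    ("prvExportToExcel", "Basic"),         # miscellaneous privilege
]

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, ["new_project"]):
        print(finding)
```

A role copied from ‘Common Data Service User’ will carry privileges on other entities, so extend the allow-list with the ones you intend to keep and review whatever is still reported.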

In summary, Security Roles are a great way to secure your apps and Custom Entities in CDS offer a great deal of flexibility for either Model driven or Canvas apps. 
