Configure user security in an environment - Power Platform (2023)


Microsoft Dataverse uses a role-based security model to help protect access to the database. This article explains how to create the necessary security artifacts to help protect resources in an environment. Security roles can be used to configure environment-wide access to all environment resources, or to configure access to environment-specific applications and data. Security roles control a user's access to resources in an environment through a set of access levels and permissions. The combination of access levels and permissions included in a specific security role governs the limitations on the viewing of applications and user data and the user's interactions with that data.

An environment can have zero or one Dataverse database. The security role assignment process for environments that do not have a Dataverse database differs from that for an environment that has a Dataverse database.

Predefined security roles

Environments include predefined security roles that reflect common user tasks with access levels defined to align with the security best practice goal of providing access to the minimum amount of business data needed to use the application.

These security roles can be assigned to a user, owner team, and group team.

There is another set of security roles that is assigned to app users. These security roles are installed by our services and cannot be updated.

The predefined security roles that are available in your environment depend on the environment type.

Environments without a Dataverse database

Environment Creator and Environment Administrator are the only predefined roles for environments that do not have a Dataverse database. These roles are described in the following table.

| Security role | Database privileges* | Description |
| --- | --- | --- |
| Environment Administrator | Create, Read, Write, Delete, Customizations, Security Roles | The Environment Administrator role can perform all administrative actions in an environment, including the following: add or remove a user from the Environment Administrator or Environment Creator role; provision a Dataverse database for the environment (once a database is provisioned, the System Customizer role must also be assigned to an environment administrator to grant them access to environment data); view and manage all resources created in an environment; establish data loss prevention policies. More information: Data loss prevention policies |
| Environment Creator | Customizations | Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role does not have any privileges to access data in an environment. More information: Environments Overview. Environment creators can also distribute the applications they create in an environment to other users in their organization. They can share the app with individual users, security groups, or all users in the organization. More information: Share an app in Power Apps |

*The scope of these privileges is global unless otherwise specified.

Environments with Dataverse database

If the environment has a Dataverse database, a user must be assigned the System Administrator role instead of the Environment Administrator role to gain full administrative privileges, as described in the following table.

For users who create applications that connect to the database and need to create or update entities and security roles, you must assign the System Customizer role in addition to the Environment Creator role. This is required because the Environment Creator role does not have privileges on environment data.

| Security role | Database privileges* | Description |
| --- | --- | --- |
| Environment Creator | Customizations | Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role does not have any privileges to access data in an environment. More information: Environments Overview. Environment creators can also distribute the applications they create in an environment to other users in their organization. They can share the app with individual users, security groups, or all users in the organization. More information: Share an app in Power Apps |
| System Administrator | Create, Read, Write, Delete, Customizations, Security Roles | Has full permission to customize or manage the environment, including creating, modifying, and assigning security roles. Can view all the data in the environment. More information: Privileges required for customization |
| System Customizer | Create, Read, Write, Delete, Customizations | Has full permission to customize the environment. Can view all custom table data in the environment. However, users with this role can only view the rows (records) they create in the Account, Contact, and Activity tables. More information: Privileges required for customization |
| Basic User | Read (self), Create (self), Write (self), Delete (self) | Can run an application in the environment and perform common tasks for the records they own. Note that this only applies to non-custom entities. More information: Create or configure a custom security role. Note: The Common Data Service User security role has been renamed to Basic User. No action is required; this is a name change only and does not affect the user's privileges or role assignment. If you have a solution with the Common Data Service User security role, you might inadvertently update the security role name to Common Data Service User when importing the solution. Please update the solution before importing again. |
| Service Reader | Read | Has full Read permission to all entities, including custom entities. This is mainly used by a back-end service that requires reading all the entities. |
| Service Writer | Create, Read, Write | Has full Create, Read, and Write permissions to all entities, including custom entities. This is mainly used by a back-end service that requires the creation and updating of records. |
| Delegate | Act on behalf of another user | Allows code to impersonate, or run as, another user. Typically used with another security role to allow access to records. More information: Impersonate another user |
| Support User | Read Customizations, Read Business Management settings | Has full Read permission for customization and business management settings to allow support personnel to troubleshoot environment settings. Does not have access to core records. |
| Office Collaborator | Read (self) | Has Read permission for tables where a record from those tables has been shared with the organization. Does not have access to any other core and custom table records. This role is assigned to the Office Collaborators owner team, not to an individual user. |
| Global Reader | | The Global Reader role is not yet supported in the Power Platform admin center. |

*The scope of these privileges is global unless otherwise specified.

In addition to the predefined security roles listed above for Dataverse, there may be other security roles available in your environment depending on the Power Platform components (Power Apps, Power Automate, Power Virtual Agents) that you have.

| Power Platform component | Information |
| --- | --- |
| Power Apps | Predefined security roles for environments with a Dataverse database |
| Power Automate | Security and privacy |
| Power Virtual Agents | Assign environment security roles |

Dataverse for Teams environments

For information about security roles for Dataverse for Teams environments, see User access to Dataverse for Teams environments.

Application-specific security roles

If you deploy Dynamics 365 apps in your environment, such as Dynamics 365 Sales or Dynamics 365 Field Service, additional security roles will be added as a result of deploying these apps. For information on these additional security roles, see the documentation for the respective applications:

| Dynamics 365 app | Security role docs |
| --- | --- |
| Dynamics 365 Sales | Predefined security roles for Sales |
| Dynamics 365 Marketing | Security roles added by Dynamics 365 Marketing |
| Dynamics 365 Field Service | Dynamics 365 Field Service roles and definitions |
| Dynamics 365 Customer Service | Roles in Omnichannel for Customer Service |
| Dynamics 365 Customer Insights | Customer Insights roles |
| App profile manager | Roles and privileges associated with app profile manager |
| Dynamics 365 Finance | Security roles in the public sector |
| Finance and Operations apps | Security roles in Microsoft Power Platform |

Summary of resources available to predefined security roles

The following table describes which resources each security role can create.

| Resource | Environment Creator | Environment Administrator | System Customizer | System Administrator |
| --- | --- | --- | --- | --- |
| Canvas app | X | X | X | X |
| Cloud flow | X (non-solution aware) | X | X (solution aware) | X |
| Connector | X | X | - | X |
| Connection | X | X | - | X |
| Data gateway | X | X | - | X |
| Dataflow | X | X | - | X |
| Dataverse tables | - | - | X | X |
| Model-driven app | X | - | X | X |
| Solution framework | X | - | X | X |
| *Desktop flow | - | - | X | X |
| AI Builder | - | - | X | X |

*Dataverse for Teams users do not have access to desktop flows by default. You must upgrade your environment to the full features of Dataverse and purchase Desktop Flow License Plans to use desktop flows.
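The summary table can be turned into a least-privilege check on role assignments. The following Python sketch is an added example, not Microsoft's code: it transcribes the table and the database privileges listed for each role, then finds the role set that covers what a user must create while granting the fewest distinct database privileges. That ranking, the helper names, and the sample users are assumptions made for illustration.

```python
from itertools import combinations

# Database privileges per role, as listed in the predefined-role tables above.
BASE = {"create", "read", "write", "delete", "customizations"}
PRIVS = {
    "Environment Creator": {"customizations"},
    "Environment Administrator": BASE | {"security roles"},
    "System Customizer": BASE,
    "System Administrator": BASE | {"security roles"},
}
# Resources each role can create, transcribed from the summary table
# (the solution-awareness qualifier on cloud flows is not modelled here).
COMMON = {"canvas app", "cloud flow"}
INTEG = {"connector", "connection", "data gateway", "dataflow"}
BUILD = {"model-driven app", "solution framework"}
DATA = {"Dataverse tables", "desktop flow", "AI Builder"}
CAN_CREATE = {
    "Environment Creator": COMMON | INTEG | BUILD,
    "Environment Administrator": COMMON | INTEG,
    "System Customizer": COMMON | BUILD | DATA,
    "System Administrator": COMMON | INTEG | BUILD | DATA,
}

def _cost(roles):
    """Assumed ranking: distinct privileges granted, then number of roles."""
    return (len(set().union(*(PRIVS[r] for r in roles))), len(roles), sorted(roles))

def minimal_roles(needed, has_dataverse=True):
    """Return the lowest-cost role tuple that can create everything needed, or None."""
    pool = (["Environment Creator", "System Customizer", "System Administrator"]
            if has_dataverse else ["Environment Creator", "Environment Administrator"])
    fits = [c for n in range(1, len(pool) + 1) for c in combinations(pool, n)
            if set(needed) <= set().union(*(CAN_CREATE[r] for r in c))]
    return min(fits, key=_cost) if fits else None

def audit(assignments, has_dataverse=True):
    """Map each over-privileged user to the smaller role set that would suffice."""
    findings = {}
    for user, (assigned, needed) in assignments.items():
        best = minimal_roles(needed, has_dataverse)
        if best and _cost(assigned)[0] > _cost(best)[0]:
            findings[user] = best
    return findings

# Constructed sample: user -> (roles assigned today, resources they must create).
SAMPLE = {
    "maker@contoso.example": (["System Administrator"], {"canvas app", "cloud flow"}),
    "dev@contoso.example": (["Environment Creator", "System Customizer"],
                            {"connector", "Dataverse tables"}),
}
```

Running `audit(SAMPLE)` flags only the first user, and the second user's pair of roles matches the guidance above that makers who work with the database need System Customizer in addition to Environment Creator.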

Assign security roles to users in an environment that does not have a Dataverse database

For environments without a Dataverse database, security roles can be assigned to individual Azure AD users or groups. A user who has the environment administrator role in the environment can follow these steps.

  1. Sign in to the Power Platform admin center.

  2. Select Environments > [select an environment].

  3. In the Access tile, select See all for Environment Administrator or Environment Creator to add or remove people for either role.

  4. Select Add people and then specify the name or email address of one or more Azure AD users or groups to assign this role to.

Assign security roles to users in an environment that has a Dataverse database

Security roles can be assigned to owner teams and Azure AD group teams, in addition to individual users. Before assigning a role to a user, check that the user is present in the environment with a status of Enabled. Add the user to the environment, or correct their status so that it is Enabled, before assigning them a role. You can also assign a role as part of the process of adding the user.

In general, a security role can only be assigned to users with a status of Enabled. But if you need to assign a security role to users in the Disabled state, you can do so by enabling the allowRoleAssignmentOnDisabledUsers setting in OrgDBOrgSettings.

To add a security role to an owner team, group team, or user with a status of Enabled in an environment:

  1. Sign in to the Power Platform admin center.

  2. Select Environments > [select an environment].

  3. In the Access tile, select See all under Security roles.

  4. Make sure the correct business unit is selected from the dropdown menu and select a role from the list of roles in the environment.

  5. Select Add people to add a user, owner team, or group team to the role. If you can't find a user or team to assign the role to, ensure that the user or team is present in the environment and that the user has a status of Enabled before assigning them a role.

Create or configure a custom security role

If your app uses a custom entity, its privileges must be explicitly granted in a security role before your app can be used. You can add these privileges to an existing security role or create a custom security role.

Note

Each security role must include a minimum set of privileges before it can be used. These are described later in this article.

Tip

The environment can keep records that can be used by multiple applications; therefore, you may need multiple security roles to access data with different privileges. For example:

  • Some users (called Type A) may only need to read, update, and attach other records, so their security role will have Read, Write, and Append privileges.
  • Other users may need all the privileges that Type A users have, plus the ability to create, append, delete, and share. The security role for these users will have Create, Read, Write, Append, Delete, Assign, Append To, and Share privileges.

For more information on access privileges and scope, see Security roles and privileges.

  1. Sign in to the Power Platform admin center and select the environment for which you want to update a security role.

  2. Select the environment URL.

  3. If you see published apps and tiles, select the gear icon in the upper-right corner and select Advanced settings.

  4. On the menu bar, select Settings > Security.

  5. Select Security roles.

  6. Select New.

  7. In the security role designer, enter a role name on the Details tab. On the other tabs, you'll select the actions and the scope for performing each action.

  8. Select a tab and search for your entity. For example, select the Custom Entities tab to set permissions on a custom entity.

  9. Select the privileges Read, Write, Append.

  10. Select Save and Close.

Minimum privileges to run an application

When you create a custom security role, you must include a set of minimum privileges in the security role for a user to run an application. We have created a solution that you can import that provides a security role that includes the minimum necessary privileges.

Start by downloading the solution from the Download Center: Dataverse Least Privilege Security Role.

Then follow these instructions to import the solution: Import solutions.

When you import the solution, it creates the min prv apps use role, which you can copy (see: Create a security role by Copy Role). When the Copy Role process is complete, navigate to each tab (Core Records, Business Management, Customization, and so on) and set the appropriate privileges.

Important

You must test the solution in a development environment before importing it into a production environment.

See also

Grant access to users
Control user access to environments: security groups and licenses
How access to a record is determined

Article information

Author: Prof. Nancy Dach

Last Updated: 03/17/2023
