Security roles and permission levels in standard dataflows

Note

Effective November 2020:

  • Common Data Service has been renamed to Microsoft Dataverse. Learn more
  • Some terminology in Microsoft Dataverse has been updated. For example, entity is now table and field is now column. Learn more

This article will be updated soon to reflect the latest terminology.

If someone in the team has created a dataflow and wants to share it with other team members, how does it work? What are the roles and permission level options available? This article takes you through the roles and permission levels related to standard dataflows.

Access to the environment

A standard dataflow stores data in Dataverse. Dataverse is located in an environment. Before accessing data stored in Dataverse, and also dataflows, you first need to have access to the environment.

Image demonstrating how to add a user to the environment

Roles

There are multiple roles used to configure the security level for standard dataflows. The following table describes each role, along with the level of permission associated with that role.

Security role Privileges Description
Environment Maker Create dataflows and entities Can create dataflows and write to custom or non-custom entities
Common Data Service User Write to non-custom entities Has all the rights to work with non-custom entities
System Customizer Create custom entities Custom entities this user creates will be visible to this user only
Members of the environment Get data from dataflows Every member in the environment can get data from the dataflows in that environment

Row-level security isn't supported

The current version of standard dataflows doesn't support row-level security.

If you haven't heard of row-level security before, here's a quick introduction. If you have users with different levels of access to the same table, you can filter the data at the row level. For example, in the Orders table, you might have a SalesTerritory column, and you might want to filter the data in a way that users from California could only see records from the Orders table that belongs to California. This is possible through row-level security.

Steps to assign roles

The steps in the following procedure are sourced from Configure user security to resources in an environment.

Verify that the user you want to assign a security role to is present in the environment. If not, add the user to the environment. You can assign a security role as part of the process of adding the user. More information: Add users to an environment

In general, a security role can only be assigned to users who are in the Enabled state. But if you need to assign a security role to users in the Disabled state, you can do so by enabling allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.

To add a security role to a user who is already present in an environment:

  1. Sign in to the Power Platform admin center.

  2. Select Environments > [select an environment] > Settings > Users + permissions > Users.

  3. Select Manage users in Dynamics 365.

    Select Manage users in Dynamics 365

  4. Select the user from the list of users in the environment, and then select Manage roles.

    Select Manage roles

  5. Assign one or more security roles to the user.

    Manage user roles

  6. Select OK.