If you are an IT administrator who has to manage user access into the Dataverse environments, then this is the blog for you.
Recently, we encountered a use case where our client wanted to streamline the process of assigning security roles to users. They wanted to provide users read-only access to data that belonged to their business unit and wanted a solution that did not require navigating to the Power Platform Admin Center for each role assignment.
To address this, we built a Dataverse table where admins can easily add users who require read-only access to their data and a Power Automate flow that will automatically assign or unassign security roles.
Automating the process
When a user is added to the table, a Power Automate flow is triggered and the user will seamlessly get added to the security role in their business unit.
We have a custom security role created in advance that gives read-only access to the appropriate tables.
Admins are expected to deactivate a user's row on the table, rather than delete it, to unassign a security role, because the flow cannot retrieve the details of a deleted record. When a user is deactivated, the same flow is triggered and unassigns the user from the role.
Power Automate Flow Implementation
The trigger of the flow is 'Added or Modified' on the Dataverse table named 'Read-Only Users.' We set the 'Select Columns' field to include statecode, so the flow triggers only upon status modification.
The 'Name' column of the user on the table is a lookup to the out of the box User table.
Then we did a 'Get Row' on the out of the box 'User' table, using the same 'Name' column.
We also listed all the security roles with the name = 'Read Only' and in the same business unit as the user.
The user's business unit can be retrieved from the 'Get row' action.
Note: If you have multiple business units set up in your Dataverse environment, your security roles will be duplicated for each business unit.
We did a check to see if the status of the user from the trigger is active or inactive. In Dataverse, the values for the out of the box status field are the following:
Active: 0
Inactive: 1
If the status is active, we use the Dataverse Relate rows action to assign the security role. Because the systemuser and role tables have an N:N relationship, assigning a role means establishing a relationship between the two rows.
Table name: Users (out of the box systemusers table)
Row ID: Same user id from the trigger output
Relationship: Security Role - systemuserroles_association
Relate with: [Your environment url]api/data/v9.1/roles([role id from your list action])
Note: your environment url will look something like https://environmentid.crm.dynamics.com/. In my case, I stored it in an environment variable.
Similarly, for unassigning a role, use the Dataverse Unrelate Rows action.
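For readers who want to see what the Relate rows and Unrelate rows steps correspond to at the Dataverse Web API level, here is an added Python sketch (not part of the original flow) that builds the role filter and the associate/disassociate requests without sending them. The function names and sample GUIDs are made up for illustration, and it refuses to proceed unless exactly one role matched the user's business unit.

```python
import re

# Hypothetical helper names; all sample IDs below are constructed.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
API = "api/data/v9.1/"  # same API version as the 'Relate with' value above


def role_filter(business_unit_id, role_name="Read Only"):
    """OData $filter for the list step: role name plus the user's business unit."""
    if not GUID.match(business_unit_id):
        raise ValueError("business unit id is not a GUID")
    safe_name = role_name.replace("'", "''")  # OData string-literal escaping
    return f"name eq '{safe_name}' and _businessunitid_value eq {business_unit_id}"


def role_request(env_url, user_id, statecode, matched_role_ids):
    """Return (method, url, body) equivalent to Relate rows / Unrelate rows."""
    if len(matched_role_ids) != 1:
        # Zero or several matches means the filter is wrong; do not guess a role.
        raise LookupError(f"expected exactly 1 role, got {len(matched_role_ids)}")
    role_id = matched_role_ids[0]
    for value in (user_id, role_id):
        if not GUID.match(value):
            raise ValueError(f"not a GUID: {value!r}")
    base = env_url.rstrip("/") + "/" + API  # tolerate a missing trailing slash
    nav = f"{base}systemusers({user_id})/systemuserroles_association"
    if statecode == 0:  # Active: associate the user with the role
        return "POST", nav + "/$ref", {"@odata.id": f"{base}roles({role_id})"}
    if statecode == 1:  # Inactive: remove the association
        return "DELETE", f"{nav}({role_id})/$ref", None
    raise ValueError(f"unexpected statecode: {statecode}")


ENV = "https://environmentid.crm.dynamics.com"
USER = "11111111-1111-1111-1111-111111111111"
BU = "22222222-2222-2222-2222-222222222222"
ROLE = "33333333-3333-3333-3333-333333333333"

if __name__ == "__main__":
    print(role_filter(BU))
    print(role_request(ENV, USER, 0, [ROLE]))
    print(role_request(ENV, USER, 1, [ROLE]))
```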
And lastly, don't forget to test your flow and access.
Hope that helped :)
See you next time!
About Me
I'm Leoza Kabir Barker, a Functional Consultant at XRM Vision with a focus on the Power Platform. Through my expertise, I aim to streamline processes, optimize operations, and maximize productivity.
Connect with Me
Blog: www.leozakabirbarker.com