Sharing a canvas app built on top of Common Data Service
Common Data Service for Apps has a powerful, enterprise-grade security model that lets you group users into security roles and give those roles varying levels of access to the entities that some of our most sophisticated business apps are built on. Depending on a user’s role within an organization, you can limit or expand their access to certain pieces of information for security and data integration purposes. That’s what makes apps built on top of Common Data Service so powerful. However, because the security model is sophisticated, figuring out how to configure security access for your app can get complex. After building a canvas app using Common Data Service as the backend, many people have asked, ‘How do I share this app with other users in my organization and make sure they have access not only to my app but also to the Common Data Service?’ This blog post outlines the steps that help you share access to the data in the Common Data Service that your canvas app uses.
Let’s assume I build a canvas app called Event Onboarding that uses two entities, Contact and Event, in the Common Data Service. To share this app with other users, I need to (1) grant users access to the canvas app and (2) share access to the two entities, Contact and Event, via security roles.
The first part is not covered in this blog post. However, this article does an excellent job of laying out step-by-step instructions that you can follow.
The second part, sharing access to the data in the Common Data Service, is a trickier piece and not as straightforward today. When your users run your Event Onboarding app, they need permission to access the Contact and Event entities the app uses. To grant them access, you will need to:
1. Create a security role
2. Assign users to the security role
Create a security role
If you have previously created a security role that grants permissions to the entities Contact and Event that your app uses, then you can use that role and skip this step. Otherwise, follow the steps below to create a new security role.
Step 1: From PowerApps, click the settings gear and select Admin Center.
Step 2: In PowerApps admin center, select the environment where you want to create the new security role.
Step 3: Select the Details tab and select the Dynamics 365 Administration Center link to manage the environment. Note that this step can take a while, depending on the number of instances in your tenant.
Step 4: In the new tab for Dynamics 365 Administration Center, select the instance (the instance name is the same as the environment name) and click Open.
Step 5: In the header, click Settings and select Security.
Step 6: Select Security roles
Step 7: Click New; this opens the security role designer.
Step 8: Enter a name for your security role
Step 9: Locate the entities your app uses, Contact and Event, by clicking on each tab in the security role designer. If your entities are custom, they will be under the Custom Entities tab.
Step 10: Once you locate your entities, select the privileges you’d like to grant your users, such as Read, Write, Delete, etc., and the scope for performing each action. Scope determines how deep or high within the environment’s hierarchy the user can perform a particular action.
Step 11: Click Save and Close.
Great, you now have a new security role that defines access to the entities your app uses. Next, you will assign users to this role. If you’d like to learn more about security roles for Common Data Service or understand privileges and scope, you can visit this article.
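How the privileges and scope chosen in step 10 decide access to a record can be sketched as a small model. This is an added example, not code from the original post or from Microsoft: the scope names follow the access levels in the security role designer, while the role names, users and business-unit tree are constructed. The model is simplified and ignores record sharing and team ownership.

```python
from collections import namedtuple
from enum import IntEnum

class Scope(IntEnum):
    NONE = 0
    USER = 1            # only records the user owns
    BUSINESS_UNIT = 2   # records owned inside the user's own business unit
    PARENT_CHILD = 3    # the user's business unit and every unit below it
    ORGANIZATION = 4    # every record in the environment

# Constructed business-unit tree, child -> parent (None marks the root).
BU_PARENT = {"Contoso": None, "Events": "Contoso", "Events-EMEA": "Events"}

# Hypothetical roles: (entity, privilege) -> scope granted.
ROLES = {
    "Event Onboarding User": {("Contact", "Read"): Scope.BUSINESS_UNIT,
                              ("Event", "Read"): Scope.PARENT_CHILD,
                              ("Event", "Write"): Scope.USER},
    "Event Onboarding Lead": {("Event", "Write"): Scope.PARENT_CHILD},
}

User = namedtuple("User", "name business_unit roles")

def in_subtree(bu, root):
    # True if business unit `bu` is `root` or sits anywhere below it.
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT[bu]
    return False

def effective_scope(user, entity, privilege):
    # Roles are cumulative: the broadest scope granted by any role wins.
    return max((ROLES[r].get((entity, privilege), Scope.NONE)
                for r in user.roles), default=Scope.NONE)

def can_access(user, entity, privilege, owner):
    scope = effective_scope(user, entity, privilege)
    if scope == Scope.PARENT_CHILD:
        return in_subtree(owner.business_unit, user.business_unit)
    if scope == Scope.BUSINESS_UNIT:
        return owner.business_unit == user.business_unit
    # ORGANIZATION reaches every record, USER only the user's own, NONE nothing.
    return scope == Scope.ORGANIZATION or (scope == Scope.USER and owner.name == user.name)

# Constructed sample users.
alice = User("alice", "Events", ("Event Onboarding User",))
bob = User("bob", "Events-EMEA", ("Event Onboarding User",))
dana = User("dana", "Events", ("Event Onboarding User", "Event Onboarding Lead"))
```

In this model alice can read Event records owned by bob in the child unit but cannot write to them, while dana’s second role widens Event Write to the whole subtree, which is why each role should carry the narrowest scope the app needs.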
Assign users to a security role
To assign a user to a security role, you need to be an Environment Admin and follow these steps:
Step 1: From PowerApps, click the settings gear and select Admin Center.
Step 2: In PowerApps admin center, select the environment where you want to update a security role.
Step 3: Select the Security tab.
Step 4: First, check whether the user(s) already exist in the environment by selecting view the list of users in the environment. If the user is not in the list, go to step 5. Otherwise, skip to step 6.
Step 5: If the user doesn’t exist, add the user by entering the email address of the user in your organization and selecting the Add user button.
Step 6: Once you know that the user(s) you want to assign a security role to exist in your environment, select the Details tab and select the Dynamics 365 Administration Center link to manage the environment.
Step 7: In the new tab for Dynamics 365 Administration Center, select the instance (the instance name is the same as the environment name) and click Open.
Step 8: In the header, click Settings and select Security.
Step 9: Select Users
Step 10: Locate the user(s) you want to share with using the search box
Step 11: Select the user(s) and select Manage roles
Step 12: In the Manage User Roles dialog, select the role(s) you created in the previous section and make sure to also select the Common Data Service User role (if it isn’t already selected). The Common Data Service User role must be assigned to any user who wants to use your app or access the Common Data Service.
Step 13: Select OK to assign the role(s) to the user you selected.
Congratulations, you have now shared your canvas app with other users and granted them access to the entities Contact and Event that your canvas app uses. Let me know if you have any further questions by dropping comments below.