Add user to security role in environment

Access to Dataverse environments can be managed by using security roles. In this article I am showing you how you can use the Dataverse Web API to add a user to a specific security role via a Power Automate flow.

Inspiration

This question from KKJ:

Trying to assign Security role to a user in specific environment using CRM API, in the URL passing the SystemUserId and in the body passing the Role Id. Any help on the same would be much appreciated.

Power Users Community thread: Action Http Post not working as Expected.

Security concepts Dataverse

Before you start implementing this automation it is probably good to read about the security concepts in Dataverse. Microsoft has great resources about this, for example: Security concepts in Microsoft Dataverse.

Within Dataverse you can use role-based access to give users access to environments. Microsoft provides a lot of predefined security roles. Today the aim is to automate the manual process described in Assign security roles to users in an environment that has a Dataverse database.

Web API

In this example I am using the Dataverse Web API again. After some research I found it should be possible by interacting with the systemuser entity and the many-to-many relationship systemuserroles_association.

The Associate Role to a User Microsoft Dynamics CRM (Rest API) thread on Stack Overflow, and specifically this reply from Henrik H, helped me out as well.

Application User

Before you start with the setup of your flow you want to create an Azure AD app and register it as an application user. I have described these steps in one of my earlier articles, How to use the Dataverse Web API.

However, since I published that article the Power Platform admin interface has slightly changed for the creation of an application user. Follow the steps below or the ones from the link.

1. Sign in to the Power Platform admin center as a System Administrator.
2. Select Environments in the left navigation, and then select an environment from the list.
3. Select Settings in the top navigation.
4. Expand the Users + permissions section, select Application users.
5. Select + New app user to open the Create a new app user page.
6. Click Add an app, search for your Azure AD App.
7. Select a Business Unit.
8. Assign a Security Role.
9. Click Create.

Flow setup

1. Add a Manually trigger a flow trigger action.

2. Add five Initialize variables actions (optional).

These actions are optional; you can also add the values directly into the HTTP actions.

a. Use the settings from the table below, replace the values with your own specific values.

Name            Type    Value
EnvironmentUrl  String  https://org1234567.crm11.dynamics.com
Entity          String  systemusers
RecordId        String  (empty)
SecurityRoleId  String  754140cb-c4ec-ec11-bb3d-000d3a873455
Email           String  bill@contoso.onmicrosoft.com

3. Add an HTTP action.
This action retrieves the Record Id of the system user. A $filter query parameter on the internalemailaddress field finds the user, and a $select query parameter limits the response to the id value.

a. Select the GET method
b. Use the URI from the code snippet below

c. Use the Headers from the code snippet below

d. Select Active Directory OAuth for the Authentication, provide the details of your Azure AD App.

4. Add a Set variable action (optional).
This action is optional; you can also add the expression directly into the HTTP action.

a. Select the RecordId variable.
b. Use the expression from the code snippet below for the Value field.

5. Add a second HTTP action.
In this HTTP action we associate the security role with the systemuser record.

a. Select the POST method
b. Use the URI from the code snippet below

c. Use the Headers from the code snippet below

d. Use the Body from the code snippet below

e. Select Active Directory OAuth for the Authentication, provide the details of your Azure AD App.

That is it for the setup of this example.
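
The two requests from steps 3 to 5, sketched in Python as an added example (not the author's flow snippets or Microsoft's code): it builds the lookup and the association request and rejects input that could alter the URL or widen the match. The API version v9.2, the headers and the host pattern are assumptions, and the function names are hypothetical.

```python
import re
import uuid
from urllib.parse import quote

API = "/api/data/v9.2"  # assumption: the article does not state an API version
# Assumption: commercial-cloud hosts such as org1234567.crm11.dynamics.com.
ENV_RE = re.compile(r"https://[a-z0-9-]+\.crm\d*\.dynamics\.com")
# Assumption: the article's header snippets are not shown; these are common Web API headers.
HEADERS = {"Accept": "application/json", "OData-Version": "4.0"}

def _env(url):
    """Pin the host that will receive the app's bearer token."""
    if not ENV_RE.fullmatch(url):
        raise ValueError("unexpected environment URL: %r" % url)
    return url + API

def _guid(value):
    """Return a canonical GUID; anything else raises ValueError."""
    return str(uuid.UUID(value))

def build_lookup(env_url, email):
    """Step 3: GET the systemuserid for one e-mail address."""
    literal = email.replace("'", "''")  # OData doubles ' inside a string literal
    flt = quote("internalemailaddress eq '%s'" % literal, safe="")
    return {"method": "GET", "headers": HEADERS,
            "uri": "%s/systemusers?$select=systemuserid&$filter=%s" % (_env(env_url), flt)}

def record_id(response_json):
    """Step 4: read the id, refusing zero or several matches."""
    rows = response_json.get("value", [])
    if len(rows) != 1:
        raise LookupError("expected one system user, got %d" % len(rows))
    return _guid(rows[0]["systemuserid"])

def build_associate(env_url, user_id, role_id):
    """Step 5: POST the role reference to the user's role relationship."""
    base = _env(env_url)
    return {"method": "POST",
            "headers": dict(HEADERS, **{"Content-Type": "application/json"}),
            "uri": "%s/systemusers(%s)/systemuserroles_association/$ref" % (base, _guid(user_id)),
            "body": {"@odata.id": "%s/roles(%s)" % (base, _guid(role_id))}}

if __name__ == "__main__":
    env = "https://org1234567.crm11.dynamics.com"  # sample values from the table above
    print(build_lookup(env, "bill@contoso.onmicrosoft.com")["uri"])
    # Constructed user id, standing in for the value returned by the GET.
    found = {"value": [{"systemuserid": "11111111-2222-3333-4444-555555555555"}]}
    print(build_associate(env, record_id(found), "754140cb-c4ec-ec11-bb3d-000d3a873455"))
```

In a flow the same checks map to validating the Email and SecurityRoleId inputs before the HTTP actions run and to stopping when the lookup returns anything other than one record.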

Happy testing!

4 Responses

  1. Jon Russell says:

    This is great. Thanks !

  2. Dennis says:

    Thanks Jon! 🙂

  3. Necdet Saritas says:

    Great Job Jon. I wish you add an email subscription possibility to follow your great blog.

  4. Dennis says:

    Hi @Necdet Saritas

    If you want to follow my blog I have an RSS feed as an alternative:
    http://www.expiscornovus.com/feed/
