Hey,
How are you doing?
There are times when you might need to allow an admin to assign roles and share a Model Driven app with a user. We can do this automatically with Power Automate by running the security role assignment flow.
This can be an overhead for your IT function, and it can be put in your hands as the owner of the solution.
Pre-requisites for Security role assignment
For this blog post, I am going to assume that you have a Model Driven app and Dataverse security roles governing the access to that Model Driven app.
First, what we need to do is share the Model Driven App with the security role. To do this, go to your solution, click on Apps, and then click on the three dots next to the app and click Share:
Next, select the drop down next to the Dataverse, and choose the security role you want the app shared with. In this case, that is Nursery Manager. Select the app, then select the security role drop down, and find the role you want to share with the app:
Don't forget to click Share. The app will get shared and you can close this pane.
We also need to create an Admin table. Create a new Table called Admin, and add a field called Email. We will use this as a place to add records, which will then be picked up by a Power Automate cloud flow, where the email address will be used to look up the user and associate them with the security role.
We also need to ensure that the User we add as part of the flow exists in the Users table inside Dataverse.
Power Automate Cloud flow
Head back to your solution, and create a new Automated cloud flow. Let's call it Add user to Security group. For the trigger action, choose the When an item is added, modified or deleted from the Dataverse actions:
Click Create.
The first step should be configured like this, where Admins is the table to which email addresses are added so that the user can be added to the security group by this flow:
Next we are going to check the email address is valid inside a Scope, by passing the Email address from the trigger step to the Get user profile (V2):
Next we need another Scope with a Send an email action, so that if the previous scope fails, I am emailed to say that the email address added is invalid:
We need to click on the three dots on this scope and click on Configure run after, so that the second scope only runs when the first scope has failed, is skipped or has timed out:
Still with me? Nice!
Next we need to List Rows to find the User in the User table:
We also need to configure the List rows step - Configure run after:
Next we need to List Rows for the Security roles, and get the role that matches the name of the Security role we created previously:
We also need to ensure that the user is enabled in the environment:
We can do this with the Update a row action on the User table, using the User unique ID that came from the first List Rows step. We can pull this out of the Apply to each by using the first expression.
That looks like this: first(outputs('List_rows')?['body/value'])?['systemuserid']
Click on the Show advanced options, and change the Status drop down to No.
Finally, the last step is to Relate the User ID with the Security Role:
Let's now add an email address to the Admin table via the form in the Model Driven app and see what happens.
The flow runs, and the user gets access to the app.
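The lookups and the final Relate step above, expressed as Dataverse Web API requests in an added Python example that is not part of the original post. Dataverse keeps a copy of each security role per business unit, so a role query filtered only by name can return several rows; the example picks the copy in the user's business unit and doubles single quotes in the email before it goes into the filter. The organisation URL, helper names and sample rows are assumptions constructed for illustration.

```python
import re

# Placeholder organisation URL (assumption); nothing is sent anywhere.
API = "https://contoso.crm.dynamics.com/api/data/v9.2"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def odata_str(value):
    """Quote a string for an OData $filter; embedded single quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"

def user_filter(email):
    """Filter rows value for the Users lookup, built from the Admin record's Email."""
    email = email.strip()
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("Email is not a plain address")
    return "internalemailaddress eq " + odata_str(email)

def pick_role(user, roles):
    """Choose the role copy that lives in the user's business unit."""
    bu = user["_businessunitid_value"]
    matches = [r for r in roles if r["_businessunitid_value"] == bu]
    if len(matches) != 1:
        raise LookupError(f"expected one role in business unit {bu}, found {len(matches)}")
    return matches[0]

def plan_requests(user, role):
    """The flow's two writes: enable the user, then relate user and role."""
    uid, rid = user["systemuserid"], role["roleid"]
    return [
        # Assumption: the Status option in 'Update a row' maps to isdisabled.
        ("PATCH", f"{API}/systemusers({uid})", {"isdisabled": False}),
        ("POST", f"{API}/systemusers({uid})/systemuserroles_association/$ref",
         {"@odata.id": f"{API}/roles({rid})"}),
    ]

# Constructed sample rows, shaped like the 'body/value' arrays of the two List rows steps.
USERS = [{"systemuserid": "00000000-0000-0000-0000-0000000000a1",
          "_businessunitid_value": "00000000-0000-0000-0000-0000000000b2"}]
ROLES = [{"roleid": "00000000-0000-0000-0000-0000000000c1", "name": "Nursery Manager",
          "_businessunitid_value": "00000000-0000-0000-0000-0000000000b1"},
         {"roleid": "00000000-0000-0000-0000-0000000000c2", "name": "Nursery Manager",
          "_businessunitid_value": "00000000-0000-0000-0000-0000000000b2"}]

if __name__ == "__main__":
    print(user_filter("o'brien@example.com"))
    for method, url, body in plan_requests(USERS[0], pick_role(USERS[0], ROLES)):
        print(method, url, body)
```

In the flow itself, the same two checks can be made with a Condition on the role's business unit and a replace() expression on the email before the List rows filter.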
Thanks for reading, as always, any questions please send me an email - jon@jondoesflow.com
Thanks for the post. It was really helpful!