Minimum Privileges Required to Log in to Model-driven Apps in Dynamics 365/Microsoft Dataverse
One of the security best practices in Dynamics 365 is to use the base security
role as a baseline and apply that role to all Users. The base security role
will include all the common/basic permissions that are required to have access
to the system (you can read more details in
Tip #2 of Power Platform / Dynamics CRM Tip of the Day). The advantage of using the base security role is to allow the
administrator to add/remove privilege for all users by just updating the base
security role instead of having to go through all the security roles. The base
security role is different for each project depending on what the user with
the minimum permission should be able to perform in the system.
🛈 Note
Microsoft has documented the minimum privileges for common tasks and you can download the Microsoft Dataverse minimum privilege security role from the Download Center. It can be used as the base security role in your system or can be copied to start your custom security role.
Microsoft has documented the minimum privileges for common tasks and you can download the Microsoft Dataverse minimum privilege security role from the Download Center. It can be used as the base security role in your system or can be copied to start your custom security role.
To set up the base security role for the first time
- create a new empty security role.
- add the minimum privileges required to access the system.
- add the privileges required for the basic functionalities.
- test the role with the test user account.
- add the permissions to the entities that all users can access (e.g. reference data).
If you are not sure what are the privileges required, step 2 and 3 can be
time-consuming since those two need to be identified by trial and
error. Microsoft has added a new standard role called Common Data Service
User and that is the ideal role for your base role instead of the empty
role in step 1. But that role has quite a lot of privileges for standard CDS
entities and if your organisation requires a really strict base security
role, it might be better off starting with an empty role.
In that case, there are a few old articles by
Inogic
and Goutam Das
which contains the template for the base security role. This post will be
similar to those two posts but I will try my best to describe why each of
those privileges is required for each particular functionality. At that same
time, I hope that will be helpful for those who are looking for the solution
of a particular function not working well due to the missing privilege.
(e.g. unable to run an on-demand workflow, Business Rule is not working,
etc.)
In today's fast-paced Power Platform world, the structure of the security
role keeps changing and more privileges are added in each major updates. My
plan is to keep updating this post whenever there is an additional privilege
added in the future updates which need to be part of the base security role.
Please also leave a comment if you identify any privilege which is not part
of the list below.
CDS and Dynamics 365 Privileges
So, what are the minimum privileges required to log in to the model-driven
app?
- Read privilege to the Model-driven App entity. Voilà... You can
log in to the model-driven app as long as the user has the security role with
Organization level 🟢 prvReadAppModule.
But wait, prvReadAppModule is just the minimum privileges required to log in
to the model-driven app. That does not mean the app will be functional only
with that privilege. You will just see the Sitemap with Recent, Pinned,
Dashboards, etc. clicking on any of those will just show an error page. These
are the minimum privileges required to log in to the *functioning*
model-driven app
The following table was last updated in July 2020 based on CDS version
9.1.0000.20151.
These are the hidden privileges and you do not specifically need to add in the
security role.
| Privilege Name | Privilege | Access Level |
|---|---|---|
| prvReadSharePointDocument | Read | Organization |
| prvCreateSharePointData | Create | Organization |
| prvReadSharePointData | Read | Organization |
| prvWriteSharePointData | Write | Organization |
These are the privileges required to load the UI components of the
model-driven app and they are all in the Customization tab of the security role form. And make sure the base security role
has access to that particular model-driven app.
| Privilege Name | Entity | Privilege | Access Level |
|---|---|---|---|
| prvReadAttributeMap | Attribute Map | Read | Organization |
| prvReadCustomization | Customizations | Read | Organization |
| prvReadEntity | Entity | Read | Organization |
| prvReadEntityKey | Entity Key | Read | Organization |
| prvReadEntityMap | Entity Map | Read | Organization |
| prvReadAttribute | Field | Read | Organization |
| prvReadAppModule | Model-driven App | Read | Organization |
| prvReadOptionSet | Option Set | Read | Organization |
| prvReadRelationship | Relationship | Read | Organization |
| prvReadSavedQueryVisualizations | System Chart | Read | Organization |
| prvReadSystemForm | System Form | Read | Organization |
| prvReadQuery | View | Read | Organization |
| prvReadWebResource | Web Resource | Read | Organization |
The following privileges are required for some common basic functionalities in
the model-driven apps as specified in the Required For column
| Privilege Name | Tab | Entity | Privilege | Access Level | Required For |
|---|---|---|---|---|---|
| prvReadUserSettings | Business Management | User Settings | Read | Business Unit | Personal Options |
| prvWriteUserSettings | Business Management | User Settings | Write | Business Unit | |
| prvCreateUserEntityUISettings | Core Records | User Entity UI Settings | Create | User | Getting/Saving UI setting for the user such as Recent Items, Pin Items, etc. |
| prvReadUserEntityUISettings | Core Records | User Entity UI Settings | Read | User | |
| prvWriteUserEntityUISettings | Core Records | User Entity UI Settings | Write | User | |
| prvCreateUserQuery | Core Records | Saved View | Create | User | Managing personal Saved Views |
| prvReadUserQuery | Core Records | Saved View | Read | User | |
| prvWriteUserQuery | Core Records | Saved View | Write | User | |
| prvDeleteUserQuery | Core Records | Saved View | Delete | User | |
| prvAssignUserQuery | Core Records | Saved View | Assign | User | |
| prvShareUserQuery | Core Records | Saved View | Share | User | |
| prvFlow | Customization | Run Flows | N/A | Organization | Running On-demand Power Automate flows and showing On-demand workflows in Unified Interface |
| prvWorkflowExecution | Customization | Execute Workflow Job | N/A | Organization | Running On-demand workflows |
| prvReadWorkflow | Customization | Process | Read | Organization | Business Process Flow, On-demand workflows, Business Rules |
| prvAppendToWorkflow | Customization | Process | Append To | Organization | Business Process Flow, On-demand workflows |
| prvReadAsyncOperation | Customization | System Job | Read | User / Organization |
On-demand workflows / To view status of the run flow in BPF |
| prvCreate*BPFEntityName* | Business Process Flows | *BPF Name* | Create | Organization | Business Process Flow |
| prvRead*BPFEntityName* | Business Process Flows | *BPF Name* | Read | Organization | |
| prvWrite*BPFEntityName* | Business Process Flows | *BPF Name* | Write | Organization | |
| prvAppend*BPFEntityName* | Business Process Flows | *BPF Name* | Append | Organization | |
| prvAppendTo*BPFEntityName | Business Process Flows | *BPF Name* | AppendTo | Organization |
Dynamics 365 Specific Privileges
The privileges above might be enough for the model-driven app in the CDS but
in Dynamics 365, there are some system scripts which query certain data in the
backend. Some of those WebAPI calls will fail silently but some may throw a
generic error as below in Unified Interface.
You do not have {0} permission to access {1} records. Contact your Microsoft Dynamics 365 administrator for help.
In that case, open the Developer Tools of the browser and check the
descriptive error in the Network tab (with Result "Forbidden" / Status "403" errors) to find out which privilege is missing.
You can read more about deciphering the Unified Interface
generic permission errors in
this blog post by Alex Shlega.
The descriptive error message will say that the user is missing prvActionEntity. If you are not sure where that privilege is located in the security role
form, one of the methods is to check
this old Dynamics CRM 2016 documentation. I am not sure why "Security role UI to privilege mapping" is no longer
included in the Dynamics 365 Customer Engagement (on-premises) documentation
or Power Platform documentation. If you see the privilege but not sure if it
the prvActionEntity specified by the error message, you can open up the Developer Tools of
the browser and inspect the element (Ctrl + Shift + C in Chrome) to see the
backend privilege name.
You can also identify those scripts which fail silently due to the missing
privileges by checking the error lines in the Network tab of the browser's
Developer Tools. Another alternative way is checking the network request
details in
the recently announced monitor tool for model-driven apps.
Here are some examples of the privileges required by the system scripts.
| Privilege Name | Tab | Entity | Privilege | Access Level | Required For |
|---|---|---|---|---|---|
| prvReadOrganization | Business Management | Organization | Read | Organization | Dynamics 365 environment with Microsoft Teams integration Script Error for Web Request: /api/data/v9.0/organizations(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)?$select=ismsteamsenabled,ismsteamscollaborationenabled |
| prvReadUser | Business Management | User | Read | Business Unit | System script to read azureactivedirectoryobjectid of current user Script Error for Web Request: /api/data/V9.1/systemusers()?$select=azureactivedirectoryobjectid&$filter=systemuserid%20eq%20xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| prvReadSdkMessage | Customization | Sdk Message | Read | Organization | System script to read SDK Message Names Script Error for Web Request: /api/data/v9.0/sdkmessages(4c53ccbd-bbfa-4aad-a725-ffba2246d683)?$select=name |
| prvReadRoutingRule | Service Management | Routing Rule Set | Read | User | System scripts for routing rules Script Error for Web Request: /api/data/v9.0/routingrules?$filter=msdyn_entitylogicalname%20eq%20%27ENTITYNAME%27 |
| prvReadmsdyn_PostConfig | Custom Entities | Post Configuration | Read | Organization | System scripts for activity feed Script Error for Web Request: /xrmservices/2011/OrganizationData.svc/msdyn_PostConfigSet?$select=msdyn_EntityName,statecode&$filter=msdyn_EntityName%20eq%20%27ENTITYNAME%27 |
| prvReadActivity | Core Records | Activity | Read | User | System scripts in Omnichannel for Customer Service Script Error for Web Request: /api/data/v9.0/msdyn_ocliveworkitems?$filter=_regardingobjectid_value%20eq%20%27xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%27%20and%20statecode%20ne%203%20and%20statuscode%20ne%204 |
It's worth saying that the Error code you are looking for in the Network tab of the Developer Tools is for Forbidden / 403 errors.
ReplyDeleteI would also say that all the security roles listed are required - I suspect you would get some very interesting support requests that would take a long time to debug if one of those roles were missing.
That should (of course) read all the security privileges listed are required for the role..
DeleteThanks for the feedbak eek, I have updated the blog post to add "Forbidden / 403 errors" around network tab part.
DeleteNice post
ReplyDeleteCheck me out
hidden camera price in pakistan
flowers Minsk
ReplyDeleteMbrascoul-za Wewere Tucson Programs
ReplyDeletediotrucuntab
http://google.fi/
ReplyDeleterantootika
ReplyDeleteпроверенные юридические адреса
ReplyDeleteможно скачать игры на xbox 360
ReplyDeleteThank you for the information about IN DYNAMICS 365/MICROSOFT DATAVERSE the basic security that we need. Κάμερες Ασφαλείας
ReplyDeleteBlog
ReplyDeleteВлагонепроницаемая https://fanwood.by/shop/fof-fanera/laminirovannaya-fanera-912002400-mm отличается от влагостойкой тем, что она обработана характерным составом смолы. По большей части с целью производства фанеры влагоупорной применяют синтетические связывающие клейстеры. Благодаря признакам фанерная плита зачастую востребована в судостроении, а также при производстве кабин самолетов и тому подобное.
ReplyDeletetutaj zobacz My site
ReplyDeletehttps://labdetstva.ru
ReplyDeleteПриумножайте лучшие гиперссылки на ваш интернет портал и приумножьте посещаемость, ИКС. Разбавьте текущую ссылочную массу, усиливайте ссылки с бирж ссылок, фигура ссылок, tier 1, tier 2, tier 3. Пожизненные ссылки с трастовых сайтов на ваш интернет ресурс, дешевле чем на биржах и аналогов на интернет рынке беклинков. Официальный сайт - https://seobomba.ru/
ReplyDeletetutaj sprawdź Check my pages
ReplyDeletekliknij tu trochę ode mnie
ReplyDeletewejdź i sprawdź My site
ReplyDeletehttps://israelnightclub.com/apartments/דירות-דיסקרטיות-באשקלון/
ReplyDeleteфанера 8мм цена
ReplyDeleteremont najlepsza strona na temat remonty mieszkań warszawa
ReplyDeletewejdź tutaj coś ode mnie
ReplyDeletehttps://zged.pl
ReplyDeleteСуществует огромное количество видов водостойкой фанеры, одной из которых является покрытая ламинатом ФОФ. Обработанная с одной или двух сторон полиэтиленовой пленкой, фанера получает возможность по максимуму противодействовать влажности. http://michelleclan.com/home.php?mod=space&uid=122567&do=profile считается особенно популярным облицовочным материалом в строительной сфере.
ReplyDeleteurl najlepsza strona www na temat remonty mieszkań warszawa
ReplyDeletekliknij Check my pages
ReplyDeleteIsraFace - еврейские анекдоды, это блог о евреях, где находятся евреи и еврейки и русский еврей из России, Беларуси. Выкладывайте личные кадры, видео, объединяйтесь в клуб, читайте блог, заходите на форум, заводите еврейские знакомства.
ReplyDeletekramp
ReplyDeletehttps://intnd.ru вырастить рассаду
ReplyDeleteстоимость ритуальных услуг в москве
ReplyDeleteБоклан Николай (48 фото) https://cojo.ru/znamenitosti/boklan-nikolay-48-foto/
ReplyDeleteДля внутренних действий использовать смоляно фенолформальдегидную плиту возбороняется - будут появляться разрушительные вещества при определенных условиях. Фанерная плита ФСФ https://xn--80aao5aqu.xn--90ais/ - это влагоупорный класс фанеры, получивший большое распространение в строительстве. В большинстве случаев смоляно фенолформальдегидную фанеру применяют как наружный отделочный материал. Водоустойчивый вид практически не абсорбирует жидкость, а в последствие просушки возвращается к своей первоначальной форме.
ReplyDeleteЛанская Елена https://cojo.ru/znamenitosti/lanskaya-elena-53-foto/
ReplyDeletekrmp.cc
ReplyDeletebok24.wroclaw.pl
ReplyDeleteТачскрин для автомагнитолы VARTA V-AVM650D - сенсорное стекло
ReplyDeleteСкарлетт йоханссон стрижка (48 лучших фото) HD фото https://cojo.ru/pricheski-i-strizhki/skarlett-yohansson-strizhka-48-foto/
ReplyDeleteИзящная пленка из полимерных материалов абсолютно не вбирает жидкость, в результате её зачастую монтируют в зданиях с высокой влажностью, например, сауна. Нередко для производства фанеры могут взять пару видов материала всевозможных пород дерева, но бывает и обычная березовая фанера. Влагонепроницаемую фанеру используются для декорированной покрытия мебельных изделий http://artemsoft.ru/index.php?subaction=userinfo&user=idusymiv, во время дизайнерских ремонтных работ, для внутреннего покрытия салонов грузовых автомобилей. Ламинированные образцы обладают большей долговечностью, чем их похожие варианты без водонепроницаемого ряда.
ReplyDeleteдетски матраци
ReplyDeletehttps://tehnoshef.ru
ReplyDeleteroses Minsk
ReplyDeleteЛеонова Анастасия 41 лучших фото https://cojo.ru/znamenitosti/leonova-anastasiya-41-foto/
ReplyDeleteprognozik.com
ReplyDeleteКамагра гель в Израиле купить мужской препарат камагра гель для повышения и увеличения потенции в Израиле. Это признанный, действующий и эффективный возбуждающее средство повышения и улучшения мужской силы по выгодной цене с доставкой по вему Израилю.
ReplyDeletehttps://seo-runs.ru
ReplyDeleteбиткоин миксер
ReplyDeleteКосички внутрь (36 лучших фото) подборка https://cojo.ru/pricheski-i-strizhki/kosichki-vnutr-36-foto/
ReplyDeleteНа нашем сайте вы узнаете - сдать телевизор на барусе
ReplyDeleteПродукция бритвы gillette купить оптом, это отличное начало нового бизнеса. Постоянные распродажи на лезвия gillette fusion proglide. Средства для бритья лезвие fusion практичные комплекты gillette купить оптом по минимальной стоимости производителя. Спешите купить лезвия джилет mach3, станки для бритья джиллет фьюжен проглайд, а также любой другой продукт линейки gillette mach 3 по максимальной выгодой цене!. Хит продаж одноразовые станки gillette venus.
ReplyDeleteвоенный адвокат Запорожье по мобилизации
ReplyDeletewww
ReplyDeleteНа нашем сайте вы узнаете - ремонт дачи своими руками дешево barus
ReplyDeleteбалясины из дуба купить в спб дешево со склада
ReplyDeleteподарунок дружині на новий рік https://prazdnikko.com/podarunki-cholovikovi/originalni-idei-shho-podaruvati-cholovikovi-na.html подарунки на новий рік для хлопця
ReplyDeleteХейли Мари 46 фото cojo.ru
ReplyDeleteHAIFA - ISRAEL
ReplyDeleteчерный PR
ReplyDeleteКотел для варки сиропа
ReplyDeleteрейтинг казино
ReplyDeletehttp://meshki-dlya-musora01.ru/
ReplyDeleteМиксер криптовалют
ReplyDeleteHi good friend. Let me introduce myself. I am Joya Otten although it's not the most feminine of names. Because of her family, her spouse and her live in American Samoa however she needs to move. What I like doing is to do interior design and I'm trying to make it a profession. Financial obligation gathering is what he performs in his day job and he will not change it anytime soon. See what's new on my site here: game download sites
ReplyDeleteHey there. Let me introduce the author. His name is Dirk Keifer and his wife doesn't like it at all. Montana is where my house is but I need to move for my household. Talking to is her profession. To model trains is what I do weekly. See what's new on my website here: pacman 30th anniversary
ReplyDeleteгригорий лепс билеты
ReplyDeletehttps://zp4.su/parts/SACHS/1878007170
ReplyDeleteJudie is what people call me though I do not really like being called like that. My family lives in Mississippi. My job is a bookkeeper however soon my partner and I will start our own business. To have fun with dogs is something I will never provide up. Go to my site to discover more: csgo cheats
ReplyDeletekraken
ReplyDeleteI'm Kenton and I feel comfortable when people utilize the complete name. My pals say it's not great for me however what I like doing is archery and I've been doing it for quite a while. My family resides in Mississippi. For several years I have actually been working as a customer care representative however I have actually already made an application for another one. You can discover my site here: fauji game download apk
ReplyDeletehttp://vbreste.by/biznes/kak-vospolzovatsya-virtualnymi-nomerami-dlya-sms.html
ReplyDelete