Assign a security role to a user
About security roles
- Security roles control a user's access to data through a set of access levels and permissions. The combination of access levels and permissions that are included in a specific security role sets limits on the user's view of data and on the user's interactions with that data.
- Dataverse provides a default set of security roles. If necessary for your organization, you can create new security roles by editing one of the default security roles and then saving it under a new name. See Predefined security roles.
- You can assign more than one security role to a user. The effect of multiple security roles is cumulative, which means that the user has the permissions associated with all security roles assigned to the user.
- Security roles are associated with business units. If you've created business units, only those security roles associated with the business unit are available for the users in the business unit. You can use this feature to limit data access to data owned by the business unit.
- When the allow record ownership across business units setting is enabled, you can assign security roles from different business units to your users irrespective of which business unit the users belong to.
- To assign security roles to a user, you need to have the appropriate privileges (minimum privileges are Read and Assign on the Security Role table). To prevent elevation of security role privileges, the person who is assigning the security role can't assign someone else to a security role that has more privileges than the assigner. For example, a CSR Manager can't assign another user to the System Administrator role. This privilege validation includes checking each privilege that the assigner has at the privilege depth-level and business unit. For example, you can't assign a security role from a different business unit to another user if you don't have a security role with the appropriate privilege-level assigned from that business unit.
Note
By default, the System Administrator security role has all the required privileges to assign security roles to any user, including assigning the System Administrator security role. If you need to allow non-System Administrators to assign security roles, consider creating a custom security role with all the privileges listed in Create an administrative user and prevent elevation of security role privilege. Assign to the non-System Administrator both the custom security role and all the security roles that the non-System Administrator can assign to other users. This requirement also applies if you allow non-System Administrators to manage team members in owner teams.
For more information about the difference between Microsoft Online Services administrator roles and security roles, see Grant users access.
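The elevation check and the cumulative effect of multiple roles described above can be sketched as a simplified model. This is an added example, not Dataverse code or its actual implementation. Assumptions: the privilege labels, role contents and business unit names are constructed, and the model accepts the minimum Read and Assign privileges from any role the assigner holds.

```python
from dataclasses import dataclass
from enum import IntEnum

# Access levels ordered narrowest to widest, so depths compare with < and max().
Depth = IntEnum("Depth", "NONE USER BUSINESS_UNIT PARENT_CHILD ORGANIZATION", start=0)

@dataclass(frozen=True)
class Role:
    name: str
    business_unit: str
    privileges: dict  # privilege label (model-only name) -> Depth

REQUIRED = ("Read Security Role", "Assign Security Role")  # minimum privileges for the assigner

def effective(roles, business_unit=None):
    """Cumulative privileges: the widest depth per privilege across the given roles."""
    merged = {}
    for role in roles:
        if business_unit is not None and role.business_unit != business_unit:
            continue
        for priv, depth in role.privileges.items():
            merged[priv] = max(merged.get(priv, Depth.NONE), depth)
    return merged

def assignment_gaps(assigner_roles, target):
    """Reasons the assignment is refused; an empty list means it is allowed."""
    gaps = [f"missing {p}" for p in REQUIRED if p not in effective(assigner_roles)]
    # Depth is compared only against roles held from the target role's business unit.
    held = effective(assigner_roles, target.business_unit)
    for priv, depth in sorted(target.privileges.items()):
        have = held.get(priv, Depth.NONE)
        if have < depth:
            gaps.append(f"{priv}: assigner {have.name}, role {depth.name}")
    return gaps

# Constructed sample data: a CSR Manager who also holds a second role in Sales.
BU, ORG = Depth.BUSINESS_UNIT, Depth.ORGANIZATION
ASSIGNER = [Role("CSR Manager", "Sales", {**dict.fromkeys(REQUIRED, BU), "Read Account": BU,
                                          "Write Account": Depth.USER}),
            Role("Case Editor", "Sales", {"Write Account": BU})]
EDITOR = Role("Account Editor", "Sales", {"Read Account": BU, "Write Account": BU})
ADMIN = Role("System Administrator", "Sales", {"Read Account": ORG, "Write Account": ORG})
SUPPORT = Role("Account Editor", "Support", EDITOR.privileges)

if __name__ == "__main__":
    for role in (EDITOR, ADMIN, SUPPORT):
        print(role.name, role.business_unit, assignment_gaps(ASSIGNER, role) or "allowed")
```

The Account Editor role in Sales is assignable only because the assigner's two roles combine; the same role from the Support business unit is refused because the assigner holds no role from that business unit.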
Tip
Check out the following video: Assigning security roles in the Power Platform admin center.
Follow these steps to assign a security role.
Sign in to the Power Platform Admin center as a System Administrator.
Select Environments, and then select an environment from the list.
Select Settings.
Select Users + permissions, and then select Users.
On the Users page, select a user, and then select Manage security roles.
Select or deselect security roles. If the user has roles already assigned. When finished, select Save. After saving, all selected roles become the current assigned roles for the user. Unselected roles aren't assigned.
When the allow record ownership across business units setting is enabled, you can select security roles from different business units.
Important
You must assign at least one security role to every user either directly or indirectly as a member of a group team. The service doesn't allow access to users who don't have at least one security role.
Note
The panel shown above shows and manages only direct role assignments for the user. Manage group teams explains how to see and manage roles assigned as a member of a group team.
User settings privileges for record ownership across business units
If you have enabled allow record ownership across business units, your users can access data in other business units by having a security role from these other business units directly assigned to them. The user also needs a security role assigned from the user's business unit with privileges from the following tables in order to update the user UI settings:
- Action Card User Settings
- Saved View
- User Chart
- User Dashboard
- User Entity Instance Data
- User Entity UI Settings
- User Application Metadata
To assign security roles to users in an environment that has zero or one Microsoft Dataverse database, see Configure user security to resources in an environment.
(Optional) Assign an administrator role
You can share Microsoft Online Services environment administration tasks among several people by assigning Microsoft Online Services environment administrator roles to users you select to fill each role. You might decide to assign the global administrator role to a second person in your organization for times when you're not available.
There are five Microsoft Online Services environment administrator roles with varying levels of permissions. For example, the password reset administrator role can reset user passwords only; the user management administrator role can reset user passwords in addition to adding, editing, or deleting user accounts; and the global administrator role can add online service subscriptions for the organization and manage all aspects of subscriptions. For detailed information about Microsoft Online Services administrator roles, see Assigning Admin Roles.
Note
Microsoft Online Services environment administrator roles are valid only for managing aspects of the online service subscription. These roles don't affect permissions within the service.
Automatic role assignment
When users are added to Dataverse, roles are assigned automatically based on the following criteria:
- All Microsoft Entra ID admins (tenant admin, Power Platform admin, Dynamics 365 service admin) get the System Administrator role in Dataverse.
Important
The System Administrator role isn't removed automatically if the Microsoft Entra admin role is removed. Since there is no mechanism to track if the role was assigned by the system automatically or by an administrator, we recommend the administrator manually remove the System Administrator role once the Microsoft Entra role is removed.
- Users with a valid license get the corresponding mapped roles assigned to them automatically. Removal of the respective license results in automatic role removal. License-based default role management isn't applicable for users in these types of environments: Dataverse for Teams, Trial, and Developer.
- For the Default environment type, Basic User and Environment Maker roles are assigned automatically to all users added in Dataverse.
- In the finance and operations linked environment with a Dataverse database, the finance and operations Basic User security role is automatically assigned to all active users in Dataverse.
License to role mapping
If defined in your environment, certain roles are automatically assigned to users when users are added to Dataverse based on the license the users are assigned. You can view the license to role mapping in an environment by navigating to the License to Role Mapping page in the Power Platform admin center.
Go to Environments > [select an environment] > Settings > Users + Permissions > License To Role mapping.