“I don’t want to ask platform admins each time there’s a change in user security roles, can I manage them myself with Power Automate flow?”
In the standard scenario, it’s the Power Platform environment admin who manages the roles using the admin portal. A user needs access to a specific solution, admin will manually assign a role. Once he doesn’t need it anymore, admin will manually remove it. That sounds like a lot of work, especially if the users are often changing. And a time consuming work, if you’re not the admin but need to ask somebody else to do it.
How could you avoid all this manual labour? Can a flow automate some of the work for your and/or the Power Platform administrator?
Note: according to documentation you can’t assign a role with higher privileges that you have, I believe it’s the same also with the flow.
List all users and their roles
Before we start adding and removing the roles, let’s list all the users and their roles first. There’re two Dataverse tables relevant for this solution – ‘User’ (list of users) and ‘Security Role’ (list of security roles). Each user has assigned 0-n security roles.
To see them add the ‘List rows’ action and list all the users. I like reducing the output a bit and Select only columns relevant for the solution. It’s not a necessity, but in this case it’s the user first name, last name, and email address.
Select columns:
firstname,lastname,internalemailaddressSince it’s two related tables, use also the Expand Query parameter to get the related roles right away. Again, you can Select only some of the columns, e.g. name and role id.
Expand Query:
systemuserroles_association($select=name,roleid)
As you can see above, the response JSON will contain a list of all users with their roles.
Add security role to a user
Assigning a security role to a user means creating a relationship between the User and the Security Role.
Start by finding the security role in the Security Role table, e.g. the ‘Approvals User’ role.
Filter rows:
name eq '<role name>'
The second input will be the user who should get this role from the ‘User’ table. Find him using ‘Filter array’ if you listed the users & roles first (the previous chapter), or with another filtered ‘List rows’ action.
Filter rows:
internalemailaddress eq '<email address>'
These two actions will give you the input for the ‘Relate rows’ action that’ll create the connection. Add it to your flow and extract the desired values from the output JSON with expressions – the user id and the role @odata.id, e.g.
User id:
first(outputs('List_rows_-_find_user')?['body/value'])?['systemuserid']
Role @odata.id:
first(outputs('List_rows_-_find_security_role')?['body/value'])?['@odata.id']
Run the flow and the user will receive the desired role on the environment (if you have a good enough role yourself).
Remove security role from a user
Removing a security role is very similar to adding a role, the only difference is in the action you run. Instead of ‘Relate rows’ use the ‘Unrelate rows’, the rest stays the same.
Summary
As you can see in this article, you can quite easily manage user security roles with a Power Automate flow. The users are stored in the ‘User’ dataverse table, security roles in the ‘Security Role’ table, and role assignment is only a relationship between a user and a role. You can list them, you can create them, you can remove them, all the operation you might need for a simplified user role management.
great!! That was really useful! I just wonder how can I filter by an object id as example, to do that with a security group? Thanks
Hello josee,
I’m not sure I understand the question, but there’s always the ‘Filter array’ action to filter anything if there’s no direct possibility in the action.