When working on setting up security in Power Platform environments it is important to consider all the different aspects of security. Sometimes it may happen the user may experience missing environment instances while trying to access it from the maker portal and the admin portal.
Recently one of our clients reported that the user having the system administrator role was not able to see the Default environment from the admin portal and a few of the environment instances seemed to be missing from both the admin portal and the maker portal.
We started exploring more on it, as they were not sure why they are being restricted from viewing all the environments.
In this blog, we will have a walkthrough of the findings that we came up with while troubleshooting the above scenario.
User with “Global Administrator” role from admin Power Platform:
When we investigated further, “Alex” was the Global Administrator in the client environment and hence he was able to see all the environments from the maker portal as shown below:
The environments present in the organization are:
- DEV (default)
“Alex” can see all the environments from the admin portal as well:
User with “System Administrator” Dataverse role from maker portal:
But another user named “William” having the “System Administrator” role was having a different experience, as explained below:
“William” being the System Administrator was able to access the DEV1 environment through normal URL login as below:
But only the Default environment appeared from the maker portal:
- DEV (default) as shown below, and other environments were missing:
Also, “William” was getting a message saying, “No environments were found” as shown below when looking from the admin portal:
- As you can see in the above screenshot, even the Default environment named “DEV (default)” was not displayed in the admin portal.
- It took around 15-20 minutes for the intended DEV1 environment to appear in both the admin and maker portal for this user.
Why “DEV (default)” instance is missing?
When we explored more, we found that there are inbuilt roles named the “Environment admin” role and “Environment maker” role that provide access to permissions within an environment that are without the Dataverse database. For more details, kindly refer to this doc.
We then quickly assigned the “Environment admin” role to “William” explicitly, and the moment we assigned that role the default environment named “DEV (default)” immediately started appearing on the admin portal for “William”.
Follow below simple steps to assign the “Environment admin” role to the user:
Open the default environment [DEV (default)] > In the Access section > under “Environment admin” > click on the “See all” hyperlink as below:
After this click on the “Add users” button which navigates you to the page where you can select the appropriate user > in our scenario added “William Lee” by clicking on the “Add” button further as shown below:
Once added, “William” starts appearing under the “Environment Admin” role:
Immediately if you observe the “DEV (default)” environment appears in the admin portal as shown in the below screenshot:
NOTE: By default, there was no user added initially to the Environment Admin role for the default environment, need to explicitly add wherever required.
Why “DEV2” instance is missing?
Now the reason for “DEV2” not appearing is, that the instance “DEV2” had been associated with the security group “IT Services “as shown below:
So only the users that are a member of this security group can access the environment and “William” was not part of the security group and hence was not able to access the environment. You can explore more on the security groups by referring to this doc.
NOTE: If user “William” tried to log in to the instance “DEV2” then the following window will come as he is trying to access the environment associated with the security group and is currently not a member of this security group.
The new feature of highlighting the error while adding the user in Dataverse:
Recently we observed when you try to add a user from Maker Portal in Dataverse, it gets highlighted, due to which a requirement mismatch is shown, and in turn, it ends up not being added. (Earlier such highlighted errors were not shown and we had to check the conditions individually that restricted the addition).
If you try to add the user to an environment that is associated with the security group, and the user that you are trying to add is not part of that security group, you will experience the following:
Another example is if a user does not have any license and you are trying to add it in Dataverse then you will experience the following:
Hence, we can conclude that while setting up the security for users in your organization, the environment admin role and security groups play a major role.