When users shall have access to a PowerApp that is using Dataverse (formerly Common Data Service - CDS), they also need to have the permissions to access the data entity (nowadays called table). So, if your users get an ugly "unknown error occurred" when accessing the PowerApp, here´s the solution to assign the required security role and permissions.
The data table
To demonstrate how to set permissions, I switched to the environment (in my sample, it´s the "Dev environment") and created a new table in the https://make.powerapps.com/environments/<environment-id>/entities / Data / Table menu. The table name here is atworktest with some text columns.
This table will be used by a Power App. You can find out more about using Dataverse at Common Data Service Introduction - CDS 101.
Note that these steps are required, since the Environment Maker role doesn't have privileges on the environment's data. The System Administrator role has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Users with that security role can view all data in the environment - they don´t need explicit permissions. See more about the predefined security roles at Environments with a Dataverse database.
So, to add permissions to users follow these steps: As Administrator, you can open the gear icon in the top right corner next to the account icon to open the settings menu. In the menu, open the Advanced settings as here.
This opens a new tab https://<environment-id>.crm4.dynamics.com/main.aspx?settingsonly=true - just to mention, this can take some time to load…
Open the Settings in the menu bar. Under System, open Security.
Open the Security Roles.
Open the Security Role Basic User. Every user with a license is automatically assigned to that Security Role. This role is for actions in core entities where the user can write, update, and delete records that they created or owned.
Note from the docs: The (old) Common Data Service User security role was renamed to Basic User. There is no action required - this is just a name changed and it doesn't impact the user privileges or role assignment. If you have a Solution with the Common Data Service User security role, you can inadvertently update the security role name back to Common Data Service User when you import the Solution. Please update the Solution before re-importing.
Find details about the security roles at Environments with a Dataverse database and at Common Data Service User security role renamed to Basic User.
Of course, you can use other roles or a custom security role as well. Just to mention, when you create a custom security role, you need to include a set of minimum privileges into the security role in order for a user to run an app. You can set the Dataverse minimum privilege security role with the solution at MinprivilegeSecRole_1_0_0_0.zip. You find instructions at Create or configure a custom security role.
Here, we stay with the predefined role. Click on the Basic User security role. This opens a popup window where you can edit that role. Click on the tab Custom Entities here.
Locate your table(s). Here it´s table atworktest. We see that this role does not have any permissions to that table. The column names identify the permissions Create, Read, Write, Delete, Append, Append To, Assign and Share.
So we need to change that for the Basic User. Click on the permissions - the red icons - in that table row and for every column.
Note that you can click multiple times on each icon to set the state to the desired permission. The Key table below shows the options. To ensure all permissions are given, you use the yellow and the green icons. Here, as an example, the permissions to that table are set for all users for the whole organizations.
When done, click on the Save and Close icon. A message shows "Updating role" for some seconds. The popup closes.
Check the security role assignment
To ensure that the users have that role assigned, you can check the Settings and Security again.
Locate a user and click on the user name.
Click on Manage Roles in the menu bar. In the popup, you should see the assignment of that user to the Basic User role - again, this is the default group for every user.
So, this user will now have access to the table in Dataverse. That´s it. You can also find a cool video at Intro to PowerApps Common Data Service for Canvas Apps.
In real world scenarios, you would create a custom security role for a scenario and assign only the required permissions to specific users. We see, Dataverse (CDS) allows to set specific permissions for users and groups. Note that the users must have a Dataverse license, they show up in the Dynamics users list after the automatic sync from Azure AD. Again, this step is required to use the table(s) in the Power App. Since this often is a stumbling block, I hope this step-by-step instructions help to run PowerApps with Dataverse.