There is a new sheriff in town

By | February 3, 2023

Or, in our case, there is a new user in Power Pages:

Power Pages :: Improved Dataverse connection using Dataverse Application User | Microsoft Power Pages

In short, this change unlinks portal accounts from the built-in System user in Dataverse, and, even though the transition is supposed to be smooth, I figured I’d dig a little deeper, so here is what it looks like.

There are 4 roles – 3 of them are mentioned in the post above:

  • Portal Application User
  • Service Reader (is it also a new one? I am, actually, not sure)
  • Service Writer
  • Service Deleter

Service Reader is not assigned to the portal account, so I’m not sure what the purpose is exactly. However, it does have read-only permission on all the tables, and it’s automatically updated whenever a new table is added. So it works in almost the same way as the other two “Service” roles.

Portal Application User gives required permissions to read plugins/steps/etc – it’s, clearly, a service role.

The other two (Service Writer and Service Deleter) are where the magic happens. With the two of them assigned to an account, that account will get almost full permissions on all Dataverse tables in the environment:

There is one exception, though, since, if you look at those screenshots above, you’ll see that “Share” permission is not given by any of those roles.

Do you have a real-time workflow, or a synchronous plugin, which will be sharing the records created/updated by the portal? That’s, probably, not going to work anymore – you may need to reconfigure those to run under another account (or, alternatively, you may choose to add another role to the portal user).

Other than that, it seems quite straightforward:

  • All new tables added to the Dataverse environment will also be added to the Reader/Writer/Deleter roles (automatically, you don’t need to do a thing)
  • Those roles are not, actually, giving system admin permissions (the ability to publish changes, for example, is not given through those roles). That should not be a problem in most cases, and, if it is, you are likely doing something wrong anyways, since that kind of system customization is not supposed to be done through the customer portal
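One way to check for the Share gap described above before a workflow or plugin runs into it, as an added example (not code from the original post or from Microsoft): it unions the table privileges of every role on the portal account and lists the verbs none of them grants. The role contents and function names are constructed for illustration; privilege names follow Dataverse's `prv<Verb><Table>` convention.

```python
from collections import defaultdict

# Dataverse names table privileges prv<Verb><Table>. "AppendTo" is tried before
# "Append" so prvAppendToAccount is not read as Append on a table "ToAccount".
VERBS = ["AppendTo", "Append", "Create", "Read", "Write", "Delete", "Assign", "Share"]


def parse_privilege(name):
    """Return (verb, table) for a table privilege name, or None for anything else."""
    if not name.startswith("prv"):
        return None
    rest = name[3:]
    for verb in VERBS:
        if rest.startswith(verb) and len(rest) > len(verb):
            return verb, rest[len(verb):]
    return None


def effective_privileges(roles):
    """Union the verbs granted per table across every role assigned to one user."""
    granted = defaultdict(set)
    for privilege_names in roles.values():
        for name in privilege_names:
            parsed = parse_privilege(name)
            if parsed:
                granted[parsed[1]].add(parsed[0])
    return dict(granted)


def missing_verbs(roles, required):
    """Map each table to the required verbs that no assigned role grants."""
    gaps = {}
    for table, verbs in effective_privileges(roles).items():
        if set(required) - verbs:
            gaps[table] = sorted(set(required) - verbs)
    return gaps


# CONSTRUCTED sample data; how verbs split between the roles is an assumption.
SAMPLE_ROLES = {
    "Service Writer": ["prvCreateAccount", "prvReadAccount", "prvWriteAccount",
                       "prvAppendAccount", "prvAppendToAccount", "prvAssignAccount"],
    "Service Deleter": ["prvDeleteAccount"],
    "Portal Application User": ["prvReadPluginAssembly"],
}

if __name__ == "__main__":
    for table, verbs in sorted(missing_verbs(SAMPLE_ROLES, ["Share"]).items()):
        print(f"{table}: no assigned role grants {', '.join(verbs)}")
```

Feed it the privilege names exported from your own environment's roles in place of `SAMPLE_ROLES`; any table a sharing workflow or plugin touches that shows up in the output needs that step moved to another account or an extra role on the portal user.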

Have fun!
