top of page
  • Writer's pictureLeoza Kabir Barker

Power Automate: Assign and Unassign Security Roles

Updated: Jun 7

If you are an IT administrator who has to manage user access into the Dataverse environments, then this is the blog for you.

Recently, we encountered a use case where our client wanted to streamline the process of assigning security roles to users. They wanted to provide users read-only access to data that belonged to their business unit and wanted a solution that did not require navigating to the Power Platform Admin Center for each role assignment.

To address this, we built a Dataverse table where admins can easily add users who require read-only access to their data and a Power Automate flow that will automatically assign or unassign security roles.

Automating the process

When a user is added to the table, a Power Automate flow is triggered and the user will seamlessly get added to the security role in their business unit.

We have a custom security role created in advance that gives read-only access to the appropriate tables.

Admins are expected to deactivate a user, instead of deleting, on the table to unassign a security role, as the flow is unable to retrieve details of a deleted record. Hence, when a user is deactivated, the same flow is triggered to unassign the user from the role.

Power Automate Flow Implementation

The trigger of the flow is 'Added or Modified' on the Dataverse table named 'Read-Only Users.' We set the 'Select Columns' field to include statecode, so the flow triggers only upon status modification.

The 'Name' column of the user on the table is a lookup to the out of the box User table.

Trigger: When a row is added or modified on the user table

Then we did a 'Get Row' on the out of the box 'User' table, using the same 'Name'


We also listed all the security roles with the name = 'Read Only' and in the same business unit as the user.

The user's business unit can be retrieved from the 'Get row' action.

Note: If you have multiple business units set up in your Dataverse environment, your security roles will be duplicated for each business unit.

Perform a Get User on the systemuser table and list security roles to be able to assign users to security role

We did a check to see if the status of the user from the trigger is active or inactive. In dataverse, the values for the out of the box status field are the following:

  • Active: 0

  • Inactive: 1

If status is active, because the systemuser and role tables have a N:N relationship, we will use the Dataverse Relate rows action to establish a relationship and assign a security role.

Table name: Users (out of the box systemusers table)

Row ID: Same user id from the trigger output

Relationship: Security Role - systemuserroles_association

Relate with: [Your environment url]api/data/v9.1/roles([role id from your list action\)

Note: your environment url will look something like In my case, I stored it in an environment variable.

Similarly, for unassigning a role, use the Dataverse Unrelate Rows action.

Assign and unassign security role

And lastly, don't forget to test your flow and access.

Hope that helped :)

See you next time!

About Me

I'm Leoza Kabir Barker, a Functional Consultant at XRM Vision with a focus on the Power Platform. Through my expertise, I aim to streamline processes, optimize operations, and maximize productivity. 

Connect with Me


Couldn’t Load Comments
It looks like there was a technical problem. Try reconnecting or refreshing the page.
bottom of page