Assigning Dataverse security roles manually works pretty well – until it doesn’t.
Whether you are onboarding 50 new hires or rolling out access to a new app, managing roles by hand can be tedious and error-prone.
In this article, you will learn about three scalable ways to assign security roles across multiple users or teams, with low-code and pro-code options.
Table of Contents
Aside: Teams
Teams are the simplest way to assign roles to multiple users.
Dataverse admins and team owners can add users to one or more teams. Rather than assigning roles to individual users, the security role is assigned to the team.
But there are caveats: record ownership and team management can introduce their own complexity. In environments with many teams, updating security roles can become just as tedious as assigning them individually.
This article focuses on programmatic individual assignments, but keep in mind that all three methods described below can be adapted to work with teams as well.
Canvas Apps Relate / Unrelate Functions
Canvas app developers can use Power FX to assign security roles across users or teams. Minimal code is required, and the result can serve as a lightweight security role management portal.
While not ideal for massive batches, this approach is suitable for assigning roles to a few hundred users.
ForAll(
colSelectedUsers As User,
Relate(
User.'Security Roles (systemuserroles_association)',
cbx_securityRoles.Selected
)
)
Here:
-
colSelectedUsersis a collection of users. -
cbx_securityRolesis a Combobox control holding the security role to assign.
The Relate function connects each user with the selected security role. The first parameter is the many-to-many relationship (systemuserroles_association) between systemuser and role.
To find relationship names, open the User table > Relationships. Then, look for many-to-many connections to the role table.
The security role/user relationship is a many-to-many relationship.
Power Automate with the Relate Rows in Dataverse Action
The Relate Rows in Dataverse action allows you to assign roles dynamically in cloud flows.
How it works:
-
Trigger a flow (for example, manually or via Dataverse trigger).
-
Fetch a list of users based on a condition.
-
Loop through each user with Apply to Each.
-
Assign a static or dynamic security role.
C# Console App: Using the Dataverse SDK
This method offers maximum control and supports complex, high-scale role assignments – but it requires pro-code skills.
Example:
This console app:
-
Connects to the environment via client credentials.
-
Retrieves all users with the title “Salesperson”
-
Builds a batch of associate requests.
-
Executes the batch transactionally – if one fails, all fail.
<span class="hljs-keyword">using</span> Microsoft.PowerPlatform.Dataverse.Client;
<span class="hljs-keyword">using</span> Microsoft.Xrm.Sdk;
<span class="hljs-keyword">using</span> Microsoft.Xrm.Sdk.Messages;
<span class="hljs-keyword">using</span> Microsoft.Xrm.Sdk.Query;
<span class="hljs-keyword">class</span> <span class="hljs-title">Program</span>
{
<span class="hljs-function"><span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title">Main</span>(<span class="hljs-params"><span class="hljs-keyword">string</span>[] args</span>)</span>
{
<span class="hljs-keyword">string</span> dataverseUrl = <span class="hljs-string">"https://your-org.crm.dynamics.com"</span>;
<span class="hljs-keyword">string</span> clientId = <span class="hljs-string">"client-id-here"</span>;
<span class="hljs-keyword">string</span> clientSecret = <span class="hljs-string">"client-secret-here"</span>;
<span class="hljs-keyword">string</span> tenantId = <span class="hljs-string">"tenant-id-here"</span>;
<span class="hljs-keyword">string</span> connectionString = <span class="hljs-string">$@"
AuthType=ClientSecret;
Url=<span class="hljs-subst">{dataverseUrl}</span>;
ClientId=<span class="hljs-subst">{clientId}</span>;
ClientSecret=<span class="hljs-subst">{clientSecret}</span>;
TenantId=<span class="hljs-subst">{tenantId}</span>;
"</span>;
<span class="hljs-comment">// Connect to our environment</span>
<span class="hljs-keyword">using</span> <span class="hljs-keyword">var</span> serviceClient = <span class="hljs-keyword">new</span> ServiceClient(connectionString);
<span class="hljs-keyword">if</span> (!serviceClient.IsReady)
{
Console.WriteLine(<span class="hljs-string">"Failed to connect."</span>);
<span class="hljs-keyword">return</span>;
}
<span class="hljs-comment">// Fetch a list of users that we intend to associate a role with</span>
<span class="hljs-keyword">var</span> query = <span class="hljs-keyword">new</span> QueryExpression(<span class="hljs-string">"systemuser"</span>)
{
ColumnSet = <span class="hljs-keyword">new</span> ColumnSet(<span class="hljs-string">"systemuserid"</span>),
Criteria = <span class="hljs-keyword">new</span> FilterExpression
{
Conditions =
{
<span class="hljs-keyword">new</span> ConditionExpression(
<span class="hljs-string">"title"</span>,
ConditionOperator.Equal,
<span class="hljs-string">"Salesperson"</span>
),
}
}
};
<span class="hljs-keyword">var</span> users = serviceClient.RetrieveMultiple(query);
<span class="hljs-comment">// Role to assign (pretend guid for demo purposes)</span>
<span class="hljs-keyword">var</span> securityRoleId = <span class="hljs-keyword">new</span> Guid(
<span class="hljs-string">"00000000-0000-0000-0000-000000000ABC"</span>
);
<span class="hljs-comment">// Prepare our transaction</span>
<span class="hljs-keyword">var</span> transaction = <span class="hljs-keyword">new</span> ExecuteTransactionRequest
{
ReturnResponses = <span class="hljs-literal">true</span>,
Requests = <span class="hljs-keyword">new</span> OrganizationRequestCollection()
};
<span class="hljs-comment">// For each user we fetched above, we add an associate request </span>
<span class="hljs-comment">// to the transaction</span>
<span class="hljs-keyword">foreach</span> (<span class="hljs-keyword">var</span> user <span class="hljs-keyword">in</span> users.Entities)
{
<span class="hljs-keyword">var</span> userId = (Guid)user[<span class="hljs-string">"systemuserid"</span>];
<span class="hljs-keyword">var</span> relationship = <span class="hljs-keyword">new</span> Relationship(
<span class="hljs-string">"systemuserroles_association"</span>
);
<span class="hljs-keyword">var</span> relatedReferences = <span class="hljs-keyword">new</span> EntityReferenceCollection
{
<span class="hljs-keyword">new</span> EntityReference(
<span class="hljs-string">"role"</span>,
securityRoleId
)
};
<span class="hljs-comment">// build the associate request</span>
<span class="hljs-keyword">var</span> request = <span class="hljs-keyword">new</span> AssociateRequest
{
Target = <span class="hljs-keyword">new</span> EntityReference(
<span class="hljs-string">"systemuser"</span>,
userId
),
RelatedEntities = relatedReferences,
Relationship = relationship
};
<span class="hljs-comment">// add the request to the transaction</span>
transaction.Requests.Add(request);
}
<span class="hljs-comment">// Finally, execute the batch as a transaction</span>
serviceClient.Execute(transaction);
}
}
You can even utilize this logic within a Custom API, allowing Power Automate or Canvas Apps to call it, blending low-code and pro-code capabilities.
Final Thoughts
If your teams are already well-structured and manageable in number, teams remain the easiest way to assign roles at scale.
But when teams aren’t feasible – or when assigning directly to users is required – each method we discussed here offers a viable alternative:
-
Use Canvas Apps for lightweight, user-facing management portals
-
Use Power Automate when complexity is low and there is a need to trigger it in a variety of ways.
-
Use C# and the Dataverse SDK for full control and batch efficiency.
Ready to automate your role assignments? Start small – build a simple Power App or Flow – and scale your approach from there. Check out more tips and tricks at ScriptedBytes.com
Source: freeCodeCamp Programming Tutorials: Python, JavaScript, Git & MoreÂ
