
Assign Dataverse access rights via flow – share connection references with co-developers

  • Writer: kim
  • 5 days ago

🛵 Use Case: Two makers, one mission

Marie and Marvin are Power Platform Makers at Mofa-Schuppen – a charming rental company for nostalgic mopeds.

In their joint solution, they are developing a flow that automatically processes new booking requests.


Problem:

  • Marie created the flow and shared it with Marvin (co-owner) – this works smoothly via the interface in Power Automate

  • ❌ But Marvin receives an error message when exporting or deploying to a new environment.


“I can see and edit the flow – but I can’t export or deploy the solution?” Marvin asks.

Error message during deployment or export by Marvin:

{"error":{"code":"0x80048306","message":"user with id 4498f998-4207-ef11-9f89-002248d8367d does not have ReadAccess right(s) for record with id edc22b0f-2838-f011-877a-000d3a83fd0f of entity Connection Reference. Consider assigning a role with the required access level to the user or team. For further troubleshooting, please work with a system administrator to use the Access Checker tool on this record: https://orgea7d98cf.crm16.dynamics.com/main.aspx?forceUCI=1&pagetype=entityrecord&etn=connectionreference&id=edc22b0f-2838-f011-877a-000d3a83fd0f. More details: {\"CallerPrincipal\":{\"PrincipalId\":\"4498f998-4207-ef11-9f89-002248d8367d\",\"Type\":8,\"IsUserPrincipal\":true},\"OwnerPrincipal\":{\"PrincipalId\":\"8c6ca988-16ff-ee11-9f89-002248d8367d\",\"Type\":8,\"IsUserPrincipal\":true},\"ObjectId\":\"edc22b0f-2838-f011-877a-000d3a83fd0f\",\"ObjectTypeCode\":10093,\"EntityName\":\"connectionreference\",\"ObjectBusinessUnitId\":\"c4bcba24-a7f3-ee11-a1fe-002248751586\",\"RightsToCheck\":\"ReadAccess\",\"RoleAccessRights\":\"None\",\"PoaAccessRights\":\"None\",\"HsmAccessRights\":\"None\",\"GrantedAccessRights\":\"None\",\"Messages\":[\"BasicMinimumPrivilegeDepthRequired = None\",\"EntityUserGroupRights = None\",\"LocalMinimumPrivilegeDepthRequiredRights = ReadAccess\",\"SecLib::AccessCheckEx2 failed. 
Owner Data: roleCount=2, privilegeCount=716, accessMode='0 Read-Write', AADObjectId='92d4a031-fcd0-45db-9c5e-8c0506b11e84', MetadataCachePrivilegesCount=4889, businessUnitId=c4bcba24-a7f3-ee11-a1fe-002248751586; Principal Data: roleCount=2, privilegeCount=716, accessMode='0 Read-Write', AADObjectId='21651703-e46e-4f26-bb5c-ac7d84b75439', MetadataCachePrivilegesCount=4889, businessUnitId=c4bcba24-a7f3-ee11-a1fe-002248751586\"],\"EntityOwnershipTypeMask\":1,\"CallerInfo\":{\"IsSystemUser\":false,\"IsSupportUser\":false,\"IsAdministrator\":false,\"IsCustomizer\":false,\"IsDisabled\":false,\"IsIntegrationUser\":false,\"Teams\":null,\"Roles\":null},\"ReadOnlyState\":\"UserAndOrgFullAccess\",\"IsHsmEnabled\":false,\"HsmInfo\":null,\"AccessOrigin\":null}"}}

🎯 The root cause: Connection References are Dataverse rows

Connection References are Dataverse rows, stored in a table like any other in Dataverse.

And: the standard UI does not allow direct sharing of these records.

👉 Access must be granted by other means – via API, flow or manual approval.

In this blog I will show you one of several ways to solve this:

Targeted sharing with the GrantAccess action in Power Automate.

And for those who prefer clicking to automating, there's also an option at the very end of this blog: how to share connection references using the classic Dynamics 365 interface.



🔧 Grant access with GrantAccess

In Power Automate, the Dataverse "Perform an unbound action" action offers GrantAccess, which you can use to give other system users access to specific Dataverse rows – for example, to a connection reference.

Example: Marvin gets read access to Marie's Connection Reference

Action: Perform an unbound action

Action Name: GrantAccess


Target:

{
  "@{string('@odata.type')}": "Microsoft.Dynamics.CRM.connectionreference",
  "connectionreferenceid": "<YourConnectionReferenceId>"
}

PrincipalAccess:


{
  "AccessMask": "<DesiredAccessRight>",
  "Principal": {
    "@{string('@odata.type')}": "Microsoft.Dynamics.CRM.systemuser",
    "systemuserid": "<YourSystemUserId>"
  }
}

🧠 You only need to adjust three values:

  • YourSystemUserId: Marvin's ID (from the systemuser table)

  • YourConnectionReferenceId: ID of the connection reference you want to share

  • Desired access right: Level of access to the row, e.g. "ReadAccess"



📘 AccessMask – What rights are possible?

| Access Mask | Meaning |
|---|---|
| ReadAccess | Reading is enough to export the solution |
| WriteAccess | Edit |
| AppendAccess | Be included in lookups |
| AppendToAccess | Bind other lookups to you |
| DeleteAccess | Delete |
| ShareAccess | Granting rights to others |
| AssignAccess | Change owner |


Example:

Marie gives Marvin access to the Connection Reference for Outlook with "ReadAccess" so that Marvin can export/deploy the solution.


Result:

  • Marvin can see Marie's connection reference but cannot delete it

  • Marvin can deploy / export the solution
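
As an added example (not part of the original post): the Python below reads the structured "More details" object from an error like the one above and builds the Target and PrincipalAccess values for GrantAccess, refusing anything other than ReadAccess on a connection reference. SAMPLE_ERROR is a constructed, shortened copy of that error; the function names and the allow-lists are assumptions made for this example.

```python
import json

# Constructed, shortened sample: same shape and IDs as the error shown above.
DETAILS = {
    "CallerPrincipal": {"PrincipalId": "4498f998-4207-ef11-9f89-002248d8367d", "Type": 8},
    "OwnerPrincipal": {"PrincipalId": "8c6ca988-16ff-ee11-9f89-002248d8367d", "Type": 8},
    "ObjectId": "edc22b0f-2838-f011-877a-000d3a83fd0f",
    "EntityName": "connectionreference",
    "RightsToCheck": "ReadAccess",
    "GrantedAccessRights": "None",
}
SAMPLE_ERROR = json.dumps({"error": {"code": "0x80048306", "message":
    "user with id 4498f998-4207-ef11-9f89-002248d8367d does not have ReadAccess "
    "right(s) for record with id edc22b0f-2838-f011-877a-000d3a83fd0f of entity "
    "Connection Reference. More details: " + json.dumps(DETAILS)}})

# Assumed policy for this example: share connection references read-only.
ALLOWED_ENTITIES = {"connectionreference"}
ALLOWED_RIGHTS = {"ReadAccess"}
SYSTEMUSER_TYPE = 8  # object type code of the systemuser table

def parse_access_error(raw):
    """Return the structured 'More details' object embedded in the message."""
    message = json.loads(raw)["error"]["message"]
    marker = "More details: "
    start = message.index(marker) + len(marker)
    # raw_decode tolerates any text that follows the JSON object
    details, _ = json.JSONDecoder().raw_decode(message[start:])
    return details

def build_grant_access(details):
    """Build GrantAccess parameters for exactly the missing right, or refuse."""
    entity, right = details["EntityName"], details["RightsToCheck"]
    caller = details["CallerPrincipal"]
    if entity not in ALLOWED_ENTITIES:
        raise ValueError(f"refusing to share rows of {entity!r}")
    if right not in ALLOWED_RIGHTS:
        raise ValueError(f"refusing to grant {right!r}")
    if caller.get("Type") != SYSTEMUSER_TYPE:
        raise ValueError("caller is not a system user")
    return {
        "Target": {"@odata.type": f"Microsoft.Dynamics.CRM.{entity}",
                   f"{entity}id": details["ObjectId"]},
        "PrincipalAccess": {
            "AccessMask": right,
            "Principal": {"@odata.type": "Microsoft.Dynamics.CRM.systemuser",
                          "systemuserid": caller["PrincipalId"]}},
    }

if __name__ == "__main__":
    print(json.dumps(build_grant_access(parse_access_error(SAMPLE_ERROR)), indent=2))
```
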



🚫 Revoke access with RevokeAccess

If you want to clean up afterwards, you can revoke the access again.

Action: Perform an unbound action

Action Name: RevokeAccess



Target:

{
  "@{string('@odata.type')}": "Microsoft.Dynamics.CRM.connectionreference",
  "connectionreferenceid": "<YourConnectionReferenceId>"
}

Revokee:

{
  "@{string('@odata.type')}": "Microsoft.Dynamics.CRM.systemuser",
  "systemuserid": "<YourSystemUserId>"
}


🔄 Bonus: Share Connection References via the classic Dynamics 365 interface

Don't want to build flows? There's also a way to share connection references through the classic Dynamics 365 interface – here's how:

  1. Open make.powerapps.com

  2. Click on the ⚙️ symbol in the top right corner → “Advanced Settings”


  3. You will land in the classic Dynamics 365 interface

  4. At the top of the menu bar: Advanced Search

  5. Select as table: Connection Reference

  6. Click on Show results


  7. Select the desired row / connection reference

  8. Click “Share” in the ribbon menu



