Read Dataverse access rights: Who has access to which connection reference?
- kim
- 6 days ago
How Marie and Marvin find out at the moped shed who has access to a connection reference – and what exactly is allowed.
🧠 Use Case: Who has which access level to which connection reference?
In the last blog, Marie gave Marvin access to a connection reference via Flow.
Now Marvin asks himself:
“How can I actually check who has access to this line – and whether I really have the necessary permissions?”
And Marie wants to make sure that no one accidentally has more rights than necessary.
🧩 The solution: principalobjectaccess + systemuser + Power Automate
Any explicitly granted access to a Dataverse row is stored in the principalobjectaccessset table – also known as the POA (Principal Object Access) table.
These POA entries contain:
| Field | Meaning |
| --- | --- |
| principalid | Who has access (user or team) |
| objectid | Which record (row) the access applies to |
| accessrightsmask | Which rights (stored as a bitmask) |
🔧 This is what our flow looks like – in detail
The flow starts via Power Apps with a Dataverse ID as input (e.g. an ID from the Connection Reference table).

Step 1: FetchXML with Join on Systemuser
We use a List rows action with this FetchXML query on the table "principalobjectaccessset".
Note: This table is usually not found through the normal search function, so you must enter the value manually. For details, see: https://www.itaintboring.com/dynamics-crm/how-to-verify-principle-object-access-directly-from-the-flow/

💡 Advantage: We get the user's real name (full name) straight away.
Step 2: Select Action – Select important columns & translate AccessMask
The output of the List rows action is processed via Parse JSON and then translated in a Select action.

We use an If/Else chain to translate accessrightsmask into plain text:
if(equals(item()?['accessrightsmask'],0),'No access',
if(equals(item()?['accessrightsmask'],1),'Read only',
if(equals(item()?['accessrightsmask'],3),'Read and Write',
if(equals(item()?['accessrightsmask'],5),'Read and Append',
if(equals(item()?['accessrightsmask'],7),'Read, Write, Append',
if(equals(item()?['accessrightsmask'],23),'Read, Write, Append, AppendTo',
if(equals(item()?['accessrightsmask'],262145),'Read, Share',
if(equals(item()?['accessrightsmask'],262147),'Read, Write, Share',
if(equals(item()?['accessrightsmask'],262151),'Read, Write, Append, Share',
if(equals(item()?['accessrightsmask'],262167),'Read, Write, Append, AppendTo, Share',
if(equals(item()?['accessrightsmask'],65539),'Read, Write, Delete',
if(equals(item()?['accessrightsmask'],65559),'Read, Write, Delete, Append, AppendTo',
if(equals(item()?['accessrightsmask'],589847),'Read, Write, Delete, Append, AppendTo, Assign',
if(equals(item()?['accessrightsmask'],851991),'Read, Write, Delete, Append, AppendTo, Assign, Share','Other'))))))))))))))
Disclaimer:
It's certainly not perfect or complete, but it was enough for us to query the most important access rights and make them human-readable. We limited ourselves to 14 common combinations – otherwise, the function wouldn't save.
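Because accessrightsmask is a bit field, any value can be decoded bit by bit instead of matching fixed combinations, and the same bits can be compared against the rights a principal is supposed to have. The following Python sketch is an added example, not part of the original flow: the bit values are those of the Dataverse AccessRights enumeration, while the function names, the sample rows and the allowed-rights policy are assumptions constructed for illustration.

```python
# Bit values of the Dataverse AccessRights enumeration.
ACCESS_RIGHTS = {
    "Read": 1, "Write": 2, "Append": 4, "AppendTo": 16, "Create": 32,
    "Delete": 65536, "Share": 262144, "Assign": 524288,
}
KNOWN_BITS = sum(ACCESS_RIGHTS.values())


def decode_mask(mask):
    """Return the names of all rights set in an accessrightsmask value."""
    names = [name for name, bit in ACCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        # Surface unexpected bits instead of silently dropping them.
        names.append(f"Unknown(0x{unknown:X})")
    return names or ["No access"]


def excess_rights(rows, allowed_mask):
    """List principals holding rights outside allowed_mask (hypothetical policy)."""
    findings = []
    for row in rows:
        extra = row["accessrightsmask"] & ~allowed_mask
        if extra:
            findings.append((row["fullname"], decode_mask(extra)))
    return findings


# Constructed sample rows in the shape of the flow's JSON output.
SAMPLE_ROWS = [
    {"fullname": "Marvin Neumann", "accessrightsmask": 65559},
    {"fullname": "Marie Hoffmann", "accessrightsmask": 1},
    {"fullname": "Constructed User", "accessrightsmask": 851991},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["fullname"], "->", ", ".join(decode_mask(row["accessrightsmask"])))
    # Assumed policy for this example: Read, Write, Append, AppendTo only.
    allowed = 1 | 2 | 4 | 16
    for name, extra in excess_rights(SAMPLE_ROWS, allowed):
        print("More rights than necessary:", name, extra)
```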
🧪 Example output (JSON)
[
  {
    "fullname": "Marvin Neumann",
    "accessrightsmask": 65559,
    "accessrightsmask_readable": "Read, Write, Delete, Append, AppendTo"
  },
  {
    "fullname": "Marie Hoffmann",
    "accessrightsmask": 1,
    "accessrightsmask_readable": "Read only"
  }
]
📱 Step 3: View in Power Apps
The flow returns the JSON directly to Power Apps.
There you can load it into a collection using ParseJSON() and ClearCollect():


Display in Power Apps interface
Which user has which access rights to which connection reference?
