Jay Padimiti, Author at Microsoft Power Platform Blog
http://approjects.co.za/?big=en-us/power-platform/blog

Power Platform custom security role for Power Automate for desktop (RPA): The guide for admins
http://approjects.co.za/?big=en-us/power-platform/blog/power-automate/power-platform-custom-security-role-for-power-automate-for-desktop-rpa-the-guide-for-admins/
Fri, 19 May 2023 08:00:00 +0000

Is your organization interested in allowing makers to view their run history of desktop flows and other relevant activities in which they have a stake, while still restricting their access to production?

In this post we will show you how to customize security roles for Power Automate for desktop (RPA) and create a custom security role with minimum privileges to monitor production runs. Our post is filled with invaluable tips and tricks for keeping your data safe and protecting your company. So, whether you’re new to Power Automate for desktop or a seasoned pro, this is the ultimate guide for any administrator prioritizing data safety. Let’s get started!

Security Roles

Security roles are a key aspect of Power Platform that help maintain data security and privacy. These roles control access to restricted data and functions and are customized based on the company’s security requirements. With security roles, admins can define permissions for their staff and have better control over what data they can access. This helps prevent data leaks and unauthorized data access.

In Microsoft Dataverse, the role-based security model is used to secure access to the database. This allows environment-wide access to all resources or to configure access to specific apps and data in the environment. Security roles determine a user’s access to the environment’s resources. This access is determined by a combination of access levels and permissions included in a specific security role. This controls the user’s view of apps, flows and data, as well as their interactions with that data.


Pre-Defined Roles

Within the Power Platform, every environment comes with a set of predetermined security roles. These roles are designed around common user tasks and provide access levels that are aligned with the best practice of providing the minimum amount of business data needed to properly use the app. This helps maintain your data’s security while allowing users to execute their necessary job responsibilities.

More information: Configure user security in an environment – Power Platform

Least Privilege Principle

The principle of least privilege is an important consideration when assigning permissions to users in a security role. It specifies that users should only be granted access to the data and functionality that is necessary to perform their job duties. Custom security roles can be created to ensure that users only have access to the tools and data they need to do their job, and nothing more. This helps ensure compliance with regulations and prevent data breaches.

Customization of Security Roles for Power Automate for desktop (RPA)

The least privilege model is a best-practice security principle that emphasizes the importance of users only being granted the permissions necessary to complete their authorized tasks or roles. In this post we will cover the custom role “RPA Reviewer” for Power Automate for desktop (RPA).

RPA Reviewer: Read only access for Power Automate for desktop (RPA) artifacts.

Creating RPA Reviewer Custom Security Role

In many organizations, it is typical for makers not to be granted access to production environments. However, to be able to view the workflow run history and other data relevant to daily operational activities, makers need access to this data. By creating a custom security role called “RPA Reviewer,” platform administrators can allow these makers read-only access to important automation information that resides within a production environment.

While establishing the minimum privileges, we need to define what actions the RPA Reviewer role can perform within the production environment.

  1. In the Power Automate portal
    • View desktop flows created by the user
    • View desktop flow runs
    • View desktop flow activity
  2. In Power Automate for desktop
    • View-only desktop flow in designer

Let’s look at what permissions and privileges can be enabled to support the above requirements for this role:

Group                 Privilege Name         Table Privilege   Access Level
Business Management   Business Unit          Read              Organization
Business Management   Organization           Read              Organization
Business Management   Team                   Read              Organization
Business Management   User                   Read              Organization
Customization         Entity                 Read              Organization
Customization         Entity key             Read              Organization
Customization         Entity map             Read              Organization
Customization         Field                  Read              Organization
Customization         Process                Read, Write       User Level
Customization         Relationship           Read              Organization
Customization         Solution               Read              Organization
Custom Entities       Flow session           Read              User Level
Custom Entities       Flow machine           Read              User Level
Custom Entities       Flow machine group     Read              User Level
Custom Entities       Flow machine image     Read              User Level
Custom Entities       Flow machine network   Read              User Level
Custom Entities       Workflow Binary        Read              User Level
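
A role like this tends to drift as privileges are added over time, so it is worth checking a role's grants against the table above. The following is an added example, not part of the original post or the downloadable solution: it assumes the role's grants have already been exported as (table, privilege, access level) tuples, and the sample role is constructed for illustration.

```python
# Access levels from narrowest to widest. "User Level" and "Organization" are the
# labels used in the table above; the two middle levels are Dataverse's other scopes.
LEVELS = ["User Level", "Business Unit", "Parent: Child Business Units", "Organization"]

ORG_READ = ["Business Unit", "Organization", "Team", "User", "Entity", "Entity key",
            "Entity map", "Field", "Relationship", "Solution"]
USER_READ = ["Flow session", "Flow machine", "Flow machine group",
             "Flow machine image", "Flow machine network", "Workflow Binary"]

# Baseline transcribed from the RPA Reviewer table: {(table, privilege): access level}
BASELINE = {(t, "Read"): "Organization" for t in ORG_READ}
BASELINE.update({(t, "Read"): "User Level" for t in USER_READ})
BASELINE.update({("Process", "Read"): "User Level", ("Process", "Write"): "User Level"})

def audit(role):
    """Compare (table, privilege, level) grants against BASELINE; return findings."""
    findings, seen = [], set()
    for table, privilege, level in role:
        allowed = BASELINE.get((table, privilege))
        seen.add((table, privilege))
        if allowed is None:
            # Privilege is not part of the reviewer role at all.
            findings.append(("EXTRA", table, privilege, level))
        elif LEVELS.index(level) > LEVELS.index(allowed):
            # Privilege is expected, but its scope is wider than the baseline.
            findings.append(("WIDER", table, privilege, level))
    for (table, privilege), level in BASELINE.items():
        if (table, privilege) not in seen:
            findings.append(("MISSING", table, privilege, level))
    return findings

# Constructed sample: the baseline with three deliberate deviations.
SAMPLE_ROLE = [(t, p, lvl) for (t, p), lvl in BASELINE.items()
               if (t, p) != ("Workflow Binary", "Read")]
SAMPLE_ROLE = [(t, p, "Organization" if t == "Flow session" else lvl)
               for t, p, lvl in SAMPLE_ROLE]
SAMPLE_ROLE.append(("Flow machine", "Delete", "User Level"))

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLE):
        print(*finding, sep=" | ")
```

EXTRA and WIDER findings are the ones that break least privilege; MISSING only means the reviewer will not see everything the role was designed to show.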

To implement this custom role in an environment, download the solution and import the security role to support the needs around having a read-only role for production environments.

Solution with Custom Security Role – RPA Reviewer

Download solution: PADCustomRoleReviewer_1_0_0_1

Below is a snapshot of the custom security role after importing the solution.

RPA Reviewer Role


Note: The current approach is to import a solution to use this custom role.

Disclaimer: While the essential features utilized in creating the custom role are completely supported, the provided solution itself serves as an example implementation of these features and does not include any support. Our customers and community members have the freedom to utilize and modify this solution to establish custom roles within their organizations.

In conclusion, creating custom security roles is an integral part of maintaining data security and privacy in the Power Platform. Adhering to the principle of least privilege ensures that users only have access to the resources required to fulfill their job responsibilities, minimizing the risk of data breaches, and maintaining compliance with regulations. Custom security roles tailored to user roles and responsibilities not only provide a secure environment for users but also enhance their productivity and efficiency. By following the steps provided in this guide, admins can confidently customize security roles for Power Automate for desktop (RPA), empowering their makers in development and production environments.

Happy automating!!!

Manage your Power Automate Desktop flows using Web APIs
http://approjects.co.za/?big=en-us/power-platform/blog/power-automate/manage-your-power-automate-desktop-flows-using-web-apis/
Mon, 30 Jan 2023 20:00:13 +0000

Microsoft Power Automate makes it easy to build automations and provides a single, unified experience to manage, monitor and administer the Power Automate Flows. Power Automate portal (make.powerautomate.com) is the default way to manage Power Automate flows such as Cloud Flows and Desktop Flows.

With the introduction of Web APIs, you can manage desktop flows without using the UI, allowing administrators and Automation Center of Excellence teams to manage at scale.

In this post, we will walk through how you can use the Web API capabilities of Power Automate to manage the Power Automate Desktop flows.

Administering Power Automate flows

Before we dive into the Web APIs, here we will explain the existing capabilities that you can use via UI.

Initiate a cloud flow run

Ad hoc initiation of Cloud flows can be achieved by using the Run action on the top ribbon as shown below –

Run a Cloud Flow

By navigating to the Monitor section of the Power Automate portal, cloud flow run activity, desktop flow runs, and desktop flow queue activity can be accessed.

Cloud flow run

Monitor a cloud flow run

Desktop flow run

Monitor a desktop flow run
For more details, refer: Monitor desktop flow runs

Desktop flow queue

Monitor desktop flow queue
For more details, refer: Monitor desktop flow queues

 

How to use the web APIs to manage your Desktop Flows

Until recently, you had to go to these setup pages and views to access key information like Desktop flow queues etc. To streamline and optimize the management of Power Automate Desktop flows, additional capabilities were added to the Power Automate Web API.

For more details, refer: Work with desktop flows using code

Below is the list of desktop flow related actions enabled by the Power Automate Web API:

  • List available desktop flows
  • Get the schema for desktop flows
  • Get the status of a desktop flow run
  • Get desktop flow outputs
  • Trigger a desktop flow run
  • Cancel a desktop flow run

In order to explore these API actions, the first step is to gather details for setting up the authentication with Dataverse.

For more details, refer: Use OAuth authentication with Microsoft Dataverse

For this walkthrough we will use Postman and connect to the web APIs with OAuth authentication. To do so, you need to register the application in your Azure AD tenant. Follow the instructions in the tutorial Register an app with Azure Active Directory to create the application registration for Dataverse.

For more details on using Postman, refer: Use Postman to perform operations with the Web API

To obtain the access token in Postman, gather the information below and populate it into the Authorization section of the request.

VARIABLE    INITIAL VALUE
url         https://<your org name>.api.crm.dynamics.com (Example: https://orgXXXXXX.crm.dynamics.com)
Clientid    51f81489-12ee-xxxx-aaae-a2591f45987d (Application/Client ID from App Registration)
Version     9.2
webapiurl   {{url}}/api/data/v{{version}}/
Callback    https://localhost
Authurl     https://login.microsoftonline.com/common/oauth2/authorize?resource={{url}}

Postman-Authorization for OAuth Access Token

 

Examples of Desktop Flow management actions via Web APIs

1. List available desktop flows

Description: Get a list of desktop flows sorted by name

URL: https://[OrganizationURI]/api/data/v9.2/workflows?$filter=category+eq+6&$select=name,workflowid&$orderby=name

Operation: GET

Request:

Request: List desktop flows

Response:

Response: List desktop flows

2. Get the input schema for desktop flows

Description: For a given desktop flow (Workflow Id), retrieve the flow schema for inputs

URL: https://[OrganizationURI]/api/data/v9.2/workflows([WorkflowId])/inputs/$value

Operation: GET

Request:

Request: Get input schema for a desktop flow

Response:

Response: Get input schema for a desktop flow
NOTE: Input schema value is valid only if desktop flow has defined input variables.

3. Get the Output Schema for Desktop Flows

Description: For a given desktop flow (Workflow Id), retrieve the flow schema for outputs

URL: https://[OrganizationURI]/api/data/v9.2/workflows([WorkflowId])/outputs/$value

Operation: GET

Request:

Request: Get output schema for a desktop flow

Response:

Response: Get output schema for a desktop flow
NOTE: Output schema value is valid only if desktop flow has defined output variables.

4. Trigger a desktop flow run

To trigger a desktop flow run, the ID of the desktop flow and the name of the desktop flow connection (targeting a machine/machine group) are required.

The ID of the desktop flow can be looked up by using the List available desktop flows action and filtering the result by name.

The name of the desktop flow connection can be found in the URL of the connection.

Extract the connection name from the URL

Description: Trigger to run a given desktop flow (Workflow Id)

URL: https://[OrganizationURI]/api/data/v9.2/workflows([Workflow ID])/Microsoft.Dynamics.CRM.RunDesktopFlow

Operation: POST

Request:

Request: Trigger a desktop flow run
NOTE: This action requires the request variables to be sent as a JSON body, as shown above.

Response:

Response: Trigger a desktop flow run
NOTE: The response contains the flowsessionId that can be used to get the status of the desktop flow run.

5. Get the status of a desktop flow run

Description: Get the status of a desktop flow run for given flow session (FlowsessionID)

URL: https://[OrganizationURI]/api/data/v9.2/flowsessions([Flowsession ID])?$select=statuscode,statecode,startedon,completedon

Operation: GET

Request:

Request: Get status for a desktop flow run

Response:

Response: Get status for a desktop flow run

6. Get the desktop flow outputs

Description: Get the outputs of a desktop flow run for given flow session (FlowsessionID)

URL: https://[OrganizationURI]/api/data/v9.2/flowsessions([Flowsession ID])/outputs/$value

Operation: GET

Request:

Request: Get the desktop flow outputs

Response:

Response: Get the desktop flow outputs
NOTE: Output value is valid only if the desktop flow has produced any outputs, else the response will be empty.

7. Cancel a desktop flow run

Description: Cancel a desktop flow run for given flow session (FlowsessionID)

URL: https://[OrganizationURI]/api/data/v9.2/flowsessions(d9687093-d0c0-ec11-983e-0022480b428a)/Microsoft.Dynamics.CRM.CancelDesktopFlowRun

Operation: GET

Request:

Request: Cancel a desktop flow run

Response:

When the flow is in a running state, the response will be as below:

HTTP/1.1 204 No Content

If the flow is not in a running state, the response message below is shown:

Response: Cancel a desktop flow run
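
The list, trigger and status actions above can be chained from a script instead of Postman. The following is an added example, not code from the original post or its Postman collection: the function names are illustrative, the access token is assumed to have been obtained through the OAuth registration described earlier, and the JSON body field names follow Microsoft's documentation for RunDesktopFlow rather than this post's text. It validates IDs as GUIDs before placing them in the URL path and refuses to send the bearer token over anything but HTTPS.

```python
import json, re, time, urllib.parse, urllib.request

API = "/api/data/v9.2/"
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def guid(value):
    """Allow only a bare GUID into a URL path, so an ID cannot alter the request."""
    if not GUID.fullmatch(value):
        raise ValueError(f"not a GUID: {value!r}")
    return value.lower()

def list_flows_url(org):
    # Same query as action 1: category 6 selects desktop flows.
    query = {"$filter": "category eq 6", "$select": "name,workflowid", "$orderby": "name"}
    return org + API + "workflows?" + urllib.parse.urlencode(query, safe="$,")

def run_request(org, workflow_id, connection_name, inputs):
    url = f"{org}{API}workflows({guid(workflow_id)})/Microsoft.Dynamics.CRM.RunDesktopFlow"
    # Body fields follow Microsoft's RunDesktopFlow documentation, not this post's text.
    body = {"runMode": "attended", "runPriority": "normal", "timeout": 7200,
            "connectionName": connection_name, "inputs": json.dumps(inputs)}
    return url, body

def status_url(org, session_id):
    return (f"{org}{API}flowsessions({guid(session_id)})"
            "?$select=statuscode,statecode,startedon,completedon")

def call(method, url, token, body=None, opener=urllib.request.urlopen):
    if not url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with opener(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def trigger_and_wait(org, token, workflow_id, connection_name, inputs,
                     opener=urllib.request.urlopen, sleep=time.sleep, attempts=60):
    url, body = run_request(org, workflow_id, connection_name, inputs)
    session_id = call("POST", url, token, body, opener)["flowsessionId"]
    for _ in range(attempts):
        status = call("GET", status_url(org, session_id), token, opener=opener)
        if status.get("completedon"):  # assumption: populated once the run has ended
            return session_id, status
        sleep(10)
    raise TimeoutError(f"flow session {session_id} still running")
```

The `opener` and `sleep` parameters exist so the sequence can be exercised against a stub before it is pointed at a production environment.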

 

We hope this post helped in providing information to manage Power Automate desktop flows from an external context.

Postman Collection for the above actions is available here.

Happy Automating!!!
