Sharing model-driven apps is slightly different to sharing canvas apps. In this post I’m going to briefly cover what you need to be aware of, together with some supplementary info that will help make the process clearer.
How is Sharing Model-Driven Apps Different from a Canvas App?
There are a lot of similarities and a couple of differences. The main difference between sharing a model-driven app and canvas apps is in how security roles are assigned. The other relates to Dataverse teams.
Canvas Apps
Canvas apps allow individual assignment of roles.
When a Canvas app is shared, users can be assigned any security role in an environment, including the System Administrator and System Customizer roles.
Model-Driven Apps
Model-driven apps are more integrated into the Dynamics 365 environment and rely on predefined security roles and access levels.
This requires that security roles be first assigned to a model-driven app. Then, when the app is shared with users, one or more of the roles assigned to the app can also be assigned to users. Any security roles not assigned to the app aren’t available for sharing with users.
In most other ways, sharing the two types of Power App are the same. They can be shared with security groups and assigned security roles, or the security roles can be pre-assigned to the security group via a Dataverse team. For detailed information on this subject, see my earlier post App Sharing – Power Platform Environments
Sharing a Model-Driven App for the First Time
When a solution containing a model-driven app has been imported into another environment, and the app is shared for the first time, the System Administrator and System Customizer roles are already assigned to the app but greyed out.
This is because these roles inherently grant access to all apps within the environment. The greyed-out state indicates that their access cannot be modified or removed from the app settings since it is enforced at the environment level.
Importing a Later Solution Containing a Model Driven App
When importing a later version of the same solution, those users with the System Administrator or System Customizer roles that could be seen earlier are no longer visible.
Users with the System Customizer or System Administrator roles still retain access due to their overarching permissions in the environment. However, after the initial install and the app is shared with users, they don’t appear in the sharing settings list because their access is not granted directly through the app’s sharing settings.
Why Can’t the System Customizer Role be Assigned to a Model Driven App?
It’s not possible to assign the System Customizer role to a model-driven app because, like the System Administrator role, it is automatically granted access to all apps within the environment. Both roles are intended for users who need broad customization capabilities across the entire environment. As such, it can only be assigned to a user at the environment level (in the Power Platform Admin Center) and not at the app level. The greyed-out state confirms that this role is managed at a higher level.
This is a difference between model-driven and canvas apps because System Customizer and System Administrator roles can be assigned to users of canvas apps.
Sharing a Model-Driven App with a Security Group
Model-driven apps can be shared with security groups and assigned security roles. Additionally, security roles can be pre-assigned to the security group via a Dataverse team. In this way, the process for a model-driven app is the same as a canvas app.
Any security roles assigned to the security group when sharing a model-driven app must already have been assigned to the model-driven app itself.
After sharing a model-driven app with a security group via a Dataverse team, you can see that the app has been shared with the team too. This is also different from a Canvas App.
Adding Users to a Dataverse Team
As just mentioned, when a model-driven app is shared with a security group linked to a Dataverse team, it is also shared with the team, and the team appears on the app’s sharing screen.
This is because model-driven apps are closely integrated with Dataverse, and sharing is managed through Dataverse security roles. Teams in Dataverse inherit permissions assigned to the security group.
Canvas apps have a different sharing mechanism that does not automatically propagate to Dataverse teams. Sharing a canvas app with a security group does not inherently share it with the linked Dataverse team.
Therefore, if you add a user to a Dataverse team that has been given access to a model-driven app, the user will automatically gain access to the app. This is not the case with a canvas app.
Assigning Security Roles at the Environment Level
It is possible to grant a Dataverse team/security group the System Customizer security role in the Power Platform Admin Center and then share a model-driven app with that group.
The only time I have done this is when I wanted to temporarily give users full access to the app. This was because a new table had been added to a model-driven app, and the new table privileges had not been added to the custom security role!
This should have been identified in testing but wasn’t, and I needed to quickly restore user access while the custom security role was updated. This was a short-term emergency action, as over-granting permissions in this way is definitely not recommended!
Summary
I hope this info on sharing model-driven apps and the difference to sharing a canvas app is useful.
For more information on managing Power platform environments, check out my earlier posts:
Power Platform Environments Demystified