Power Automate Flows are executed as an asynchronous background execution. It is important to understand the execution context being used for all the steps/actions designed in the flow for audit purposes.
Prior to this setting being made available, you needed to associate a connection with every action and the action was executed under the context of that user irrespective of who performed the initial action that triggered the flow in the first place.
This way the context was always hardcoded at design time and it wasn’t very helpful for audit tracking and enforcing privileges.
Let us take an example to understand this better. Say we create a flow that triggers on the create/update of a record and is supposed to create an audit log entry to record the details of the user that performed the changes.
With the above setting, the record will be created but the owner of the record would always be set to user specified in the connection i.e., Roohi even though the action was triggered by another user “Sam” in the below example.
With the Run as option added to the trigger of CDS (Current Environment) connector, now you are able to specify the user context under which the following actions should be performed.
The options available are:-
1) Triggering user – You want the actions to be executed in the context of the user that invoked the trigger. For this you need to ensure that the Triggering user has the privileges to perform the action.
In our example the triggering user should have privileges to create record in Audit Log entity.
For this setting on the trigger to be honored make sure that every action is set to use Invokers connection as shown below:
With the Run as set to “Triggering User”, when a contact is updated by user Sam, the results now show up as:
2) Record Owner – In this case the actions are executed under the context of the owner of the record for which the flow was invoked.
Even though user Sam edited the record as can be identified from the user lookup set, the owner of the record continues to be David, who was set as the owner of the record that was edited.
3) Process Owner – The actions will be executed under the context of the user whose connection has been selected for the trigger.
Here is what the flow looks like:
Flow was created by the user Soul S. There are 2 connections:
- Using Soul s credentials
- Using Roohi credentials
Within the flow, used the following connection for the trigger:
Added 2 parallel actions both creates the audit log record but are set to Use Invokers connection, and one was set to use Roohi connection and the other Soul connection.
The result is – both records are created under the context of Roohi, the user that was setup at the trigger and not Soul who is the flow owner or creator.
4) If you leave the Run as blank – it picks up the credentials and is executed under the context of the user/connection set for each action if the Use Invoker’s connection is unchecked.
In our example since one action was set to run under connection Roohi and the other Soul, the records created had the owners set accordingly.
5) If you leave the Run as blank and the Use Invoker’s connection is checked on every action;
then it is executed under the context of the user that invoked the action similar to Triggering User.
Depending on the scenarios you can now choose the execution context under which the flow actions should be executed. For anything to be executed under admin privileges, you could go for “Process Owner” and set up the credentials of Super User, or if you need actions to be performed under the context of logged-in user choose the “Triggering User” option.
Your article is really good and explained me so much. Something is still unclear to me:
if the “RunAs” setting specifies under which context a task is executed, why do you have to give your consent for the connectors to connect when you run a flow for the first time? It doesn’t matter if I give my consent or not, the RunAs setting takes control in the flow.
You have to give your consent for the connectors to connect when you run a flow for the first time in order to allow connectors to connect and access data from Dynamics CRM. After connectors are able to connect and access data from CRM, then the flow runs under “RunAs” user’s context.