The Environment Maker security role grants users the ability to create new resources within an environment, such as canvas and model-driven apps, flows, and custom connectors. However, it does not grant permissions to modify existing system entities, system forms, or system views that they did not create. The issue reported by the interns likely stems from an attempt to perform customizations that exceed these permissions. The System Customizer role is required for such tasks, as it provides full permissions to customize all components of the environment, including system-level tables and columns.

A. The System Customizer role has a superset of the customization privileges of the Environment Maker role. If interns had System Customizer, they would not need Environment Maker.

B. The Common Data Service User (now Basic User) role is for running apps and working with data, not for creating or customizing them. This would be a cause if they couldn't run an app, not if they had issues customizing it.

C. The Environment Maker role's permissions generally include the ability to use apps. Needing the more basic Common Data Service User role in addition is illogical and would not solve a customization issue.

E. The Delegate security role is a specific privilege that allows code to run under the security context of another user (impersonation). It is not a general-purpose role for app customization.

1. Microsoft Learn | Predefined security roles: This document explicitly defines the capabilities of the key security roles.

Environment Maker: "Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows... However, this role doesn't have any privileges to access data within an environment."

System Customizer: "Has full permission to customize the environment. Users with this role can view all customizable data in the environment."

Section: "Predefined security roles"

2. Microsoft Learn | Configure user security in an environment: This guide details the distinction between roles for creating versus customizing. It reinforces that Environment Maker is for creating new assets, while System Customizer is for modifying existing system components.

Section: "Environment Maker"

Section: "System Customizer"

3. Microsoft Learn | Security concepts in Microsoft Dataverse: This document provides foundational knowledge on the security model, explaining how privileges for actions like creating (prvCreate...) and writing (prvWrite...) are assigned to roles and how they apply to different tables (entities). The System Customizer has organization-level write privileges on metadata entities, which the Environment Maker lacks.

Section: "Security roles"