When we want to restrict model-driven applications in Dynamics 365 to specific Users, we can apply Security Role based restrictions on the applications page and select which Security Roles a User needs to have in order to access the application.
For example, we want to restrict the model-driven application “Test App” to Users with any of the Marketing Manager, System Administrator or System Customizer security roles.
This works as expected in most situations: a User with the Marketing Manager role can access the application, but can no longer do so once the role is removed.
One of our deployments involved setting up restrictions in this way, but we found that Users could see all applications, despite not having any of the security roles these applications are specifically enabled for.
We found that this was due to a particular security role that they had, a Base security role that all Users had assigned to them. When this role was removed, they were correctly restricted from applications again.
After continual testing with that security role, we found that the privileges associated with system-wide access to all applications are the following combination: Create and Write access to the Model-Driven App entity, found under the Customizations tab.
Removing either of the two privileges removes the system-wide access to applications. Note that the Read privilege is required for Users to be able to access applications at all, regardless of whether their security roles are enabled for the application.
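The following added example (not code from the original article or from Microsoft) models the access rules described above, so that a role export can be audited for the Create and Write combination. The privilege names follow the Dataverse `prv<Action><Entity>` naming convention and are an assumption, as is the idea that Create and Write held through two different roles combine in the same way; all roles, users and mappings are constructed sample data.

```python
# Added example: models the access rules described in this article.
# Privilege names are assumed (Dataverse prv<Action><Entity> convention);
# roles, users and the app mapping below are constructed sample data.
CREATE, WRITE, READ = "prvCreateAppModule", "prvWriteAppModule", "prvReadAppModule"

ROLE_PRIVILEGES = {
    "Base": {READ, CREATE, WRITE},          # the misconfigured shared role
    "Base (fixed)": {READ},                 # same role with Create/Write removed
    "Marketing Manager": {READ},
    "Sales Helper": {WRITE},                # hypothetical role
    "Case Helper": {READ, CREATE},          # hypothetical role
}
APP_ROLES = {"Test App": {"Marketing Manager", "System Administrator", "System Customizer"}}
USER_ROLES = {
    "alice": {"Base"},
    "bob": {"Base (fixed)"},
    "carol": {"Base (fixed)", "Marketing Manager"},
    "dave": {"Sales Helper", "Case Helper"},
}

def effective_privileges(roles):
    """Union of privileges across all of a user's roles (roles are cumulative)."""
    privs = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def bypasses_app_restrictions(roles):
    """True when the combined roles hold both Create and Write on Model-Driven App."""
    return {CREATE, WRITE} <= effective_privileges(roles)

def can_open_app(user, app):
    roles = USER_ROLES[user]
    if READ not in effective_privileges(roles):
        return False                        # Read is required to open any app
    return bypasses_app_restrictions(roles) or bool(roles & APP_ROLES[app])

def audit():
    """Roles that grant the bypass alone, and users who get it from any combination."""
    risky_roles = sorted(r for r, p in ROLE_PRIVILEGES.items() if {CREATE, WRITE} <= p)
    risky_users = sorted(u for u, r in USER_ROLES.items() if bypasses_app_restrictions(r))
    return risky_roles, risky_users

if __name__ == "__main__":
    print(audit())
    for user in sorted(USER_ROLES):
        print(user, can_open_app(user, "Test App"))
```

Checking users as well as roles matters because, under the stated assumption, a user such as the constructed `dave` gains the combination from two roles that each look harmless on their own.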