web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Is there a relation be...
Power Apps
Unanswered

Is there a relation between the business units hierarchy and the security roles

(0) ShareShare
ReportReport
Posted on by johnjohn123 3,514

Let say we have this business unit hierarchy, where we set Manager BU to have the its parent = root BU. and we defined Region-A & Region-B to have their parent BU = Managers:-

 

johnjohn123_0-1688339384178.png

 

 

and we granted Region-A business unit team read and write on all the records owned by region-A and same applies to region-B.. then will users inside the Managers business unit have automatically access to Region-A and Region-B records? or we need to explicitly set this?

 

 

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • Drew Poggemann Profile Picture
    Drew Poggemann 9,287 Most Valuable Professional on at

    Hi @johnjohn123 ,

    You don't really need to have a Manager's business unit in place if you are doing this type of setup just for manager level security to work with records of their employees.  Dataverse has hierarchical security built in that can tie to Manager hierarchy or Position hierarchy that you can utilize for an individual to view records for their subordinates.

    https://learn.microsoft.com/en-us/power-platform/admin/hierarchy-security 

    Note: You will need to look at Modern business units for this setup as well if the manager has employees across two different business units.

  • johnjohn123 Profile Picture
    johnjohn123 3,514 on at

    @dpoggemann ok if i got your point correctly, you mean instead of defining parent BU for the Region-A and Region-B, i can simply add the Manager team to be assigned to the Region-A and Region-B BU using the modernized BU feature? is this what you mean? if this is the case, then under which BU the Manager team need to be defined?

  • Drew Poggemann Profile Picture
    Drew Poggemann 9,287 Most Valuable Professional on at

    Hi @johnjohn123 ,

    You don't need a Manager Team per se.  You can have the Managers belong to the root business unit or they could even belong to the appropriate child business unit if "geography based" or the like.  You utilize the management hierarchy and modern business unit structure to provide the ability for the managers to view their employee records across the business units.

  • johnjohn123 Profile Picture
    johnjohn123 3,514 on at

    @dpoggemann ok so you re saying that the users who are managers, do not need to have their own BU,, we can simply add them to the Region-A and Region-B BU's teams?? is this what you mean?

     

  • Drew Poggemann Profile Picture
    Drew Poggemann 9,287 Most Valuable Professional on at

    Hi @johnjohn123 ,

     

    See the following paragraph under this link that discusses this capability:   https://learn.microsoft.com/en-us/power-platform/admin/hierarchy-security#manager-hierarchy

     

    Note

With the Manager hierarchy security model, a manager has access to the records owned by the user or by the team that a user is a member of, and to the records that are directly shared with the user or the team that a user is a member of. When a record is shared by a user who is outside of the management chain to a direct report user with Read-only access, the direct report's manager only has Read-only access to the shared record.

When you enabled the Record ownership across business units, manager can have direct reports from different business units. You can use the following environment database settings to remove the business unit restriction.

ManagersMustBeInSameOrParentBusinessUnitAsReports

default = false

You can set it to true, and the manager's business unit does not need to be the same as the direct report's business unit.

In addition to the Manager hierarchy security model, a manager must have at least the user level Read privilege on a table, to see the reports’ data. For example, if a manager doesn’t have the Read access to the Case table, the manager won’t be able to see the cases that their reports have access to.

In order for the manager to see all the direct report's records, the direct report user must have an 'enabled' user status. The manager will not be able to see 'disabled' user's records.

     

  • johnjohn123 Profile Picture
    johnjohn123 3,514 on at

    @dpoggemann i am getting lost, so if the Managers does not have their own BU or Team, then who we can determine that a user is actually a mamager?

  • Drew Poggemann Profile Picture
    Drew Poggemann 9,287 Most Valuable Professional on at

    Hi @johnjohn123 ,

    It will utilize the management hierarchy in Azure AD.  The Manager field will be populated if it is populated in Azure AD on the User table in Dataverse and then this will be utilized to track multiple levels of management.    

    Screenshot 2023-07-03 at 8.43.55 AM.png

     

  • johnjohn123 Profile Picture
    johnjohn123 3,514 on at

    @dpoggemann so you mean in dataverse the manager in AD is understandable and will be taken into consideration? i attended many training courses never heard of such a thing, i mean dataverse consider a user as a manager based on the BU hierarchy inside data-verse and not the manager hierarchy inside AD.. not sure if i am correct? or dataverse works differently ?

  • Drew Poggemann Profile Picture
    Drew Poggemann 9,287 Most Valuable Professional on at

    Hi @johnjohn123 ,

    If you enable hierarchical security then yes, it will utilize the manager setup in Azure AD that is mapped to the manager field in Dataverse.  The BU hierarchy is different than a Manager setup, this is used for overall security of records at the User, BU, BU child, Organization levels.  This has nothing to do with Management or Position hierarchy.  To utilize this you need to utilize the Hierarchical security.

  • johnjohn123 Profile Picture
    johnjohn123 3,514 on at

    @dpoggemann ok thanks again for you detailed reply. but can you provide a simple example of when to use hierarchical security?

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Vish WR Profile Picture

Vish WR 638

#2
Haque Profile Picture

Haque 317

#3
WarrenBelz Profile Picture

WarrenBelz 315 Most Valuable Professional

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans