We have been tasked to set up security so that a user can only see data based on region. The region column/field is listed in all tables for the model-driven application.
We also have users that must still be able to see all records no matter what region. What is the best business unit/security role design to accomplish this requirement?
Hi @Keharrin1
You'd need one BU wherein users will have all access and then child BUs underneath for every region wherein users will have access to records in their own BU only.
Kind regards
Gulshan
Thank you for the reply. How do you set up the table so that only records with NA in the region field are accessible for the BU for that region?
I believe it is dependent on the owner of the record being in the same team as the region BU. However, records are created via an automated process, so the owner is always system.
Access to records will be dependent on the ownership of the record and the BU in which that owner/user is in. I presume each record will have an owner (owninguser), so whichever BU the owning user belongs to will determine who else has access to that record.
If you want a record to be accessible to 'user with all access' then the owner of that record should be a user who is in the parent BU where you would have given all access.
If ownership is with the 'System' then BU based record segregation and access won't work. You'd need to achieve this through code with which I cannot help further as I am not a pro dev.
If we are talking about visibility (access) to records, the system takes into account the owner of the records.
Note that the record owner does not have to be a specific user - it can be a team. You can create as many teams as the different user groups you need, and then set the record owner as a team. Then you assign users to teams. One user can belong to several teams at the same time. Remember to set the appropriate security role that will allow access at the read/user level (and assign this role to the team!).
If the records you want to manage are created automatically, you can create a workflow or a Power Automate that will assign the appropriate team to the record based on e.g. the picklist value.
I answered this question on my latest video here: https://youtu.be/tNOA5aG1wa4?si=uBAGnWQA2ei5xyu6
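The ownership rules discussed in this thread, as an added example that is not part of any reply and is not Dataverse code: a simplified Python model of owner-based read access and of the region-to-team assignment a flow would perform. The BU names, team names, the `Unrouted Team` catch-all and the assumption that SYSTEM-owned records sit in the parent BU are all hypothetical, and each owner team is assumed to hold a role granting read at user level.

```python
from dataclasses import dataclass

# Constructed BU tree: a parent BU with one child BU per region (child -> parent).
PARENT = {"Root": None, "NA": "Root", "EMEA": "Root"}

@dataclass(frozen=True)
class Owner:                      # a user or an owner team; either lives in one BU
    name: str
    bu: str

@dataclass(frozen=True)
class User:
    me: Owner
    read_level: str               # "user" | "bu" | "parent_child" | "org"
    teams: frozenset = frozenset()

# Hypothetical owner teams, one per region picklist value.
REGION_TEAM = {"NA": Owner("NA Team", "NA"), "EMEA": Owner("EMEA Team", "EMEA")}
SYSTEM = Owner("SYSTEM", "Root")           # assumption: owner left by the automated process
UNROUTED = Owner("Unrouted Team", "Root")  # hypothetical catch-all in the parent BU

def owner_for_region(region):
    """Owner the assignment flow would set; unknown regions stay in the parent BU."""
    return REGION_TEAM.get((region or "").strip().upper(), UNROUTED)

def in_subtree(bu, root):
    """True if bu is root or one of its descendants."""
    while bu is not None:
        if bu == root:
            return True
        bu = PARENT[bu]
    return False

def can_read(user, owner):
    if owner == user.me or owner.name in user.teams:
        return True               # own record, or owned by a team the user is in
    if user.read_level == "org":
        return True
    if user.read_level == "parent_child":
        return in_subtree(owner.bu, user.me.bu)
    if user.read_level == "bu":
        return owner.bu == user.me.bu
    return False

# Constructed users: two regional users and one all-access user in the parent BU.
na_user = User(Owner("na.user", "NA"), "bu")
emea_user = User(Owner("emea.user", "EMEA"), "user", frozenset({"EMEA Team"}))
all_access = User(Owner("global.user", "Root"), "parent_child")
```

Records with an unrecognised or empty region fall to the parent-BU team, so a routing gap hides them from regional users instead of exposing them.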