web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Security roles -- rest...
Power Apps
Answered

Security roles -- restict assignment scope to intra Business Unit

(0) ShareShare
ReportReport
Posted on by matmeredith 22

Hi!  Does anyone know if it is possible to set up a security role so that users can assign ownership of records within their Businerolesss Unit, but cannot assign ownership to users in a different Business Unit?

 

I.e. a user in Business Unit A can assign ownership of a record to another user in Business Unit A, but cannot assign ownership to a user in Business Unit B?   

 

Or (possibly the same thing) make it so that they can update the Owning User for a record, but not the Owning Business Unit?

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • Fubar Profile Picture
    Fubar 8,350 Super User 2025 Season 2 on at

    Yes, as long as the Tables in question have been defined as User/Team Owned.  You just need to configure the Security Role Permissions for the Table in question (not full green)

  • matmeredith Profile Picture
    matmeredith 22 on at

    Thanks, but that's not what I'm seeing.  

    I have a record called "Job", and my user has a security role which sets the assign privilege for job to "Business Unit" -- I think that's what you're suggesting?

    But this user is now able to assign job records to users in a different business unit which is what I want to prevent.  It seems that setting the scope of the assign privilege to Business Unit means that they can only assign records owned by their Business Unit, but it doesn't stop them assigning them to any Business Unit.

  • Fubar Profile Picture
    Fubar 8,350 Super User 2025 Season 2 on at

    a) make sure the users previous privileges have been removed, logout, close browser etc

    b) make sure the user does not have another security role that is giving them the permission either directly or inheriting it off a team they belong to. (privileges are additive, the user will get the highest privilege setting if multiple Security Roles with different privilege settings)

    c) you could also possibly try lowering the Append privilege on the Table that the owner is being changed on

     

  • matmeredith Profile Picture
    matmeredith 22 on at

    Thanks but I've done all of this and it very definitely doesn't work still.   I've also reduced their append to privileges for User / Team / Business Unit to be Business Unit scope, but they can still assign the record to users in a different BU 😞

  • Verified answer
    thomasfnorthrup Profile Picture
    thomasfnorthrup 252 on at

    Hi, Thanks for reaching out. Your experience is the correct functionality. The limit for Business Unit on a privilege limits the performance of the action, not the destination of the action. For assign, the user is limited to only be able to assign records owned by other users in their BU, but it does not limit who they can assign to. 

     

    You can try adjusting the Append To privilege to BU on the User table under Business Management tab in a security role. I would do a lot of testing to make sure this doesn't break any other table relationships.

     

    Please mark as a solution or give kudos if it helps. 

    Tom

  • Prakash4691 Profile Picture
    Prakash4691 1,332 on at

    Hi @matmeredith,

    User entity read will always be in org level and append to can be set only to minimum of BU level. So your requirement is bit difficult to achieve using OOB security role configuration.

     

    You can try creating a sync workflow that executes when record is assigned. Check if owning user BU does not equal to entity: owning business unit (dynamic value) then stop the workflow with cancelled status and throw an error message. This works only when record created by the same BU user not via sharing or assign if record created by different BU user.

     

    Attached SS for your reference.

    image.png

     

    If it answers your question, kindly give kudo and accept it as solution.

     

    Regards,

    Prakash

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 711 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 319 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans