Security Groups, Business Units, Teams and Roles

Posted on by 83

We are building out 3 new environments at my company and we have created a DEV, TEST and PROD env. I created Security groups to match, let's call them DEV_SG, TEST_SG and PROD_SG. This is working as expected, I have the developers in the DEV_SG and they can only see the DEV env. It works as expected across the other 2 SG's as well. Now, I have been reading the documentation on Business Units and it seems that you can create a Business Unit to segregate data from users. For example HR data. I have some entities that are HR data. I think a Business Unit would work for these entities to restrict the data only for my HR employees.


Questions:
Is that correct, use a Business Unit to complete that separation? Would that also work if someone went in through another tool(i.e. Power Query, or Power BI)?

Where do I add users to the Business Unit? I created a TESTBU, but I don't see where I can add users?

Should a TEAM be created within that Business Unit? What's the benefit?

Roles, I know I can add a role to a security group so all my users inherit those permissions, but what about Business Units?

  • EricRegnier (8,720, Most Valuable Professional)

    Hi @danman71,

    That is correct. Business Units are used to satisfy security requirements as opposed to a hierarchical representation of the organisation. As you said, business units are used to segregate data between different groups of users and teams. Security as a whole, not just business units but also roles, field-level security, etc., is enforced at the API level and not just in the UI. So a user without the right privileges to a certain entity (or not in the right business unit) will not be able to access/update/manage/etc. the respective entity from the UI, API, SDK, Power Query and so on, even with the new SQL queries. For your other questions:

    1. You can assign users to a business unit via the user form. Here's the doc: https://docs.microsoft.com/en-us/power-platform/admin/create-edit-business-units#change-the-business-unit-for-a-user
    2. Teams just like users are always part of a business unit. You can change/assign a business unit via the team form. Which BU should the team be part of depends on your security requirements. For example, a user can be part of BU A, but also needs to access records from BU B. BU B can have a team X which the user from BU A is a member of. This would grant that user access to records in BU B (based on the security role(s) assigned to that team X).
      Security modelling is one of the most important design elements in my opinion, so I suggest not taking it lightly and understanding the CDS security model thoroughly... Here's more info on security concepts and teams:
      1. https://docs.microsoft.com/en-us/power-platform/admin/wp-security-cds
      2. https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#add-a-team-administrator
    3. Each business unit has its own default team. Members are automatically added/removed based on the BU they are assigned to. It can be achieved by having a security role assigned to that BU team, and that role mapped to a security group.

    Hope this all makes sense...

  • danman71 (83)

    Thank you for the response, that helps. Just to clarify, I have a DEVELOPMENT ENV; if I go in to create a business unit and create a parent, that BU is based on the environment, correct?


    Also, do you really need to create a team within a BU? Let's say I have 10 people in HR and I assign them to my HR BU. To talk through this, I assume they only have access to the entities/data that the Security role & BU have. If they are in a TEAM, I can add that team to other BUs, easier than adding each user to other BUs. So again, it's simply logical blocks/groups that are easier to move around?

  • EricRegnier (8,720, Most Valuable Professional)

    Yep, business units and teams are considered data, so they are solution-unaware. You'll have to import those (if you want to keep the same GUIDs) to the target environments. I typically import with the Configuration Migration Tool: https://docs.microsoft.com/en-us/power-platform/admin/manage-configuration-data#:~:text=The%20Configuration%20Migration%20tool%20enables,typically%20stored%20in%20custom%20entities.


    You don't necessarily need teams; it will depend on your requirements. When you assign a user to a BU, they will automatically be part of the BU team. Privileges are additive, so the access will depend on the cumulative privileges they gain through the security role(s) assigned, any teams (which have a role assigned) they belong to, records that got shared with them, and access teams.


    Hope this clarifies...

  • Joel CustomerEffective (3,224)

    The business unit team is automatically created and managed for the business unit, and it is helpful if you need the whole BU to own a record.

  • danman71 (83)

    So I'm finally back to working on this solution and I have some questions.


    I have the following now:


    Custom Entity - DailyStatusRecords


    BU config

           Root
             |
           Child A

    Security Role: Daily Status Access

    Added my test user to Child A/default team in this BU

    My security role is assigned to my Child A BU.

    I added organization as the level of access on my custom entity in my security role.

    My test user can "See" the entity, but no data. He receives "Access to the resource is forbidden"

    So I assume I'm missing some other permission that needs to be set within my role?
    Also does every user need to have the "Common Data Service User" assigned at the User level?


  • Joel CustomerEffective (3,224)

    If you get that error, likely you have a related entity in your view that you don't have access to. Say you have a view for entity X and that view has fields from entity Y. You also need access to the related entity to see the records in the view.


    If the error gives you the ability to download a log, then paste that here.
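An added example, not code from this thread or from Microsoft, that models the access rules discussed in the answers above: business units in a tree, roles held directly or through a team (evaluated against the team's BU, which is the BU A / BU B case), additive privileges resolved per access depth, and the related-entity check behind the "forbidden" error. The entity, BU and user names are constructed, and the User-depth check is simplified to direct ownership.

```python
from dataclasses import dataclass, field

DEPTH = ["None", "User", "BU", "ParentChild", "Org"]   # Read-privilege depths, lowest to highest

@dataclass
class Team:
    bu: str
    roles: list                     # each role: {entity name: depth name}

@dataclass
class User:
    name: str
    bu: str
    roles: list = field(default_factory=list)
    teams: list = field(default_factory=list)

def is_below(bu_parent, bu, ancestor):
    """True if `bu` is `ancestor` or sits anywhere under it in the BU tree."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = bu_parent.get(bu)
    return False

def grants(user, entity):
    """(depth, BU) for every role held directly or via a team; team roles use the team's BU."""
    for role in user.roles:
        yield DEPTH.index(role.get(entity, "None")), user.bu
    for team in user.teams:
        for role in team.roles:
            yield DEPTH.index(role.get(entity, "None")), team.bu

def can_read(user, entity, owner, owner_bu, bu_parent):
    """Privileges are additive: a single grant that reaches the record is enough."""
    for depth, bu in grants(user, entity):
        if depth == 4 or (depth == 3 and is_below(bu_parent, owner_bu, bu)) \
           or (depth == 2 and owner_bu == bu) or (depth == 1 and owner == user.name):
            return True
    return False

def can_open_view(user, entity, owner, owner_bu, related, bu_parent):
    """A view renders only if the record and every related entity it shows are readable."""
    return can_read(user, entity, owner, owner_bu, bu_parent) and all(
        any(d > 0 for d, _ in grants(user, e)) for e in related)

# Constructed sample mirroring the thread: Root -> Child A, an Org-level Read role on the custom entity
BU_PARENT = {"Root": None, "Child A": "Root"}
daily_status_access = {"DailyStatusRecords": "Org"}
child_a_team = Team(bu="Child A", roles=[daily_status_access])
tester = User(name="tester", bu="Child A", teams=[child_a_team])
```

`can_read(tester, "DailyStatusRecords", "owner1", "Root", BU_PARENT)` succeeds, but the same record in a view that also shows a constructed related "Department" entity fails `can_open_view` until a role grants Read on "Department".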


  • danman71 (83)

    What about assigning the user Common Data Service User at the user level? Does that "have" to happen?

  • Joel CustomerEffective (3,224)

    Common Data Service User is a user role. It has access to the standard entities, but not access to your custom entities.

    Here are the instructions for creating roles:

    https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges


    CDS user is fine for base system access, but you need to make sure that users have a role that gives them access to whatever entities they want to see.


    One option is to make a copy of the CDS User role, then add the additional entities needed to that role.


  • danman71 (83)

    OK, I was just curious if we "always" had to give a new user that role when we set them up, or if we can just add our new users to our BU, which has the security role assigned, and they would be good to go.


    Anyhow, my setup still isn't working. A little more context: this one user is running a Power BI report off our custom entity. He has been added to our security group, so he can see our environment. I checked and I don't see any related fields, aside from an Option Set, which I found under Customization on the Role and turned on for "Read". I'm not sure what else I need to try regarding the role. Do I need to adjust anything at the BU level vs the security role?

  • Joel CustomerEffective (3,224)

    So there aren't really security roles at the BU level. You can assign the BU team a role, but that won't give them the ability to log in.


    You can set up a different type of team called an AAD security group team, which is linked to an AD security group. If you grant that team a role (and you have to change the drop-down on the first tab of the security role record), then members of that team will be able to log in.


    Otherwise you do have to grant users roles directly.
