@jlindstrom thank you for such a detailed response. I did mix up assigning a role to a BU. I think we are almost saying the same things and since I'm a bit new here, I apologize. 🙂 Let me go into more details and see if we are closer.
I will have 3 environments in the end. DEV, TEST, PROD.
I am restricting each of these via Security Group like you mentioned (365, since I'm not an AD Admin). This part is working perfectly: if you're not in our security group, you can't see our env. That is what we want.
I have users with Power Apps and Power BI. Right now, I'm focusing on making sure our Power BI users can only see the entities they need, and we are trying (as you can tell 🙂) to lay out a standard that works for us.
On the business unit topic, this is basically what I have.

We have our root BU, our child BU with a child team, which we'll call the HR Team like in the drawing. We then have a "custom" security role assigned to that team, with a couple of people in it. We only want them to view a specific entity. We also won't have a ton of BUs, but we do have several divisions, so I can see the child BUs going horizontal if needed.
I was testing this yesterday and it was working nicely. You mentioned Admin roles being assigned here; we won't be doing that. Is that what you were referring to when you said "don't want to assign your roles to the BU team--that will give you unintended consequences"? Aside from that, we will have people moving in and out, and we didn't want to have to do role management at an individual level.
We do want what you mentioned: my BUs should segment for security purposes, but utilize the teams + security role to grant them access/permissions to data.
On the Power Apps side, I think we can manage this as you pointed out with our security group(s) that we have in place for our environments.
Thank you again for taking the time to help us get squared away!!