Security Groups, Business Units, Teams and Roles

Posted by danman71

We are building out 3 new environments at my company and we have created a DEV, TEST and PROD env. I created Security groups to match, let's call them DEV_SG, TEST_SG and PROD_SG. This is working as expected, I have the developers in the DEV_SG and they can only see the DEV env. It works as expected across the other 2 SGs as well. Now, I have been reading the documentation on Business Units and it seems that you can create a Business Unit to segregate data from users. For example HR data. I have some entities that are HR data. I think a Business Unit would work for these entities to restrict the data only for my HR employees.

 

Questions:
Is that correct, use a Business Unit to complete that separation? Would that also work if someone went in through another tool (e.g. Power Query or Power BI)?

Where do I add users to the Business Unit? I created a TESTBU, but I don't see where I can add users?

Should a TEAM be created within that Business Unit? What's the benefit?

Roles, I know I can add a role to a security group so all my users inherit those permissions, but what about Business Units?

  • danman71

    @jlindstrom  thank you for such a detailed response. I did mix up assigning a role to a BU. I think we are almost saying the same things and since I'm a bit new here, I apologize. 🙂 Let me go into more details and see if we are closer.

     

    I will have 3 environments in the end. DEV, TEST, PROD.

    I am restricting each of these via Security Group like you mentioned (365 since I'm not an AD admin). This part is working perfectly, if you're not in our security group you can't see our env. That is what we want.

     

    I have users with Power Apps and Power BI. Right now, I'm focusing on making sure our Power BI users can only see the entities they need and we are trying (as you can tell 🙂) to lay out a standard that works for us.

     

    On the business unit topic, this is basically what I have.

    [screenshot: Screen Shot 2020-06-30 at 9.31.57 AM.png]

     

    We have our root BU, our child BU with a child team, we'll call this HR Team like the drawing. We then have a "custom" security role assigned to that team, with a couple of people in it. We only want them to view a specific entity. We also won't have a ton of BUs, but we do have several divisions so I can see the child BUs going horizontal if needed.

     

    I was testing this yesterday and it was working nicely. You mentioned Admin roles being assigned here, we won't be doing that. Is that what you were referring to when you said "don't want to assign your roles to the BU team--that will give you unintended consequences"? Aside from that, we will have people moving in and out and we didn't want to have to do role management at an individual level.

     

    We do want what you mentioned, my BU's should segment for security purpose, but utilize the teams + security role to grant them access/permissions to data.

    On the Power Apps side, I think we can manage this as you pointed out with our security group(s) that we have in place for our environments.

     

    Thank you again for taking the time to help us get squared away!!

  • Joel CustomerEffective

    @danman71  I made a video explaining this in more detail https://www.youtube.com/watch?v=pb2--BvZYrE

  • Joel CustomerEffective

    You are mixing concepts. Users and teams can have roles. Users have business units. Business units do segment users for security purposes, as a user's role can give them permission at the "BU level."

     

    But you don't want to assign your roles to the BU team--that will give you unintended consequences.

     

    Your options with roles:

    1. give them directly to users--this will grant the permission to the user.

    2. Give the role to an AAD or O365 security group team (after changing the setting I mentioned earlier). This gives the users in the AD security group the ability to log in.

    3. Security roles linked to Owner teams (like the BU team) do not function exactly like user roles or AAD security group roles. They just give the user record permissions in the context of the team-owned records.

     

    Is that clear? BUs segment users for security purposes, but they don't give them their roles or control login to the application. The roles can however restrict permission to the user's business unit level.

  • danman71

    OK... I'm confused then...

     

    It was my understanding I could create a BU to organize my users. Assign those users to a team, then assign a custom security role to that team so that they could only access what entities/data I want them to. This way I can move individuals in and out of the team, and I wouldn't have to spend time assigning/unassigning roles per individual. Is this not how it's supposed to work?

  • Joel CustomerEffective

    So there aren't really security roles at the BU level. You can assign the BU team a role, but that won't get them the ability to log in.

     

    You can set up a different type of team called an AAD security group team, that is linked to an AD security group. If you grant that team a role (and you have to change the drop-down on the first tab of the security role record) then members of that team will be able to log in.

     

    Otherwise you do have to grant users roles directly.

     

     

  • danman71

    OK, I was just curious if we "always" had to give a new user that role when we set them up. Or if we can just add our new users to our BU, that has the security role assigned, and they would be good to go.

     

    Anyhow, my setup still isn't working. A little more context, this one user is running a Power BI report off our custom entity. He has been added to our security group, so he can see our environment. I checked and I don't see any related fields, aside from an Option Set, which I found under Customization on the Role and turned that on for "Read". I'm not sure what else I need to try regarding the role. Do I need to adjust anything at the BU level vs the security role?

  • Joel CustomerEffective

    Common Data Service User is a user role. It has access to the standard entities, but not access to your custom entities.

    Here are the instructions for creating roles:

    https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges

     

    CDS user is fine for base system access, but you need to make sure that users have a role that gives them access to whatever entities they want to see.

     

    One option is to make a copy of the CDS User role, then add the additional entities needed to that role.

     

     

  • danman71

    What about assigning the user Common Data Service User at the user level? Does that "have" to happen?

  • Joel CustomerEffective

    If you get that error, likely you have a related entity in your view that you don't have access to. Say you have a view for entity X and that view has fields from entity Y. You also need access to the related entity to see the records in the view.

     

    If the error gives you the ability to download a log, then paste that here. 

     

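The two replies above (the "options with roles" list and the "related entity in your view" answer) describe a set of rules that are easy to get wrong when you can only test them by clicking through the admin centre. The following is an added example, written for this thread and not code from the posters or from Microsoft: a small Python model of those rules that can be run offline. All names in it (BUs, teams, roles, tables, users) are constructed for the example, and it deliberately leaves out sharing, access teams and hierarchy security; it covers the Read privilege only, and models an AAD security group team simply as a team whose members are the group's members.

```python
"""Toy model of Dataverse record-level Read checks (added example for this
thread, not Microsoft's or the posters' code).  Rules encoded: roles reach a
user directly or through a team, never from the BU itself; access levels are
judged against the role holder's BU; a view that pulls columns from a related
table needs Read on that table as well.  All names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Access levels a privilege can carry, narrowest to widest.
BASIC, BU_LEVEL, PARENT_CHILD, ORG = "Basic", "BusinessUnit", "ParentChild", "Organization"

@dataclass(frozen=True)
class BusinessUnit:
    name: str
    parent: Optional["BusinessUnit"] = None

@dataclass(frozen=True)
class Role:
    name: str
    read: Dict[str, str]      # table -> access level; an unlisted table has no Read
    # "Member's privilege inheritance" on the role record: "team" = team
    # privileges only (Basic means records the team owns); "direct" = direct
    # user (Basic) access level and team privileges.
    inheritance: str = "team"

@dataclass
class Team:
    name: str
    bu: BusinessUnit
    roles: List[Role]
    members: Set[str]         # user names; for an AAD group team, the group's members

@dataclass
class User:
    name: str
    bu: BusinessUnit          # exactly one BU per user
    roles: List[Role]         # roles assigned directly to the user

@dataclass(frozen=True)
class Record:
    table: str
    owner: str                # owning user or team
    owner_bu: BusinessUnit

def is_within(bu: Optional[BusinessUnit], ancestor: BusinessUnit) -> bool:
    """True if bu is ancestor or sits below it in the BU tree."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = bu.parent
    return False

def effective_privileges(user: User, teams: List[Team]):
    """(role, owner as the role sees it, reference BU) triples.  BU membership
    alone adds nothing: only direct roles and the user's team roles count."""
    ctx = [(r, user.name, user.bu) for r in user.roles]
    for team in (t for t in teams if user.name in t.members):
        for role in team.roles:
            if role.inheritance == "direct":
                ctx.append((role, user.name, user.bu))   # behaves like a user role
            else:
                ctx.append((role, team.name, team.bu))   # judged from the team's side
    return ctx

def can_read(user: User, record: Record, teams: List[Team]) -> bool:
    for role, owner, ref_bu in effective_privileges(user, teams):
        level = role.read.get(record.table)
        if (level == ORG
                or (level == PARENT_CHILD and is_within(record.owner_bu, ref_bu))
                or (level == BU_LEVEL and record.owner_bu == ref_bu)
                or (level == BASIC and record.owner == owner)):
            return True
    return False

def readable_tables(user: User, teams: List[Team]) -> Set[str]:
    return {t for role, _, _ in effective_privileges(user, teams) for t in role.read}

def view_blockers(user: User, teams: List[Team], view_tables: List[str]) -> Set[str]:
    """Tables the view touches that the user cannot read at any level; non-empty
    means the view fails even though the main table itself is readable."""
    return set(view_tables) - readable_tables(user, teams)

def scenario() -> dict:
    """Constructed data mirroring the thread: Root -> Child A, custom table
    DailyStatusRecords, role 'Daily Status Access' on the Child A default team."""
    root = BusinessUnit("Root")
    child_a, child_b = BusinessUnit("Child A", root), BusinessUnit("Child B", root)
    daily_status = Role("Daily Status Access", {"DailyStatusRecords": ORG})
    # Copy of a base role widened with Read on the related table (the fix
    # suggested in the thread), granted through an AD security group team.
    base_plus_related = Role("CDS User copy + Department",
                             {"Contact": BASIC, "Department": ORG}, inheritance="direct")
    bu_scoped = Role("Daily Status (BU only)", {"DailyStatusRecords": BU_LEVEL})

    user = User("testuser", child_a, roles=[])
    default_team = Team("Child A", child_a, [daily_status], {"testuser"})
    group_team = Team("HR_SG", child_a, [base_plus_related], set())
    teams = [default_team, group_team]
    record_in_b = Record("DailyStatusRecords", "someone", child_b)
    view = ["DailyStatusRecords", "Department"]     # the view shows a Department lookup

    out = {"bu_only": readable_tables(User("bystander", child_a, []), teams),
           "can_read_record": can_read(user, record_in_b, teams),
           "blocked_before": view_blockers(user, teams, view)}
    group_team.members.add("testuser")              # user added to the AD group
    out["blocked_after"] = view_blockers(user, teams, view)

    reader = User("reader", child_a, [])
    bu_team = Team("Child A readers", child_a, [bu_scoped], {"reader"})
    out["bu_read_own_bu"] = can_read(reader, Record("DailyStatusRecords", "x", child_a), [bu_team])
    out["bu_read_other_bu"] = can_read(reader, record_in_b, [bu_team])
    return out
```

Running `scenario()` gives `bu_only` as an empty set (a user placed in Child A with no role and no team sees nothing, which is the "BUs segment users but don't give them roles" point), `can_read_record` True (Organization-level Read via the default team reaches a record owned in another BU), `blocked_before` as `{"Department"}` (the main table is readable but the view's lookup column is not, the situation behind the "forbidden" error), `blocked_after` empty once the user is in the group that carries the widened role, and the BU-level pair True/False showing that a BusinessUnit-level privilege on a team is evaluated against the team's BU. Against a real environment the same triples come from the user's own roles plus the roles of every team the user is a member of; the BU a user sits in only changes which records a BU or Parent: Child level reaches.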
  • danman71

    so I'm finally back to working on this solution and I have some questions..

     

    I have the following now

     

    Custom Entity - DailyStatusRecords

    BU config:

        Root
         |
        Child A

    Security Role: Daily Status Access

    Added my test user to Child A/default team in this BU.

    My Security Role is assigned to my Child A BU.

    I added Organization as the level of access on my custom entity in my security role.

    My test user can "See" the entity, but no data. He receives "Access to the resource is forbidden"

    So I assume I'm missing some other permission that needs to be set within my role?
    Also does every user need to have the "Common Data Service User" assigned at the User level?

     
