Unanswered

Model-driven app security model for multi level records in relationship

(0) Share

Report

Posted on by obartonek1

I need advice or help regarding the security model for my model-driven app.
As an example, I will use a list of companies, their shops and products.

I have 3 tables that have a relationship (Lookup) 1:n:
1. Companies - list of companies and their addresses, etc.

2. Shops - Every company has its own shops over the world

3. Products - a list of products that are in the shop

The goal is to share a record with a users or teams, and these users should see all related records in other tables.

So when I share "Company A" with the CEO (in Test Team) of this company, so this CEO should see all records that are in a relationship with this company (Shop A1, Shop A2, Product A11, A22, etc.).

Now when I check the access for Shop A1 or A2, I see that the CEO has access to these shops that are in relationship to "Company A".

The problem is when I check access for Products. Here we can see that the CEO has no access to products which are related to Shop A1, A2.

This means that this "shared related records" access is only for "1 level" (Company -> Shop).

The question is, if is possible to set/configure "depth" of this sharing somewhere?
Can be this solved in another way?

I tried use "Business Units" and Team, but the problem is that I would have to set a BU for each record in all tables, so in my case there may be more than thousands of records. Therefore, I would like to have it it with the this hereditary share.

Thanks for any advice.

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (5)

Answers (0)

MarioRing 541 Super User 2024 Season 1 on at

Like (0)

Report

Hi,
The missing piece of the solution you are looking for is called the Parental table relationship behavior.

This is the setting of the 1:N relationship between two tables, where you can choose what to do with the "child" records when their parent record is changed. For instance, you can choose to automatically share all the child records automatically when you share their parent:

Go to make.powerapps, navigate to your solution, find your table, navigate to Relationships, find the proper one(s), change "Type of behavior" to "Custom", and set "Share" as "Cascade All". Save all, publish all, and test if it works;)

Was this reply helpful? Yes No
obartonek1 4 on at

Like (0)

Report

Hi @MarioRing ,

Oh... I miss this. I played with that before, but I did not realized that it can affect this sharing function.
Now it is working as expecting, so thank you so much for help.

However if I have another table "Components" which is 1:n to Products, so I am not able to change this "Type of behavior" to "Custom", because it is already set for "Shop" (which make sense), so how can I make it that the CEO can see the Components that are assigned to the Products of Comapny A?

Thank you in advance!

Was this reply helpful? Yes No
Devvj 1,132 Super User 2024 Season 1 on at

Like (0)

Report

Hi @obartonek1
An alternativ to maybe check out is the "new" Matrix based BU model

Record ownership across business units (aka “matrix data access structure”) – it’s here now (dynamics.com)

Security concepts in Microsoft Dataverse - Power Platform | Microsoft Learn

Basicly what it does is to allow ownership across BUs, so you define on a user level which Security roles he should have on each individual BU, and the BU owns the records instead of the User/Team (via the Owning Business User-field).

I could be a thing to consider atleast, since it kinda mad for solving complex sharing models such as your.

-------------------------------------------------------------------------
If this is the answer for your question, please mark the post as Solved.
If this answer helps you in any way, please give it a like.

Was this reply helpful? Yes No
obartonek1 4 on at

Like (0)

Report

Hi @Devvj

thanks for your suggestion.

I already tried use BU, but problem is that "Components" table is managed / generated automatically via importing (Dataflow) from another systems and all records are by default under one BU, so I am not able to manage there BU manually.

Thats why I wanted to use Sharing.

Thnaks

Was this reply helpful? Yes No
Linn Zaw Win 2,996 on at

Like (0)

Report

@obartonek1

Even the "Components" table is managed / generated automatically via importing (Dataflow) from another system, you can automatically assign the record to the same as the Owner of the parent Product using some sort of automation (like Power Automate cloud flow). In that way, the Product and the Component will be in the same BU.

If possible, I recommend revisiting your original "Business Units" and Team solution.

I prefer to avoid sharing functionality unless it is only shared for very few records because it can cause performance issues in the long run if there are a lot of records being shared.

https://crmtipoftheday.com/969/the-problem-with-sharing/

Was this reply helpful? Yes No