Security group as a member of another security group

(0) Share

Report

Posted on by mrstian89

315

I have tried the following, and it does not work. Hopefully someone can explain why! 🙂

I have to security roles:

Read access
Edit data access

All accesses are set to "User level", which I have read also means "Team".

I have to AAD security groups:

Read access
Edit data access

The security group is set up as a Team, and read team has read access, and edit data has edit access.

The entire AAD group "Edit data" has been added as a member in the Read group.

I have a flow which sets the record owner to the "Read team".
In my mind this would mean that the "Edit data" group would be able to edit the data in PowerApps.

This does not work! Not unless I change the security level from user to "business unit" in the security role.

What am I missing or not understanding here?

Update:

The read permission definetely works as it should, because I am able to see all the values that is owned by "Read access". But I am not able to write to them unless write is sett to business unit.

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (2)

Answers (1)

Verified answer

Drew Poggemann 9,287 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

Hi @mrstian89 ,

I would suggest looking at the Teams in Dataverse and seeing the roles and users assigned. Overall I don't know if the multiple layers of Group assignments carry down to Dataverse, I don't think they do. You can define a security group (SC A) and add users and these will be added to the team (SC A) in Dataverse. If you have another Security Group (SC B) that you add as a member of the First Group, this will not map the users to the (SC A) in Dataverse that I know of. These will map to Team (SC B) in Dataverse.

Things I would check:

1. Look at owner of record, assuming it is Team

2. Look at members of the Team in Dataverse after you did the SC-A and SC-B combine by adding the Group to the other Group. I think you will see that they users will not all be combined in Team SC-A

Hope this helps. Please accept if answers your question or Like if helps in any way.

Thanks,

Drew

Was this reply helpful? Yes No
mrstian89 315 on at

Like (0)

Report
Copy link

Link copied!
I actually got a partly working scenario now, I think.

A user who is part of the Maintainer role through a team, get read access to the right user/team records, but only write access to the same records if the write permission is set to business unit. Weird, but works for now.

I am using the following code to give access to the edit button for items:

If( (LookUp([@'Security Roles'], Name = "Maintainer", Role) in Concat(LookUp([@Users], 'Full Name' = User().FullName).'Security Roles (systemuserroles_association)', Role & ";") || LookUp([@'Security Roles'], Name = "Admin", Role) in Concat(LookUp([@Users], 'Full Name' = User().FullName).'Security Roles (systemuserroles_association)', Role & ";")),true,false )

This works if a user is directly assigned to the security role, but if they get the role through a Team, this does not work, as it is not set under "Manage permission" for specific users.

Is there any way to re-write this code to work when the user is not directly assigned? Would it have to be if he is a member of XXX team in stead?

Was this reply helpful? Yes No