I'm designing a high-scale Dataverse environment (1M+ Users / 10M+ Records) and want to validate a 3-Tier Security Model to avoid POA table bloat and performance degradation.
The Proposed Structure:
* Vertical Access: Manager Hierarchy Security (Depth: 3) for all internal management visibility.
* Internal Collaboration: Access Teams on individual records for cross-functional staff access.
* External/Group Access: Company Owner Teams (one per Account). We use Power Automate to GrantAccess (Sharing) to the Team rather than individual users.
* Relationship Behavior: Cascade: None on Share; Cascade: All on Assign.
Questions:
Is this "Hybrid" model (Manager Hierarchy + Company-Team Ownership + Automated Sharing) considered a "Real-World Best Practice" for 1M+ user environments?
Specifically:
* Ownership Scaling: Does owning records via Company Owner Teams (potentially thousands of records per team) pose any known performance risks during high-frequency data entry?
* At a 1 million user scale, is sharing with a Company Owner Team (single POA row per company) the most efficient way to grant bulk access to external contacts?
* Are there known risks with using Access Teams for internal collaboration alongside Hierarchy Security at this volume?
* Does Cascade: All on Assign create significant locking issues if the record is being moved between Owner Teams frequently?
I'd love to hear from anyone who has hit the limits of the POA table. Thanks!
___________________________________________
Use Case example for more reference:
Logistics Company wants to develop this solution for its internal and external users.
1. Record Ownership & Internal Access
* Trip Ownership: A Trip is owned by either a Sales Personal Owner Team or a Customer Company Owner Team (One team per Customer account).
* Internal Staff (Procurement/Sales): For cross-functional access (Procurement), we use Access Teams on the Trip record.
* Child Records: Customer Invoices are child records of Trips. To prevent performance "locking," all relationships are set to Cascade: None for Share/Unshare/Assign.
2. External Partner Access (The "Hybrid" Sharing)
* Transport Companies: Each Transporter has a Company Owner Team containing all their contacts.
* Automation: When a Procurement user assigns a Transporter to a Trip, a Power Automate flow executes a GrantAccess action to that Transporter's Company Team (AccessMask: 23).
* Dynamics: This ensures that any contact associated with that Transport Company can see/edit the Trip immediately without manual sharing for every individual.
3. Data Isolation
* Sales & Customers: Roles are set to User-Level (Deep) on their respective tables.
* External Users: No access to "opposite side" tables (e.g., Customers cannot see Transporter-specific negotiation tables).
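
Added example, not part of the original post: a pre-flight check a flow or its test suite could run before calling GrantAccess, decoding the `AccessMask: 23` from the use case into Dataverse `AccessRights` bits and rejecting over-broad masks, plus a simplified POA row estimate comparing one share per Company Team with per-contact cascading shares. The function names, the forbidden-rights policy and the sample figures are assumptions made for illustration.

```python
from enum import IntFlag

class AccessRights(IntFlag):
    """Bit values of the Dataverse AccessRights enum."""
    READ = 1
    WRITE = 2
    APPEND = 4
    APPEND_TO = 16
    CREATE = 32
    DELETE = 65536
    SHARE = 262144
    ASSIGN = 524288

KNOWN_BITS = sum(r.value for r in AccessRights)
# Assumption for this design: an external Company Team must never be able to
# delete, re-share or reassign a Trip through a share.
FORBIDDEN_EXTERNAL = AccessRights.DELETE | AccessRights.SHARE | AccessRights.ASSIGN

def decode_mask(mask: int) -> list[str]:
    """Return the names of the rights set in an AccessMask value."""
    if mask <= 0 or mask & ~KNOWN_BITS:
        raise ValueError(f"AccessMask {mask} has no rights or unknown bits")
    return [r.name for r in AccessRights if mask & r.value]

def validate_external_share(mask: int) -> list[str]:
    """Reject masks that give an external team more than collaboration rights."""
    rights = decode_mask(mask)
    if mask & FORBIDDEN_EXTERNAL.value:
        raise ValueError(f"AccessMask {mask} over-grants: {rights}")
    return rights

def poa_rows(records: int, principals: int, children: int, cascade_share: bool) -> int:
    """Simplified estimate: one POA row per (record, principal); a cascading
    share also adds one inherited row per child record for each principal."""
    per_principal = 1 + (children if cascade_share else 0)
    return records * principals * per_principal

if __name__ == "__main__":
    print(validate_external_share(23))  # the mask used by the flow in the post
    # Constructed figures: 1M shared Trips, 3 invoices each, 50 contacts per transporter.
    print("team share, no cascade:", poa_rows(1_000_000, 1, 3, False))
    print("per-contact share, cascade:", poa_rows(1_000_000, 50, 3, True))
```

The row estimate ignores Access Team shares and reparenting, so treat it as a lower bound when sizing the POA table.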
