
Row level security on Dataverse Table

Posted on by 73

Hello !

I need to create a table with Row Level Security (basically a person from a client company can only access the rows concerning his company).

 

The MS documentation presents this info:

"combination of all their security roles, the business unit they are associated with, the teams they are members of and the records that are shared with them. "

 

It's a first project for me on Dataverse and tables. Do you know how this can be done ?  (Are Access Teams designed for this option ? )

 

Thanks

 

  • Drew Poggemann Profile Picture
    9,287 Most Valuable Professional on at

    Hi @Sylv1,

     

    The Dataverse provides a very robust security model for Tables.  You can control record access in many different ways.  

     

    Some key concepts are the following:

    1.  Roles - Roles can be defined that provide access at multiple levels to tables (i.e. records) within the Dataverse.  This is usually the first place to start...  You can set up security on the tables for multiple actions (create, read, write, etc.) to be "User" level, which means the user that owns the record will only be able to utilize.  You can then step up from there to business unit, parent / child business units, and overall organization.

     

    Please check out the following article:  Security concepts in Microsoft Dataverse - Power Platform | Microsoft Docs

     

    There are a number of other security items past this when needed including:

    1.  Hierarchical Security - This can be set up at Manager or Position level.  Hierarchy security - Power Platform | Microsoft Docs

    2.  Access Teams - This is focused on sharing (with specific rights with access team profiles) to specific records.  You can set up an Access team and add individuals to the record in the Access Team and they will have the rights that you identify.  Good article:  Manage teams - Power Platform | Microsoft Docs

    3.  Share - Of course you can specifically share records with others as well...

     

    Hopefully this helps!


    Thanks,


    Drew

  • EricRegnier Profile Picture
    8,720 Most Valuable Professional on at

    Hi @Sylv1,

    To quickly answer your question:

    1. The table needs to be configured as User or Team ownership. If you already created it with a different ownership, you'll need to delete and create it.
    2. Need to configure a security role with user-level create/write/read privileges to that custom table. If you don't have a security role yet you can create a new one based on the "Basic User" role (create a copy of it). By default, the user will only be able to view/edit the records that they create.

    In addition to the previous links shared by @dpoggemann, here's a nice video summarizing security in Dataverse/CDS: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/td-p/615512

    Hope this helps!

  • Sylv1 Profile Picture
    73 on at

    Thank you very much! That's very useful to better understand the security concepts in Dataverse.
    I still have to determine how to organize my contents, and which Teams to use.
    In my case:
    Main Table: Transactions
    A transaction concerns 1 Customer

    An Employee is in charge of 1 or many customers
    His roles determine what he can do on customers (Account Op, Relationship mgr) Read / Write.

    So I guess:
    Roles should be Security Roles
    Clients should be teams

    But how do I automatically set the teams on the transaction when created?




     

  • EricRegnier Profile Picture
    8,720 Most Valuable Professional on at

    I would say clients are just another table. If they are individual clients then use OOB contact table or a company then OOB account.

    The role you’ll create, copy it from the OOB “basic role” to get all the minimum required privileges.  Make sure the role then has user-level read/write on account/contact.  The user who creates that client will be the only person who automatically can manage that client. If you want to automate and change the ownership so that other users can manage that client, have some Power Automate flows or classic workflows to change the owner. To further advise, I’ll need to know more about how you want those clients to be reassigned and elaborate on transaction concerns, what are those?
    Thanks!

  • Sylv1 Profile Picture
    73 on at

    Thanks Eric for the answer.  


    A transaction is a relation between a product and a client (a client can buy or sell products )

    Clients of course, can only see their own transactions. The difficulty here is we currently have subsidiaries or affiliates (who have their own transactions).

    "The user who creates that client will be the only person who automatically can manage that client." 
    Actually, there is not only one person who can manage a client; an internal team does that (e.g. John and Peter can manage the Microsoft client, John and Sarah can manage the Apple client).

    So basically transactions can be accessed and managed (created / deleted / modified) either by the client or by the team managing that client.  Is that clearer?

  • Fubar Profile Picture
    8,350 Super User 2025 Season 2 on at

    As you mentioned 'person from a client company' need to be clear about how it is intended that the person is accessing the data - e.g. Canvas App, Model Driven App, PowerApps Portal - as the answer may be different depending on the user interface.

     

    The underlying User or Team entity definition and Security Role Permissions is for users that are in your Dataverse 'Users' (systemusers) table i.e. part of your Azure AD (internal or as Guest) and are Licenced.  The PowerApps Portal has a slightly different permissions structure and is more Contacts based (rather than systemuser based).

  • EricRegnier Profile Picture
    8,720 Most Valuable Professional on at

    Thanks for clarifying, I understand the data model better now. As mentioned previously, there's a few ways to do this:

    1. Teams - in Dataverse you'll need to have Teams representing the subsidiaries/affiliates. Assuming you do, your internal users (e.g. John) will need to assign the client to the proper team when creating a new client to give access to that client to his/her subsidiaries/affiliates. You can also find a way to automatically assign to the right team based on some logic. What would that logic be is the question....
    2. Business units - you can configure a BU per subsidiary/affiliate and then your roles to business unit level. With this method, only users within that BU will have access to those clients (clients whose ownership is by a user within that BU). Maybe this method would be simpler for you to manage.

    Then how can the client manage their details/transactions? Do you have Power Apps portal?

     

  • Sylv1 Profile Picture
    73 on at

    Thanks a lot for the answers.

    For the moment the database is MySQL and the interface is PHP. The goal is to migrate that. We will use Power BI and Canvas PowerApps (and Power Automate) at first to manage the internal part, as a first level, and then a Power Apps Portal for the client part ultimately.

    2) What I fear with the Business Units is that, if I remember what I've read, a user can be in only one Business Unit.  So it will be impossible for an employee to manage different clients in 2 different business units, or for a client to be part of 2 business units, right?


  • EricRegnier Profile Picture
    8,720 Most Valuable Professional on at

    Yes that’s right for BUs, but users can be part of teams from other BUs. 


    For your external customers, you will not solve that with Dataverse security model. You’ll have to implement the custom logic to retrieve the right data (via a service account or SPN connection) to expose on the custom portal.
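
The team-based access described in the answers above, as an added example that is not part of any post and is not Dataverse code: a simplified Python model of read access (own role depth, team role depth, shares), run on constructed sample data with the John/Peter/Sarah names from the thread. It assumes only User and Business Unit depths, owner teams that carry their own role, and a row's owning BU equal to its owner's BU; the class and function names are hypothetical.

```python
from dataclasses import dataclass

USER, BUSINESS_UNIT = 1, 2  # read depth a security role grants (0 = none)

@dataclass(frozen=True)
class Principal:            # a user, or an owner team with its own role
    name: str
    bu: str                 # each user or team sits in exactly one BU
    read_depth: int
    members: frozenset = frozenset()  # only used for teams

@dataclass(frozen=True)
class Row:
    label: str
    owner: str              # name of the owning user or team
    owning_bu: str          # assumption: equal to the owner's BU
    shared_with: frozenset = frozenset()

def grants(p, row):
    """True if principal p's role depth covers this row."""
    if p.read_depth >= USER and row.owner == p.name:
        return True
    return p.read_depth >= BUSINESS_UNIT and row.owning_bu == p.bu

def can_read(user, row, teams):
    """Access is the union of shares, the user's role and team roles."""
    if user.name in row.shared_with or grants(user, row):
        return True
    return any(user.name in t.members and grants(t, row) for t in teams)

# Constructed sample data: every employee is in one BU ("Internal"),
# while the owner teams live in the client BUs.
USERS = {n: Principal(n, "Internal", USER) for n in ("John", "Peter", "Sarah")}
TEAMS = [
    Principal("Microsoft managers", "Microsoft BU", USER, frozenset({"John", "Peter"})),
    Principal("Apple managers", "Apple BU", USER, frozenset({"John", "Sarah"})),
]
ROWS = [
    Row("microsoft-tx", "Microsoft managers", "Microsoft BU"),
    Row("apple-tx", "Apple managers", "Apple BU"),
    Row("internal-note", "Sarah", "Internal", frozenset({"Peter"})),
]

def visible(user_name):
    user = USERS[user_name]
    return sorted(r.label for r in ROWS if can_read(user, r, TEAMS))

if __name__ == "__main__":
    for name in USERS:
        print(name, visible(name))
```

In this model John reaches rows in two client BUs purely through team membership while staying in a single BU himself, and a colleague's user-owned row stays hidden unless it is shared.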

  • Sylv1 Profile Picture
    73 on at

    "Yes that’s right for BUs, but users can be part of teams from other BUs. "
    Sorry, I do not understand that. How can you be in a team in a BU if you cannot be in a BU?

    If I have Client A and Client B as BUs,
    I can have "Team Client Managers" with the same people in both?

    Thanks a lot for the portal information. 

