Unanswered

Dataverse environment - BU, security roles issue and Ad security groups

(0) Share

Report

Posted on by Community Power Pla...

Dear all,

it seems I can't find the right configuration and I'm hitting my head in the wall :S.

I have an environment protected by Container AD group. In this container group i have 3 AD security groups with different members.

I created a custom dataverse table and 2 security roles (copied form the basic one)

-> 1. child security role that gives permissions only on BU level and

->2. parent, that is with permissions parent-child BU level for this table.

I created 3 BU: 1 parent (europe) and 2 children (spain, italy).

I created 3 teams (type AD security) in this 3 BU and assigned the corresponding custom roles to them.

Finally i created canvas app with form and gallery for this custom table and shared the canvas directly with the nested security groups, assigning again the correct security role.

As a result (unfortunately) all the users are seeing all the records. When I check users bu there are all assigned to the environment main business unit (so its normal to see the records). If i reassign the BU manually user by user ->the security roles are working as expected.

I sow that there is no automated way to assign AD security group to BU. My question is ->what do i do wrong? Is there a way to put all my users from AD security group directly in the right BU so i can protect the records?

All the answers will be very appreciated!

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (7)

Answers (1)

Mira Ghaly 11,413 Moderator on at

Like (0)

Report

@Anonymous

You can try what is described here:

https://community.dynamics.com/365/f/dynamics-365-general-forum/396225/how-to-dynamically-update-user-s-business-unit-and-security-roles

1. You can create a new Team and set the team to a specific AD group as below

2. Assign Business unit and security roles

https://docs.microsoft.com/en-us/power-platform/admin/manage-teams

Was this reply helpful? Yes No
Community Power Pla... on at

Like (0)

Report

Hi @Mira_Ghaly thank you for taking the time answering me but your answer contains the steps i followed and described in my question.
What is clear: Create AD security team inside child bu and assign security role to the team ->ok
Not clear: I see that when a member from this security team access the environment his BU is the main environment BU and not his teams BU. Therefore he sees all the records to everybody. Si in order to finish my config i have to move him manually to the right child bu.
Is there a way my team member , when he access the environment to be moved automatically to the right business unit as he is a member of team in a child bu?

Was this reply helpful? Yes No
Verified answer

Drew Poggemann 9,287 Most Valuable Professional on at

Like (1)

Report

Hi @Anonymous ,

There is nothing out of the box that will automatically set the business unit of the user based on assignment to a team or a security group. It looks possible to utilize Power Automate to accomplish what you are trying to do here systematically.

I know the following is not accomplishing exactly what you were wanting to do but it has many of the Power Automate actions you would want to do (although utilizing older connector).

https://ryanmaclean365.com/2020/06/03/change-a-users-business-unit-and-retain-their-security-roles-using-power-automate/

You could run a regular scheduled flow that would search for any users that belong to the specific teams you are synchronizing for the countries and if the users that are on the team do not belong to the same business unit as the team, update the business unit and then remember you have to reset the roles (and in my past experiences you need to make sure the manager is set appropriately as well as this can be cleared in the manager is not in the same hierarchy of business units).

Was this reply helpful? Yes No
cchannon 4,702 Moderator on at

Like (1)

Report

It may seem a bit odd, but you can kinda scope permissions of users to a BU they aren't in by granting them team memebership in a team that is in that BU with their role inherited through the team. So:

IF User X is in BU A and is also a member of a Team Y in BU B, and

IF Team Y has the "child" role you mentioned (BU privs),

THEN user X can see records in BU B.

Was this reply helpful? Yes No
Community Power Pla... on at

Like (0)

Report

Hi @dpoggemann thank you for confirming me the process. I wanted to avoid the "manual" work assigning BU. I will try with power automate 🙂

Was this reply helpful? Yes No
carl1to 208 on at

Like (0)

Report

@Anonymous did you find a solution for your requirement? I'm also thinking about 'improving' my security setup with the help of business units and so far, the best solution I could think of is to assign the business units to users according to membership of special purpose AAD-Group Teams ( 1 Group Team per BU).

nb. it is possible to grant users the rigth to access data to BU-records without moving them from the root BU with the help of Group-Teams in the desired BU and SecRole assigned to the Group-Teams (Owner / AAD). But of course, the records this users will create will be assigned to the root business unit by default....

Was this reply helpful? Yes No
Community Power Pla... on at

Like (0)

Report

Hi @carl1to nope I didn't find a good solution. I ended doing all manually.

Was this reply helpful? Yes No