Hi all,
Once again I turn to this wonderful community for some advice.
I am modelling the security for our solution. We have various locations and in all of those locations multiple roles (the same in all locations). Users should only have access to the tables for their role and data from their location. We would like to control access through AAD Security Groups. I have come up with the following:
Teams linked to AAD groups: one team for each location and role, i.e. UK, USA, France, CEO, CTO, Manager
Each user will be a member of 2 teams: Location + Role
The location teams will have the business unit for their location, the role team will have the main BU
The role teams will be linked to security roles to manage the access to the tables
I would like to put the access at user level so that we can assign records to the location team and restrict access only to records from the correct location.
My questions are:
1) If a user is in multiple teams, how do you assign a record to their team? Which team is considered their main team?
2) If the user is in two AAD teams which both have different BUs, which is considered the user's business unit?
3) Does the order in which a team is created/the order a user is added to an AAD group affect which BU/team is considered their BU/team?
Anything else I haven't thought about?
Thanks in advance.
Hi @HFG,
1. The user has a business unit assigned outside of the teams. This is their primary business unit, and when you set up security roles it will look at this business unit when the record is owned by the user.
2. A user can be in multiple teams, and these can be across business units, which would give users in BU A access to records in BU B if the record is owned by a team they belong to. There is no "primary" team; whatever team you set ownership on the record to is what is utilized for security.
3. This question is answered by #1 and #2.
Note, new functionality is in preview around Modern Business Units. Please check out Scott Durow's video here https://youtu.be/dVGklfmVr6s around this capability.
Also, you are setting up teams by position as well, you might want to look at the following (which might be useful) where you can have hierarchical security of records based on manager or position: https://docs.microsoft.com/en-us/power-platform/admin/hierarchy-security
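To make the two answers above concrete, here is a small simulation of how ownership, business units and privilege depth interact in the design described in the question. It is an added example, not Microsoft code and not the platform's actual implementation: it models only the four documented privilege depths (Basic, Local, Deep, Global), record ownership by a user or an owner team, and the rule that a directly assigned role is evaluated from the user's own business unit while a team's role is evaluated from the team's business unit. Sharing, hierarchy security, the team privilege-inheritance setting and the Modern Business Units preview are deliberately left out, and all users, teams, tables and records are constructed for the illustration.

```python
"""Simplified model of Dataverse-style record access (illustration only).

Assumptions made by this model, not statements about the real platform:
  - A role assigned directly to a user is evaluated from the user's own BU.
  - A role assigned to an owner team is evaluated from the team's BU, and the
    team's members get whatever that evaluation grants.
  - Basic depth means "owned by this principal"; Local means "owned within the
    principal's BU"; Deep adds child BUs; Global means any BU.
Sharing, hierarchy security and privilege inheritance settings are ignored.
"""
from dataclasses import dataclass, field
from typing import Optional

BASIC, LOCAL, DEEP, GLOBAL = "Basic", "Local", "Deep", "Global"


@dataclass
class BusinessUnit:
    name: str
    parent: Optional["BusinessUnit"] = None

    def is_within(self, other: "BusinessUnit") -> bool:
        """True if self is `other` or sits anywhere below it in the BU tree."""
        bu = self
        while bu is not None:
            if bu is other:
                return True
            bu = bu.parent
        return False


@dataclass
class Role:
    name: str
    read: dict  # table name -> privilege depth for the Read privilege


@dataclass
class Principal:
    """A user or an owner team. Users list the teams they belong to."""
    name: str
    bu: BusinessUnit
    roles: list = field(default_factory=list)
    teams: list = field(default_factory=list)


@dataclass
class Record:
    table: str
    owner: Principal


def role_grants_read(role: Role, principal: Principal, record: Record) -> bool:
    """Evaluate one role's Read depth from the point of view of `principal`."""
    depth = role.read.get(record.table)
    if depth is None:
        return False
    if depth == GLOBAL:
        return True
    if depth == DEEP:
        return record.owner.bu.is_within(principal.bu)
    if depth == LOCAL:
        return record.owner.bu is principal.bu
    if depth == BASIC:
        return record.owner is principal
    raise ValueError(f"unknown privilege depth: {depth}")


def can_read(user: Principal, record: Record) -> bool:
    # Direct roles: scoped by the user's own BU (answer #1 above).
    if any(role_grants_read(r, user, record) for r in user.roles):
        return True
    # Team roles: scoped by the team's BU, regardless of the user's BU (answer #2).
    return any(role_grants_read(r, team, record)
               for team in user.teams for r in team.roles)


def build_scenario() -> dict:
    """Constructed example matching the question: location teams + role teams."""
    root = BusinessUnit("Root")
    uk = BusinessUnit("UK", parent=root)
    usa = BusinessUnit("USA", parent=root)

    # Location teams own records; they need a Basic-depth role so members can read them.
    location_reader = Role("Location reader", {"account": BASIC})
    team_uk = Principal("UK", uk, roles=[location_reader])
    team_usa = Principal("USA", usa, roles=[location_reader])
    # Role team in the main BU: Local depth on "budget" is scoped to Root only.
    team_ceo = Principal("CEO", root, roles=[Role("CEO", {"account": BASIC, "budget": LOCAL})])

    # alice's own BU is UK; she is in the UK location team and the CEO role team.
    alice = Principal("alice", uk, roles=[Role("Own BU reader", {"account": LOCAL})],
                      teams=[team_uk, team_ceo])
    carol = Principal("carol", uk)   # another UK user, owns a record
    bob = Principal("bob", usa)      # a USA user, owns a record

    return {
        "alice": alice,
        "acct_uk_team": Record("account", team_uk),
        "acct_usa_team": Record("account", team_usa),
        "acct_carol": Record("account", carol),
        "acct_bob": Record("account", bob),
        "budget_ceo_team": Record("budget", team_ceo),
        "budget_uk_team": Record("budget", team_uk),
    }


if __name__ == "__main__":
    s = build_scenario()
    for key, rec in s.items():
        if key != "alice":
            print(f"alice can read {key}: {can_read(s['alice'], rec)}")
```

Running it shows the behaviour the answer describes: alice reads the record owned by the UK team (her team) but not the one owned by the USA team, reads the UK user's record through her own Local role and UK business unit but not the USA user's, and reads the CEO team's budget record while the UK team's budget record stays hidden, because the CEO role's Local depth is measured from the CEO team's business unit (Root), not from alice's.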