Assigning ownership of records to a team and using membership of the team for access to data

Posted on by 6
Hi,
 
Does anyone know how to assign ownership of a Dataverse record to a team that we've set up in our environment (other than the default team for a business unit)? My guess is that this can be of use for securing data in a shared table.
 
We have two apps in one environment. It seems that by default records are created in the business unit of the user. The user and the business unit have ownership of the record. 
 
Both apps share the table Contact. However, we do not want users of the first app to see contacts added by users of the other one.
 
Is there a way to limit the access to records by ownership of a team (based on Entra ID security group) so only members of that team have access to these records?
 
If that is so, how can we assign ownership to this kind of team? If we open a record in an app and try to adjust the ownership, we can change business unit, user or team and user. But with the teams options only standard teams (of a business unit) appear. We have several teams added that are based on Microsoft Entra ID security groups and we want to use these.
 
I know one way to separate data is by the use of business units, but that is not a solution for us. A user can only be a member of one business unit. Since some of our users need to have more roles and need to use both apps. 
 
Any ideas how we can use team ownership?
 
This is our set-up:

Shared Environment

Business units

  • shared-environment

App 1 : Q&A

Tables:
  • Question 
  • Reaction
  • Contact

App 2 : VolunteersAdmin

Tables:
  • Volunteer
  • Contact
  • Account

Business units

  • shared-environment

Security roles

  • Assigned to the app Q&A:
    • basic-user qa: has access to the tables question, reaction, contact on 'User' level
    • qa-administrator: has access to the tables question, reaction, contact on 'Business unit' level

  • Assigned to the app Volunteers:
    • basic-user volunteer: has access to volunteer, contact, account on 'User' level
    • volunteers-administrator: has access to volunteer, contact, account on 'Business unit' level

Teams

  • shared-environment:
    • no roles assigned
  • basic-users qa:
    • Related to an Entra ID security team (BG_qa)
    • has role basic-user qa
  • qa-administrators: has role qa-administrators
    • Related to an Entra ID security team (BG_qa-admin)
    • has role qa-administrators
  • basic-users volunteer: has role basic-users volunteer
    • Related to an Entra ID security team (BG_volunteers)
    • has role basic-users volunteer
  • volunteers-administrators: has role volunteers-administrators
    • Related to an Entra ID security team (BG_volunteers-admin)
    • has role volunteers-administrator
 
  • Suggested answer
    Gabriel G.
    831 Super User 2025 Season 2
    As I understand, you want to use a 'records owner' team, which is a good practice to maintain your security roles clean :). Unfortunately, except if you use plugin with the 'pre-operation' method, you need to configure something to change the owner on your records.

    -You create an owner team for each active business unit you have in your system (I suggest you name the team with prefix like -> OWNER_<teamname>);
    -You create a 'readonly' security role which contains readonly on 'organization' level as privileges, I suggest to name it like 'Owner Team Role'. (You need this since your owning team needs to be able to read records to be the owner);
    -You assign that security role to owner teams;
    -Now, you can use a cloud flow to assign the records, when created, to the owner team of your choice (related to business unit if needed);
    ---On last step, you can use a workflow if you want it synchronous and if you have only 1 owner team. You can also use plugin if you want. Well, you need a process to change the records ownership---
    -Then, users' privileges gonna apply properly without the 'user ownership' privilege.
     
    ***Warning, if you need more business units, you gonna probably need to activate 'Record ownership across business units' to be able to change the owningbusinessunit field across forms in your app***

    I hope you understand the meaning of this :)

    -----------------------------------------------------------

    Please click Does this answer your question if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider giving it a Like.
  • Hematon
    6
    Hi Gabgadou, thank you so much for your reply. Really appreciate it.
     
    I'm not sure though if I understand your suggestions correctly. 
     
    You suggest we make an owner-team for the business unit. But we already have one, in fact we have several owning teams for each app related to several Entra ID security teams to be able to manage access in the Microsoft 365 Admin environment.

    There is a default team associated with the business unit of the environment. Every user is in the business-unit and in that team. We did not assign a security role to this one. Since we have several apps in the environment we've created teams and security roles for each app.
     
    For App One we have:
    1. an owning team "basic-users volunteer" with a security role "basic-user volunteer" assigned to it with reading rights on user level (I don't see why this should be organization level since we only want to give access to the records of a user)
    2. an owning team "volunteers administrators" with a security role "volunteers-administrator" assigned to it with all the rights on business unit level and sharing on organisation level
    For App Two we have something similar
     
    We've shared App One with both teams of App One
    We've shared App Two with both teams of App Two
     
    So access to the apps and data is secured, and so are the creation and reading options on the custom tables for each app, I guess.
     
    But both apps share the standard table Contacts. We need to restrict access to records in this table to the ones that have been created in each app. So that is why we want to use team ownership. 
    We've tried to assign a team in a flow by using the action create/update Dataverse record and using the field "owner (owners)" and use the team-id in this way teams(teamid). But we did not succeed.
     
    We also would like to show in the form and the view the team that owns the record. But did not find a way to show them since they don't appear in the form and view designer as an option.
     
    We've noticed that every table has a column for team (owner of the record) but how can we use this one?
     
     
    The reason why we do not use several business units to secure data is that users can only be assigned to one business unit and by doing so only have access to the data in one business unit. Some users need to use both apps so need access to the data in both business units.
     
    You suggested we could activate 'record ownership across business units', but where can we activate it and how does this help? 
     
    If all the users are assigned to the root business unit and data are stored in separate business units, is it possible to give users access to data in a child business unit by adding them to a team that lives in that child business unit?
     
  • Verified answer
    Gabriel G.
    831 Super User 2025 Season 2
    Forget about system team based on businessunit already set up.
     
    Records have 2 major values to set privileges: owning business unit and ownerid.
     
    Records ownership can be of 2 types: team or user. If you want to set a team owner, you simply set the owner with an ‘owning team’. To make an owning team, you need to create a Team and set its type to ‘Owning team’.
     
    If you let a user own records, you consider setting privileges based on this user’s businessunit and you will not be able to remove the ‘user’ level on privileges for that user.
     
    Then, you should use team to make users inherit privileges from them. You create ‘Access team’, give it business unit (if needed, you keep default one otherwise), you give it security roles based on the need, and you add users to the team as requested. Users gonna inherit privileges from roles on the team.
     
    Sorry, I know it is hard to visualize. I will try to make some screenshots to help you understand.
  • Hematon
    6
    Thank you so much, Gabgadou.
     
    It is hard to visualize. But this was really helpful.
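
An added example (not part of the thread and not any poster's code) of the two pieces discussed above: the Dataverse Web API request that sets a contact's owner to a team, and a check that lists contacts still owned by a user or by a team outside the expected owner teams. The organization URL, GUIDs, team constants and sample records are constructed assumptions; the request is only built, not sent.

```python
import json
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
OWNER_TYPE = "_ownerid_value@Microsoft.Dynamics.CRM.lookuplogicalname"

# Constructed sample values (assumptions, not taken from the thread).
QA_OWNER_TEAM = "11111111-1111-1111-1111-111111111111"
VOLUNTEERS_OWNER_TEAM = "22222222-2222-2222-2222-222222222222"
SAMPLE_CONTACTS = [  # shape of Web API rows returned with lookup annotations
    {"contactid": "00000000-0000-0000-0000-0000000000c1",
     "_ownerid_value": QA_OWNER_TEAM, OWNER_TYPE: "team"},
    {"contactid": "00000000-0000-0000-0000-0000000000c2",
     "_ownerid_value": "44444444-4444-4444-4444-444444444444",
     OWNER_TYPE: "systemuser"},
    {"contactid": "00000000-0000-0000-0000-0000000000c3",
     "_ownerid_value": "33333333-3333-3333-3333-333333333333",
     OWNER_TYPE: "team"},
]

def build_assign_to_team(org_url, contact_id, team_id):
    """Build (method, url, headers, body) that makes a team the owner of a contact."""
    for value in (contact_id, team_id):
        if not GUID.match(value):
            raise ValueError(f"not a GUID: {value!r}")
    url = f"{org_url.rstrip('/')}/api/data/v9.2/contacts({contact_id})"
    headers = {"Content-Type": "application/json",
               "OData-Version": "4.0",
               "If-Match": "*"}  # update only; never create a new contact
    # ownerid is polymorphic: bind to the teams entity set, not systemusers.
    body = json.dumps({"ownerid@odata.bind": f"/teams({team_id})"})
    return "PATCH", url, headers, body

def audit_contact_owners(contacts, allowed_team_ids):
    """Return (contactid, reason) for contacts not owned by an allowed owner team."""
    allowed = {t.lower() for t in allowed_team_ids}
    findings = []
    for c in contacts:
        owner_type = c.get(OWNER_TYPE)
        if owner_type != "team":
            findings.append((c["contactid"], f"owned by {owner_type or 'unknown'}"))
        elif (c.get("_ownerid_value") or "").lower() not in allowed:
            findings.append((c["contactid"], "owned by unexpected team"))
    return findings

if __name__ == "__main__":
    print(build_assign_to_team("https://example.crm.dynamics.com",
                               SAMPLE_CONTACTS[1]["contactid"], QA_OWNER_TEAM))
    print(audit_contact_owners(SAMPLE_CONTACTS, {QA_OWNER_TEAM, VOLUNTEERS_OWNER_TEAM}))
```

The owner-type annotation is only present when the read request asks for it with a `Prefer: odata.include-annotations` header.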
     
