Hello again,
I have spent several hours trying to rethink this issue and am still at a barrier. I'm hoping my updated rationale here may be able to assist someone to recommend a solution. Please use this in reference to the diagram above.
Please note: I am trying to achieve this in the optimum technical way at the data layer, in Dataverse. I want to avoid having a 'hybrid' approach of getting ~50% there in Dataverse and having to do the other ~50% in Power FX.
Rationale, starting from the User perspective this time:
1. The most important association is that the records of user M3 are owned by M3 and are not associated with a Team. This is to ensure that only M3 can view M3's records when M3's "View" Security Role is set to User/Team.
2. Due to the requirement of (1), my understanding is the record cannot be owned by a User and a Team at the same time. Given this, the 'Team' concept is not of any value here, as it doesn't set a record ownership boundary. (In Group A, M1 and M2 should not be able to see M3's records. Therefore, it would be of no value assigning M3's records to a Team.)
3. Due to (1) and (2), I thought about creating Group A as a Business Unit. AL (Group Leader for Group A) should be set as having Business Unit level access to Group A's records so that AL can view all of Group A's records.
4. I then considered that in the Modernised Business Units, it is possible to assign Security Roles from multiple Business Units to an individual user, who can then view the records in other BUs. For example, AL could be given a Security Role from the Business Unit for Group C to view M3's records in Group C. But yet again, I'm back at the problem of how I can "filter" the BU records from Group C to only show records pertaining to members of Group C who are also members of Group A, i.e. M3 in the above example?
Again, the concept of a Team is useless as M3 needs to own their records so they can't see anyone else's records, but then this deprecates the value of a Team as an object container/boundary, so I can't use a Team as the record owner and then assign AL a 'User/Team' View Security Role for the Business Unit for Group C.
Summary
I know that I will have an oversight here somewhere because this is so fundamental; the functionality must exist, but I'm just not seeing it/knowing how to implement it. The way this appears is that there is a "missing hierarchy level" between User, Team and BU, because if a record cannot be owned by a User AND a Team at the same time, the next level up is BU. But in that case, how can you have a situation where you want to suppress the record to only be viewable by the owning user in one case, but ALSO have that record SELECTIVELY viewable by another security role when you cannot use the "Team Unit" to segment the records in line with a Security Role?
If anyone has any indication of how to solve this, please do share; I have wasted hours on this and it is disheartening to not receive any meaningful responses from this huge community who have been very helpful in the past. Thank you very much for your time, it is very much appreciated.
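To make the ownership and access-depth rules the post reasons about concrete, here is a small simulation added as an illustration; it is not code from the original post, from Dataverse, or from Microsoft. It encodes only what the post relies on: a record has exactly one owner (a user or a team) and sits in one owning Business Unit, and a security role grants Read at User/Team, Business Unit, or Organization depth. The user names (AL, M3), group names (Group A, Group C), role names, the extra Group C member `C1`, and the `can_read`/`visible_records` helpers are constructed for this example; they are assumptions, not identifiers from the page.

```python
"""Simplified model of Dataverse ownership-based read access (added illustration).

Assumptions for this example: one owner per record, one owning BU per record,
and three read depths. Real Dataverse has more depths and more mechanisms;
this model only reproduces the rules the post describes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Depth(IntEnum):
    USER = 1  # "User/Team": records owned by the user or by a team they belong to
    BU = 2    # Business Unit: every record whose owning BU is the role's BU
    ORG = 3   # Organization: every record


@dataclass(frozen=True)
class Role:
    name: str
    bu: str        # BU the role was assigned from (Modernised BU allows cross-BU roles)
    read: Depth


@dataclass
class User:
    name: str
    bu: str
    roles: list[Role] = field(default_factory=list)
    teams: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Record:
    id: str
    owner: str            # exactly one owner: a user name or a team name
    owning_bu: str
    owner_is_team: bool = False


def can_read(user: User, record: Record) -> bool:
    """Return True if any of the user's roles grants Read on this record."""
    for role in user.roles:
        if role.read == Depth.ORG:
            return True
        if role.read == Depth.BU and role.bu == record.owning_bu:
            return True
        if role.read == Depth.USER:
            if record.owner_is_team and record.owner in user.teams:
                return True
            if not record.owner_is_team and record.owner == user.name:
                return True
    return False


def visible_records(user: User, records: list[Record]) -> list[str]:
    """IDs of the records the user can read, in input order."""
    return [r.id for r in records if can_read(user, r)]


# Constructed scenario mirroring the post: Group A and Group C are BUs.
MEMBER_READ_C = Role("Member (Group C)", bu="Group C", read=Depth.USER)
LEADER_READ_C = Role("Leader (Group C)", bu="Group C", read=Depth.BU)

M3 = User("M3", bu="Group C", roles=[MEMBER_READ_C])   # in Group C and Group A
C1 = User("C1", bu="Group C", roles=[MEMBER_READ_C])   # constructed: Group C only
AL = User("AL", bu="Group A", roles=[LEADER_READ_C])   # Group A leader, BU role from Group C

RECORDS = [
    Record("rec-m3", owner="M3", owning_bu="Group C"),
    Record("rec-c1", owner="C1", owning_bu="Group C"),
]


def scenario() -> dict[str, list[str]]:
    """Who sees what under the rules above."""
    return {u.name: visible_records(u, RECORDS) for u in (M3, C1, AL)}


if __name__ == "__main__":
    for name, ids in scenario().items():
        print(f"{name}: {ids}")
```

Running it shows the two facts the post is working from: User/Team depth keeps M3 and C1 to their own records, while the BU-depth role from Group C gives AL every record owned in Group C, including C1's. The model has no place to express "only the Group C records of people who are also in Group A", which is exactly the gap the post describes between the User, Team and BU levels.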