Dataverse Permissions - Cross-Team Membership

Posted by pp365
Hi everyone,
 
To try and explain my question I've drawn a basic diagram and description, attached.
 
Originally, I was planning to divide the record ownership simply between the Team boundaries (A, B and C) but a requirement has now been raised by the customer which needs to allow for selective cross-Team record visibility as described.
 
I'm looking for the optimum way to achieve this at the data layer (IE not use Power FX in a Canvas App, but enforce within Dataverse).
 
Thank you very much for your assistance!
 
 
  • pp365:
    In case this is beneficial to anyone reading this post in the future, I have opened a related post, about the use of Access Team here. This is likely the solution I'm going to work with to solve for this.
  • pp365:
    Hello again,
     
    I have spent several hours trying to rethink this issue and am still at a barrier. I'm hoping my updated rationale here may be able to assist someone to recommend a solution. Please use this in reference to the diagram above.
     
    Please note: I am trying to achieve this in the optimum technical way at the data layer, in Dataverse. I want to avoid having a 'hybrid' approach of getting ~50% there in Dataverse and having to do the other ~50% in Power FX. 
     
    Rationale, starting from the User perspective this time:
     
    1. The most important association is that the records of user M3 are owned by M3 and are not associated to a Team. This is to ensure that only M3 can view M3's records when M3's "View" Security Role is set to User/Team.
     
    2. Due to the requirement of (1), my understanding is that the record cannot be owned by a User and a Team at the same time. Given this, the 'Team' concept is not of any value here, as it doesn't set a record ownership boundary. (In Group A, M1 and M2 should not be able to see M3's records. Therefore, it would be of no value assigning M3's records to a Team).
     
    3. Due to (1) and (2), I thought about creating Group A as a Business Unit. AL (Group Leader for Group A) should be set as having Business Unit level access to Group A's records so that AL can view all of Group A's records.
     
    4. I then considered that in the Modernised Business Units, it is possible to assign Security Roles from multiple Business Units to an individual user who can then view the records in other BUs. For example, AL could be given a Security Role from the Business Unit for Group C to view M3's records in Group C. But yet again, I'm back at the problem of how can I "filter" the BU records from Group C to only show records pertaining to members of Group C who are also members of Group A, IE M3 in the above example?
    Again, the concept of a Team is useless, as M3 needs to own their records so they can't see anyone else's records; but then this deprecates the value of a Team as an object container/boundary, so I can't use a Team as the record owner and then assign AL a 'User/Team' View Security Role for the Business Unit for Group C.
     
    Summary
     
    I know that I will have an oversight here somewhere, because this is so fundamental that the functionality must exist, but I'm just not seeing it/knowing how to implement it. The way this appears is that there is a "missing hierarchy level" between User, Team and BU. Because if a record cannot be owned by a User AND a Team at the same time, the next level up is BU. But in that case, how can you have a situation where you want to suppress the record to only be viewable by the owning user in one case, but ALSO have that record SELECTIVELY viewable by another security role when you cannot use the "Team Unit" to segment the records in line with a Security Role?
     
    If anyone has any indication of how to solve this, please do share, I have wasted hours on this and it is disheartening to not receive any meaningful responses from this huge community who have been very helpful in the past. Thank you very much for your time, it is very much appreciated.
  • pp365:
    I'm replying again to hopefully raise the profile of this question in the hope someone can help.
     
    @WarrenBelz , @RandyHayes , @Pstork1 sorry to at mention you but as the top three on the Leaderboard is there any chance you'd have the solution for this or can recommend anyone from the community that can help?
     
    Thank you very much in advance.
  • pp365:
    Just posting again to flag this post, could really do with some pointers here please, if anyone can assist?
    @ronaldwalcott do you have any additional comments?
    Thanks again.
  • pp365:
    Hello everyone, is anyone able to provide some suggestions for this? Thank you!
  • pp365:
    Thanks for your reply. Yes, I've looked at the documentation and am reasonably familiar with the core concepts, but the scenario presented I've not needed to build for previously.
     
    Originally, the reason for the Groups was that these would be Teams within Dataverse, and record access would be set via Security Roles such that the Teams would be the natural boundaries. (In reality it would have gone further than that, where the Group Leader could access all the records within the Group, and individual members, e.g. M1, could only access their own records. The plan was to do some additional work around filtering by the user for that).
     
    Now the requirement is (as presented) a single user can be a Member of more than one Group (Team), and the Group Leader can see the records related to that Member no matter which Group (Team) they are a member of, whether that's the same Group (Team) they are the Leader for, or, another Group (Team).
     
    I'm sure this is quite a common requirement in Dataverse but I want to establish the best way to architecturally structure this, and have not experimented with record ownership outside of the scopes of User/Team or Organization yet. For instance, is this a 'Business Unit' requirement perhaps?
     
    Thank you for your help!
     
  • ronaldwalcott:
    In your use case does each member only have access to their records and the grouping serves as some form of category? 
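To make the numbered rationale in pp365's second reply concrete, here is an added example that is not part of this thread and is not Dataverse code: a small Python model of how Dataverse decides record-level Read access from three inputs that the thread discusses, namely record ownership, the privilege depth of a security role scoped to the business unit the role was created in (User / Business Unit / Parent: Child Business Units / Organization), and record sharing, which is what membership of an access team grants. The business-unit tree, the users AL, M1 and M3, the extra Group C member CX (who has no link to Group A), the record names and the access team name are all constructed for illustration, and the model deliberately simplifies the real privilege checks.

```python
"""Toy model of Dataverse record-level Read access (added example, not Microsoft code).

Simplified on purpose: one table, Read privilege only, no hierarchy security,
no column-level security, no sharing inheritance.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Depth(IntEnum):
    NONE = 0          # no Read privilege on the table
    USER = 1          # own records and records owned by teams the user belongs to
    BU = 2            # every record in the role's business unit
    PARENT_CHILD = 3  # the role's business unit and every unit below it
    ORG = 4           # every record in the environment


# Constructed business-unit tree: root "Org" with Group A and Group C as children.
BU_PARENT = {"GroupA": "Org", "GroupC": "Org", "Org": None}


def bu_in_subtree(bu, root):
    """True if `bu` is `root` or one of its descendants."""
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT[bu]
    return False


@dataclass
class User:
    name: str
    bu: str                                    # a user belongs to exactly one business unit
    teams: set = field(default_factory=set)    # owner teams and access teams the user is in
    roles: list = field(default_factory=list)  # (business unit the role was created in, Depth)


@dataclass
class Record:
    rid: str
    owner: str      # owning user or owning team
    owner_bu: str   # a record sits in its owner's business unit
    shared_with: set = field(default_factory=set)  # users/teams granted Read by sharing


def can_read(user, rec):
    depths = [d for _, d in user.roles]
    if not depths or max(depths) == Depth.NONE:
        return False  # no Read privilege on the table at all

    # Ownership: own record, or a record owned by a team the user belongs to.
    if rec.owner == user.name or rec.owner in user.teams:
        return True

    # Sharing (direct share or access-team membership) grants this one record regardless of depth.
    if user.name in rec.shared_with or user.teams & rec.shared_with:
        return True

    # Otherwise the role's depth decides, scoped to the business unit the role came from.
    for role_bu, depth in user.roles:
        if depth == Depth.ORG:
            return True
        if depth == Depth.PARENT_CHILD and bu_in_subtree(rec.owner_bu, role_bu):
            return True
        if depth == Depth.BU and rec.owner_bu == role_bu:
            return True
    return False


def visible(user, records):
    return sorted(r.rid for r in records if can_read(user, r))


def build_scenario():
    """Constructed data following the thread: AL leads Group A (BU-depth Read on Group A);
    M1 is a Group A member (User depth; M2 would behave the same); M3 sits in Group C
    but is also counted as a Group A member; CX is a hypothetical Group C member
    with no link to Group A."""
    al = User("AL", "GroupA", roles=[("GroupA", Depth.BU)])
    m1 = User("M1", "GroupA", roles=[("GroupA", Depth.USER)])
    m3 = User("M3", "GroupC", roles=[("GroupC", Depth.USER)])
    cx = User("CX", "GroupC", roles=[("GroupC", Depth.USER)])
    records = [
        Record("rec-M1", "M1", "GroupA"),
        Record("rec-M3", "M3", "GroupC"),
        Record("rec-CX", "CX", "GroupC"),
    ]
    return {"AL": al, "M1": m1, "M3": m3, "CX": cx}, records


def step4_bu_role():
    """The post's step 4: AL also gets a BU-depth role from Group C, so AL sees
    every Group C record, including CX's, not only M3's."""
    users, records = build_scenario()
    users["AL"].roles.append(("GroupC", Depth.BU))
    return {n: visible(u, records) for n, u in users.items()}


def access_team_share():
    """The direction the thread ends on: share only M3's records with an access team
    (constructed name "AT-M3") that AL belongs to. AL gains rec-M3 and nothing else
    from Group C; M1 and M3 still see only their own records."""
    users, records = build_scenario()
    users["AL"].teams.add("AT-M3")
    for r in records:
        if r.owner == "M3":
            r.shared_with.add("AT-M3")
    return {n: visible(u, records) for n, u in users.items()}


if __name__ == "__main__":
    print("BU-depth role from Group C:", step4_bu_role())
    print("Access-team sharing:       ", access_team_share())
```

Running the block prints the two outcomes side by side: `step4_bu_role` reproduces the over-broad result the post describes (AL reads rec-CX as well as rec-M3), while `access_team_share` gives the selective visibility the customer asked for without M3's records being team-owned, so M3's User-depth role still restricts M3 to their own records. In a real environment the sharing step is done by adding AL to the record's access team or by sharing the records, both of which are per-record grants rather than a change to the security role.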
