Unanswered

How "Business Unit" scope would work for a CDS record?

(0) Share

Report

Posted on by Dave Wi

Hello,

My objective is When user named “User1” creates a record in "Users Entity" via "Users App", the same record’s write and delete permission should be assigned to “User 1”’s Team members.

Please find more information as follows "Users Entity":

"Users Entity" has Ownership as “User or Team” therefore, current user will be a default owner of the record.
User1,User2 and User3 are in the default Organization Team.
"Users App" is shared with User1,User2 and User3 with “Users Security Role” that has “Business Unit” scope for “Write and Delete” operations.

Question:

If User1 creates record “Test Record 1” in "Users Entity" , then Ownership value will be “User1” by default and User1 can update/delete the “Test Record 1”, However because of the “Business Unit” scope the same record can be updated by User1’ team meaning User2 and User3 can update “Test Record 1” which is currently the default Organization Team, does it mean that all users would be able to update the record with whom the app is shared ?
How can I make "User 1/2/3" only update the record with whom the app is shared in the current scenario? Should I create a new "Group Team" of "User 1/2/3" and remove them from "User 1/2/3"?

Thank you in advance!

Regards,

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (11)

Answers (1)

v-bofeng-msft on at

Like (1)

Report

Hi @dave8 :
Q1:Does it mean that all users would be able to update the record with whom the app is shared ?
If all other users are assigned security role permissions that include read and write permissions to the specified entity "Business Unit" level and they are in the same business unit as User1, then they have read and write permissions to the records created by User1.
Q2:Should I create a new "Group Team" of "User 1/2/3" and remove them from "User 1/2/3"?
There are two options:
Option1:Reduce rights to other users
Give other users other security roles and limit their authority level to the specified entity to "User".
Option2:Create a new "Business unit" and set User1\User2\User3 put in this newly created "Business unit".
Best Regards,
Bof

Was this reply helpful? Yes No
Dave Wi on at

Like (0)

Report

Thank you so much @v-bofeng-msft for your help!

Option2:Create a new "Business unit" and set User1\User2\User3 put in this newly created "Business unit".
For this option - Does it mean I should remove User1\User2\User3 from Org Team?

Thanks and Regards,

Was this reply helpful? Yes No
Verified answer

v-bofeng-msft on at

Like (0)

Report

Hi @dave8 :
What I mean may not be very accurate.
I mean create some business units under the current organization and then put User1/2/3 in the same business unit.
I think these links will help you a lot:
https://docs.microsoft.com/en-us/power-platform/admin/create-edit-business-units
https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges#security-roles
Best Regards,
Bof

Was this reply helpful? Yes No
Dave Wi on at

Like (0)

Report

Hi @v-bofeng-msft

Thank you for the links, however its all about teams/business units and security roles, It doesn't says, what will be considered as "Business Unit" if the owner is associated with more than 1 business unit in the same environment/organization while org team can not be deleted from the user?

Therefore, my question still remains same:
Option2:Create a new "Business unit" and set User1\User2\User3 put in this newly created "Business unit".
For this option - Does it mean I should remove User1\User2\User3 from Org Team?
Meaning, How cds record will consider current user's Business unit if the user is associated with "Custom BU" for "Users App" in addition to the "Org BU"? will that record consider owner's BU as "Custom BU" or "Org BU"?
Can you please help to understand here?
Thanks,

Was this reply helpful? Yes No
Joel CustomerEffective 3,224 on at

Like (1)

Report

Users cannot be associated with multiple business unit. Every user has one business unit.
Teams also have a primary business unit. The record is considered to be in the business unit of the owner of the record, either user or team.

Business units and teams are different things. but they are related. Each Business unit has a team that is automatically populated with people in the related business unit. Teams are in business units but can have members who are in different business units.

I made a video that explains all of this and should answer your questions. https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/td-p/615512

Was this reply helpful? Yes No
Dave Wi on at

Like (0)

Report

Thank you @jlindstrom for your attention!

Regarding "Users cannot be associated with multiple business unit. Every user has one business unit." - By default all users are connected with "Org BU" which can not be deleted - does it mean user can have only one BU which is an "Org BU"?

Furthermore, I have created a "AAD Group Team" called "Users Group Team" which is an associated with "Users BU" Therefore, whenever the record is created in "Users Entity" - what will be the current user/owner's BU? "Org BU" or "Users BU"? Basically, how can I identify current user's Parent BU?

Thanks and Regards

Was this reply helpful? Yes No
Joel CustomerEffective 3,224 on at

Like (0)

Report

that last part has been a bit unusual--I've noticed that the users in the AAD team are not by default given the BU of the aad team but rather the BU of the administrator of the team. I haven't tested it enough to know the real answer to that.

You can move users to different business units on their user record.

My recommendation (which i state in the video) is never add users to the root business unit--I've seen too many times where people do that and then have a security requirement that requires those users to be segmented from visibility to some records, and moving a bunch of users business unit is no fun.

Was this reply helpful? Yes No
EricRegnier 8,720 Most Valuable Professional on at

Like (1)

Report

Was just gonna point them to your video @jlindstrom which BTW will be my future response to any security model related questions 😉

Was this reply helpful? Yes No
Joel CustomerEffective 3,224 on at

Like (0)

Report

Thanks--yes I answered that question multiple times

Was this reply helpful? Yes No
Dave Wi on at

Like (0)

Report

Hi @jlindstrom @EricRegnier

I agree there are multiple resources available, but I preferred to raise a question in forum to know and confirm my understanding for the specific scenario, for example this one -

https://powerusers.microsoft.com/t5/Common-Data-Service-for-Apps/If-user-is-associated-with-multiple-BUs-what-will-be-the-current/m-p/623434/highlight/false#M6229

It can be easier for the expert but not for the newbie to grasp everything at the first place in less time (unfortunately), which is why I preferred to discuss on the forum to save time as much as I can.

Thank you for your understanding!

Regards,

Was this reply helpful? Yes No