Unanswered

Confusion about Teams, group Teams, Business Units, AAD Group, Security Roles - Security and Governance

(0) Share

Report

Posted on by DB2NV

Hi there,

I have been building Canvas apps for a while and never really thought about security. I am now making an app on Dataverse and would like to use security roles and the like. Reading online/videos have lead me to much confusion.

I understand that when you make an environment, a root business unit is made where all the users live. Then child business units can be made below these. Then Dataverse Teams and be made under these child units and these are called 'Dataverse group Teams'?

So for example, the Contoso Group would be a root BU, Contoso West and Contoso East could be child BUs under these, and under these I could have Sales East, and Sales West DV Group Teams all as a hierarchical structure?

How does this tie into an AAD Group? Are they the same thing?

In my scenario, I have an app where users should be able to approve an application based on what step that application is in. Eg Site Manager should not be able to approve for the General Manager. My thought was to make these different 'Dataverse group Teams' and base the approval on that. Is this the correct way?

For context, in other more simple apps (using Sharepoint), I've created AAD groups and then looked up the user's email (or ID) with the Office365Groups connector.

Thank you,

Categories:

Microsoft Dataverse with Power Apps

I have the same question (0)

All responses (4)

Answers (0)

DB2NV 44 on at

Like (0)

Report

Any takers?

Was this reply helpful? Yes No
Jonathan Manrique 2,687 on at

Like (0)

Report

Hi @DB2NV

A little bit to understand conceptually, they will be like teams or user containers, to which you can apply common security.

Now, a business unit by default creates a team as well, in this team there can be n users, then it can create another team where there can be m users and these will be different from each other, now up to this point it is understood that in the end they are containers of users, but where the real difference is in the security role and its depth levels since from there you can interact with the registry depending on your need.

As for ADD groups, these can be used to give access to the environment, but then you must give access to the application through security roles, and these are assigned to users or teams. They seem conceptually the same but they are different, one acts to access the environment and the other to the application.

https://learn.microsoft.com/en-us/power-platform/admin/wp-security-cds

Was this reply helpful? Yes No
DB2NV 44 on at

Like (0)

Report

What are you thoughts on the scenario I've described above?

Was this reply helpful? Yes No
Jonathan Manrique 2,687 on at

Like (0)

Report

Hi @DB2NV

The approach may be correct at the business unit level, but with ADD groups it is not the same as teams in dataverse security

Was this reply helpful? Yes No