
Difference between "Team privileges only" and "Direct user access level and teams privileges" configuration in Security Role


Hello,

 

I have created a custom security role "Security Role A"; however, I am struggling to understand the following configuration in the role:

 

Security Role member inheritance.png

Now, "Team A" is assigned "Security Role A" and my experience is as follows:

 

Team Privileges only: When a new member is added to "Team A", the user will not be able to view his/her record or create a record, even if user level "Create" and "Read" access is configured in "Security Role A". Meaning, team privileges are not really assigned to team members with this configuration.

 

Direct User access level and Team privileges: When a new member is added to "Team A", the user will be able to view his/her record or create a record, even if user level "Create" and "Read" access is configured in "Security Role A". Meaning, team privileges are immediately assigned to team members with this configuration and user behaviour will be as per the team's privileges; however, its members are not explicitly assigned "Security Role A".

 

Can you please share whether my understanding is correct? If not, what am I missing here?

 

Thanks,

  • Verified answer
    Joel CustomerEffective

    With team privileges only, the user must still have security roles directly applied to the user. Team privileges only gives the user privileges in the context of the records owned by or shared with the team, but not permission on the broader database or the privileges needed to log in to the system. This is really useful when you want a team to grant users permission on a subset of records that is more than their normal permission. For years this was the only option for team-based security. See https://www.google.com/amp/s/blog.crmguru.co.uk/2013/06/25/security-roles-and-teams-in-crm-2011-an-inconvenient-half-truth/amp/ for a full explanation of this option.

     

    Option 2 gives the users on the team the privileges of the team at the full user level. It is equivalent to directly assigning the role to the user.


    My recommendation is you should not start using AAD security group teams or team roles until you fully understand security roles and user security. @dave8 If this answers your question, please mark it as a solution.

  • Dave Wi

    Hi @jlindstrom 

     

    Just to clarify my understanding:

     

    Option 1: "User A" of "Team A" will have permission on the records which are shared with "Team A"; however, "Security Role A" will not be assigned to "User A".

     

    Option 2: "User A" of "Team A" will have permission on CDS as per "Team A"'s security role; however, if we look at "User A"'s roles under "Manage Roles", "Security Role A" would not be checked against "User A". Is this correct?

     

    Can you please confirm my understanding as above?

     

    Thanks,

  • Joel CustomerEffective

    Team security does not assign roles directly to users. It's more like this:

     

    Option 1: User's standard roles give them read and no edit privileges to accounts. When they open an account they can view it but not edit it. You put them on a team with a role with write privileges and then they can read and write account records owned by the team but not accounts not owned or shared with the team. This option is the way to create exceptions to the main security model.

     

    Option 2: Team role gives user privilege to edit all account records, not just the ones owned by the team. The team role can also give them base permissions to log in to the application without having to have any roles directly applied to the user record.

     

    Make sense? That is the difference between team only security and inherited security. There is a use case for both scenarios. For example, create a base role (https://crmtipoftheday.com/2/use-a-base-security-role, the first tip of the day I ever wrote) and apply this role to the AAD security group team. Set this role to option 2.

    Then, if you have some records for which you need to grant the user higher level permissions, create an owner team, grant the owner team a role set to team only and assign the records that the user needs higher permission on to the user team.

     

    See how these options are non-exclusive and work together?

     

    Another big thing to keep in mind: never assign a user and a team that the user is on the same security role. That makes all kinds of weird stuff happen.
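
The behaviour discussed in this thread, as a small added Python model that is not part of the original posts and is not Microsoft's code. It covers only user (Basic) depth privileges and leaves out record sharing and deeper access levels; all names (`Role`, `can`, `duplicate_assignments`, `user_a`) are hypothetical. It also checks for the overlap the last reply warns about, where a user holds the same role directly and through a team.

```python
from dataclasses import dataclass

# Simplified model of user (Basic) depth privileges only; deeper access levels
# and record sharing are left out. All names and data here are constructed.
TEAM_ONLY = "team_only"        # "Team privileges only"
DIRECT_USER = "direct_user"    # "Direct User access level and Team privileges"

@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset      # actions granted at user depth, e.g. {"read"}
    inheritance: str = TEAM_ONLY

def can(user, action, owner, direct_roles, team_roles, membership):
    """True if `user` may perform `action` on a record owned by `owner`."""
    # Roles assigned directly to the user cover records the user owns.
    if owner == user and any(action in r.privileges for r in direct_roles.get(user, [])):
        return True
    for team in membership.get(user, []):
        for role in team_roles.get(team, []):
            if action not in role.privileges:
                continue
            if owner == team:              # both settings cover team-owned records
                return True
            if owner == user and role.inheritance == DIRECT_USER:
                return True                # behaves like a direct assignment
    return False

def duplicate_assignments(direct_roles, team_roles, membership):
    """(user, team, role) triples where a role is held directly and via a team."""
    hits = []
    for user, teams in membership.items():
        own = {r.name for r in direct_roles.get(user, [])}
        for team in teams:
            hits += [(user, team, r.name) for r in team_roles.get(team, []) if r.name in own]
    return sorted(hits)

def demo():
    """Return (own record readable, team-owned record readable) per setting."""
    membership = {"user_a": ["Team A"]}
    results = {}
    for mode in (TEAM_ONLY, DIRECT_USER):
        role = Role("Security Role A", frozenset({"create", "read"}), mode)
        team_roles = {"Team A": [role]}
        results[mode] = (
            can("user_a", "read", "user_a", {}, team_roles, membership),
            can("user_a", "read", "Team A", {}, team_roles, membership),
        )
    return results
```
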
