Hello everyone, I am a solution architect and currently working on a design for a business application that is built using the Power Platform. We will be making use of Dataverse for data storage, Power Apps for the application (with some Power Automate features) and Power BI for additional visualization features.
My goal is to have a secure, simple and efficient User Access Management set-up for this product, but I am struggling to find all the necessary answers that I am looking for by referring to Microsoft's documentation. That's why I am looking for your advice.
For some of the requirements I have a possible idea that needs to be verified but others I simply do not know the options.
Let's assume we have a very simple design where the Dataverse has only one Entity where records are stored. There are three user roles: (1) Administrator with privileged access, (2) Creator with "Create" and "Read" privileges and (3) Reviewer with "Write" and "Read" privileges. The so-called "Privilege Access Level" should remain on "User". The Power Apps will require some permissions to control what users can do within the UI and the functionality (e.g., hide/show certain features and business logic). Imagine that these permissions could be classified using the same three user profiles as mentioned above. Both Power Apps and Power BI should inherit the data security from the Dataverse.
Requirements/assumptions:
- I don't think that setting up Business Units would help this use-case as we are not really doing segmentation and the focus is user-owned records.
- The three user profiles can be managed using security roles: use out-of-the-box security rules and if needed create a copy and modify the copied role for each of the three roles (as explained above)
- Efficiency: I want to know if Group Teams (e.g., Azure AD Group Teams, Ownership Teams and Access Teams) can be used so that instead of granting each individual user a security role, an administrator will only have to add the user to an Azure Active Directory Group which is paired to a Group Team (which is paired to a security role). The ideal scenario is that this integrates with both Power Apps and Power BI, so that a UAM can almost completely be managed through three Azure AD Security Groups.
I have doubts whether teams work for this use-case because I read the following in MS's documentation "manage group teams": "While teams provide access to a group of users, you must still associate individual users with security roles that grant the privileges that they need to create, update, or delete user-owned records."
Wouldn't this be a problem? For example, the Creator "Read" privileges are then automatically valid for everyone in the Group Team. This is unwanted.
- What would be a good way to align the permission control (UI/functionality) of Power Apps with the Dataverse UAM set-up? Again, with the goal in mind to make UAM as efficient, simple and secure as possible. Could you use the same AD Groups for this purpose?
- The three security groups also have to be added to the Dataverse Environment. Hopefully it accepts more than one SG? I don't know whether Power Apps is within the same environment (i.e., Power Platform) or if you have to do it for a separate Power Apps environment as well?
The ultimate goal is that UAM (more specifically the user provisioning) of the entire product can be operated through the use of the three Azure AD Security Groups because they are directly tied to the security of the data and the permission of the application's user interface and functionality. The data security from the Dataverse is inherited by Power Apps and Power BI.
I added a sketch of the design.
Feedback on individual components of this use-case is also welcome. Once I have decided on a final approach, I will repost a consolidated answer so that it can be used by others as well. Thanks in advance!
