michael-w
Frequent Visitor

A Design Flaw in Security Role: Create Privilege should only have two options instead of five

Create Privilege actually only has two options: cannot create, allow to create.

But the interface gives me five options: cannot create, user, BU, parent-child BU, organization. The latter four options behave the same, so these four options should be merged into one option to avoid being misleading. It is really a big issue to understand this counterintuitive design!

 


 

1 ACCEPTED SOLUTION

Accepted Solutions
HSheild
Super User

Hi @michael-w ,

 

All of the 5 options are valid for the Create Privilege and they do result in a difference in behaviour. For example, Create User means that the user can only create records where they are the owner. They cannot create records and set someone as the owner.  The other levels of Create dictate who a user can create a record on behalf of.

 

 


5 REPLIES
bilal684
Frequent Visitor

Hello Michael,

 

I believe you should read this article: https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges and familiarize yourself with the different access levels.

 

If you want more details, I suggest the following PDF document, created by Microsoft, explaining key security concepts (which have not changed much these past years) around Dynamics CRM: https://download.microsoft.com/download/D/6/6/D66E61BA-3D18-49E8-B042-8434E64FAFCA/Scalable%20Securi...

 

Hope that helps,


 

 

EricRegnier
Super User

Hi @michael-w, this is as designed and will have different create behaviors depending on how complex your security model is in your system. To supplement on the other posts, here's another nice short video explaining some security aspects if you don't have the chance to go through the other links: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/t...

Hope this helps...

Thanks, I have found these different behaviors:

If prvCreate==Not Set, then I cannot create a record.

If prvCreate==User, then I can create a record but cannot change the owner field.

If prvCreate==BU, then I can change the owner field to a user who is in the same BU as me.

If prvCreate==Parent-Child BU, then I can change the owner field to a user who is in a lower BU than me or in the same BU as me.

If prvCreate==Global, then I can change the owner field to any user.
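
The behaviours listed in the reply above can be written down as a small decision model, which also shows how to pick the lowest Create level a role actually needs. This is an added example, not part of the original thread and not the platform's own implementation; the business-unit tree, user names and function names are constructed for illustration.

```python
from enum import IntEnum

class Depth(IntEnum):
    NONE = 0           # "Not Set"
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3   # "Parent-Child BU"
    ORGANIZATION = 4   # "Global"

# Constructed business-unit tree: child -> parent (the root has no parent).
BU_PARENT = {"Root": None, "Sales": "Root", "Sales-EU": "Sales", "Support": "Root"}

# Constructed users: name -> business unit.
USER_BU = {"alice": "Sales", "bob": "Sales", "carol": "Sales-EU",
           "dave": "Support", "erin": "Root"}

def is_same_or_descendant(bu, ancestor):
    """True if `bu` equals `ancestor` or sits below it in the tree."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def can_create_for(creator, owner, depth):
    """May `creator` create a record whose owner field is `owner`?"""
    if depth == Depth.NONE:
        return False                      # cannot create at all
    if owner == creator:
        return True                       # every other level allows self-owned records
    if depth == Depth.USER:
        return False                      # owner field cannot be changed
    if depth == Depth.BUSINESS_UNIT:
        return USER_BU[owner] == USER_BU[creator]
    if depth == Depth.PARENT_CHILD:
        return is_same_or_descendant(USER_BU[owner], USER_BU[creator])
    return True                           # ORGANIZATION: any user

def allowed_owners(creator, depth):
    """All users `creator` can set as owner at the given Create level."""
    return sorted(u for u in USER_BU if can_create_for(creator, u, depth))

def minimal_depth(creator, owners):
    """Lowest Create level that covers every owner in `owners` (least privilege)."""
    for depth in Depth:
        if depth != Depth.NONE and all(can_create_for(creator, o, depth) for o in owners):
            return depth
```
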

 

 

Xander
Frequent Visitor

I am happy that you solved this question.
