cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Chris1969
Helper II
Helper II

Configuring Dataverse Security for Temporary Access to Specific Rows

‎03-29-2021 10:59 AM

Summary.  What is the recommended best practice for configuring row-level security in an environment having strict need-to-know information barriers which change month by month (for example, I'm allowed to see a row this month but not next month).

 

Business RequirementsA group of users in the same business unit ("Enforcement Division") requires temporary, constantly changing, need-to-know-only access to a subset of rows (10-15 at a time) within a table of "Incidents" having ~1,000 rows.

 

For example, in May, user "David" requires access to rows R1 and R2 (and their descendent rows in another table in a "mater-detail" relationship); user "Eve" requires access to rows R2 and R3 (and their descendent rows); and user "Fred" requires access to row R4 (and its descendent row).

 

In June, user "David" keeps access to row R1, loses access to row R2, and is granted access to row R3.  "Eve's" access remains unchanged.  "Fred" loses access to row R4 and gains access to row R2 and R5.

 

Question

  1. Is the best approach to create a Dataverse Team for each row R1, R2, R3, R4, and R5, and then associate or unassociate relevant users to such teams as the users' access requirements evolve? 
  2. If so, how can a row become owned by a team? (For example, how can row R1 become owned by team "Team for R1" ?)

Related Online Resources

In researching this topic, I reviewed the following online resources:

Thank you for any guidance!

Message 1 of 4
128 Views
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
EricRegnier
Super User II
Super User II

‎03-30-2021 12:49 AM

Hi @Chris1969,

There's no right/wrong and depends, but an approach I would recommend is to configure your security roles for these tables as user-level owned. That way users will only be able to see what is owned by them or their team(s). Then with the help of Power Automate or manual business processes to update the owner when required. The owner of the records can be a team. User can also change team as need be, but would suggest to try to keep the teams as intact as possible and segregate them. Business Units (BUs) might help but not require to achieve that scenario. Especially if users need to move BUs often will create unnecessary complexity. 

The other way is with Access Teams as per the previous post or sharing/unsharing the records, but this require one key owner/admin of the record that manages the accesses and might have a performance impact depending on volume of data and users.

Hope this helps!

View solution in original post

Message 3 of 4
87 Views
0 Kudos
3 REPLIES 3
ChrisPiasecki
Super User
Super User

‎03-29-2021 11:41 AM

Hi @Chris1969,

 

With Access Teams, which provides the unique explicit access per record, it cannot own a record. Owner teams can own a record. If you only intend to control access via Access Teams, then set the Owner as some generic owner team or a service account in the business unit. Ensure that the security role for the users that will be part of an Access Team have just user level privileges on the table.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Message 2 of 4
99 Views
0 Kudos
EricRegnier
Super User II
Super User II

‎03-30-2021 12:49 AM

Hi @Chris1969,

There's no right/wrong and depends, but an approach I would recommend is to configure your security roles for these tables as user-level owned. That way users will only be able to see what is owned by them or their team(s). Then with the help of Power Automate or manual business processes to update the owner when required. The owner of the records can be a team. User can also change team as need be, but would suggest to try to keep the teams as intact as possible and segregate them. Business Units (BUs) might help but not require to achieve that scenario. Especially if users need to move BUs often will create unnecessary complexity. 

The other way is with Access Teams as per the previous post or sharing/unsharing the records, but this require one key owner/admin of the record that manages the accesses and might have a performance impact depending on volume of data and users.

Hope this helps!

View solution in original post

Message 3 of 4
88 Views
0 Kudos
Chris1969
Helper II
Helper II

‎03-30-2021 07:29 AM

@ChrisPiasecki and @EricRegnier , thank you so much for your guidance on this topic -- very helpful !

Message 4 of 4
75 Views
0 Kudos

Helpful resources

Announcements
PA_User Group Leader_768x460.jpg

Manage your user group events

Check out the News & Announcements to learn more.

Power Query PA Forum 768x460.png

Check it out!

Did you know that you can visit the Power Query Forum in Power BI and now Power Apps

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

View All
Users online (2,897)