cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Chris1969
Helper I
Helper I

Configuring Dataverse Security for Temporary Access to Specific Rows

‎03-29-2021 10:59 AM

Summary.  What is the recommended best practice for configuring row-level security in an environment having strict need-to-know information barriers which change month by month (for example, I'm allowed to see a row this month but not next month).

 

Business RequirementsA group of users in the same business unit ("Enforcement Division") requires temporary, constantly changing, need-to-know-only access to a subset of rows (10-15 at a time) within a table of "Incidents" having ~1,000 rows.

 

For example, in May, user "David" requires access to rows R1 and R2 (and their descendent rows in another table in a "mater-detail" relationship); user "Eve" requires access to rows R2 and R3 (and their descendent rows); and user "Fred" requires access to row R4 (and its descendent row).

 

In June, user "David" keeps access to row R1, loses access to row R2, and is granted access to row R3.  "Eve's" access remains unchanged.  "Fred" loses access to row R4 and gains access to row R2 and R5.

 

Question

  1. Is the best approach to create a Dataverse Team for each row R1, R2, R3, R4, and R5, and then associate or unassociate relevant users to such teams as the users' access requirements evolve? 
  2. If so, how can a row become owned by a team? (For example, how can row R1 become owned by team "Team for R1" ?)

Related Online Resources

In researching this topic, I reviewed the following online resources:

Thank you for any guidance!

Message 1 of 4
98 Views
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
EricRegnier
Super User II
Super User II

‎03-30-2021 12:49 AM

Hi @Chris1969,

There's no right/wrong and depends, but an approach I would recommend is to configure your security roles for these tables as user-level owned. That way users will only be able to see what is owned by them or their team(s). Then with the help of Power Automate or manual business processes to update the owner when required. The owner of the records can be a team. User can also change team as need be, but would suggest to try to keep the teams as intact as possible and segregate them. Business Units (BUs) might help but not require to achieve that scenario. Especially if users need to move BUs often will create unnecessary complexity. 

The other way is with Access Teams as per the previous post or sharing/unsharing the records, but this require one key owner/admin of the record that manages the accesses and might have a performance impact depending on volume of data and users.

Hope this helps!

View solution in original post

Message 3 of 4
57 Views
0 Kudos
3 REPLIES 3
ChrisPiasecki
Super User
Super User

‎03-29-2021 11:41 AM

Hi @Chris1969,

 

With Access Teams, which provides the unique explicit access per record, it cannot own a record. Owner teams can own a record. If you only intend to control access via Access Teams, then set the Owner as some generic owner team or a service account in the business unit. Ensure that the security role for the users that will be part of an Access Team have just user level privileges on the table.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Message 2 of 4
69 Views
0 Kudos
EricRegnier
Super User II
Super User II

‎03-30-2021 12:49 AM

Hi @Chris1969,

There's no right/wrong and depends, but an approach I would recommend is to configure your security roles for these tables as user-level owned. That way users will only be able to see what is owned by them or their team(s). Then with the help of Power Automate or manual business processes to update the owner when required. The owner of the records can be a team. User can also change team as need be, but would suggest to try to keep the teams as intact as possible and segregate them. Business Units (BUs) might help but not require to achieve that scenario. Especially if users need to move BUs often will create unnecessary complexity. 

The other way is with Access Teams as per the previous post or sharing/unsharing the records, but this require one key owner/admin of the record that manages the accesses and might have a performance impact depending on volume of data and users.

Hope this helps!

View solution in original post

Message 3 of 4
58 Views
0 Kudos
Chris1969
Helper I
Helper I

‎03-30-2021 07:29 AM

@ChrisPiasecki and @EricRegnier , thank you so much for your guidance on this topic -- very helpful !

Message 4 of 4
45 Views
0 Kudos

Helpful resources

Announcements
PA User Group

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

MBAS Attendee Badge

Claim Your Badge & Digital Swag!

Check out how to claim yours today!

secondImage

Are Your Ready?

Test your skills now with the Cloud Skill Challenge.

secondImage

Demo Extravaganza is Back!

We are excited to announce that Demo Extravaganza for 2021 has started!

MBAS on Demand

Microsoft Business Applications Summit sessions

On-demand access to all the great content presented by the product teams and community members! #MSBizAppsSummit #CommunityRocks

View All
Top Solution Authors
View All
Users online (37,983)