cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Chris1969
Helper II
Helper II

Configuring Dataverse Security for Temporary Access to Specific Rows

‎03-29-2021 10:59 AM

Summary.  What is the recommended best practice for configuring row-level security in an environment having strict need-to-know information barriers which change month by month (for example, I'm allowed to see a row this month but not next month).

 

Business RequirementsA group of users in the same business unit ("Enforcement Division") requires temporary, constantly changing, need-to-know-only access to a subset of rows (10-15 at a time) within a table of "Incidents" having ~1,000 rows.

 

For example, in May, user "David" requires access to rows R1 and R2 (and their descendent rows in another table in a "mater-detail" relationship); user "Eve" requires access to rows R2 and R3 (and their descendent rows); and user "Fred" requires access to row R4 (and its descendent row).

 

In June, user "David" keeps access to row R1, loses access to row R2, and is granted access to row R3.  "Eve's" access remains unchanged.  "Fred" loses access to row R4 and gains access to row R2 and R5.

 

Question

  1. Is the best approach to create a Dataverse Team for each row R1, R2, R3, R4, and R5, and then associate or unassociate relevant users to such teams as the users' access requirements evolve? 
  2. If so, how can a row become owned by a team? (For example, how can row R1 become owned by team "Team for R1" ?)

Related Online Resources

In researching this topic, I reviewed the following online resources:

Thank you for any guidance!

Message 1 of 4
200 Views
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
EricRegnier
Super User
Super User

‎03-30-2021 12:49 AM

Hi @Chris1969,

There's no right/wrong and depends, but an approach I would recommend is to configure your security roles for these tables as user-level owned. That way users will only be able to see what is owned by them or their team(s). Then with the help of Power Automate or manual business processes to update the owner when required. The owner of the records can be a team. User can also change team as need be, but would suggest to try to keep the teams as intact as possible and segregate them. Business Units (BUs) might help but not require to achieve that scenario. Especially if users need to move BUs often will create unnecessary complexity. 

The other way is with Access Teams as per the previous post or sharing/unsharing the records, but this require one key owner/admin of the record that manages the accesses and might have a performance impact depending on volume of data and users.

Hope this helps!

View solution in original post

Message 3 of 4
159 Views
0 Kudos
3 REPLIES 3
ChrisPiasecki
Dual Super User
Dual Super User

‎03-29-2021 11:41 AM

Hi @Chris1969,

 

With Access Teams, which provides the unique explicit access per record, it cannot own a record. Owner teams can own a record. If you only intend to control access via Access Teams, then set the Owner as some generic owner team or a service account in the business unit. Ensure that the security role for the users that will be part of an Access Team have just user level privileges on the table.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Message 2 of 4
171 Views
0 Kudos
EricRegnier
Super User
Super User

‎03-30-2021 12:49 AM

Hi @Chris1969,

There's no right/wrong and depends, but an approach I would recommend is to configure your security roles for these tables as user-level owned. That way users will only be able to see what is owned by them or their team(s). Then with the help of Power Automate or manual business processes to update the owner when required. The owner of the records can be a team. User can also change team as need be, but would suggest to try to keep the teams as intact as possible and segregate them. Business Units (BUs) might help but not require to achieve that scenario. Especially if users need to move BUs often will create unnecessary complexity. 

The other way is with Access Teams as per the previous post or sharing/unsharing the records, but this require one key owner/admin of the record that manages the accesses and might have a performance impact depending on volume of data and users.

Hope this helps!

Message 3 of 4
160 Views
0 Kudos
Chris1969
Helper II
Helper II

‎03-30-2021 07:29 AM

@ChrisPiasecki and @EricRegnier , thank you so much for your guidance on this topic -- very helpful !

Message 4 of 4
147 Views
0 Kudos

Helpful resources

Announcements
Power Platform Conf 2022 768x460.jpg

Join us for Microsoft Power Platform Conference

The first Microsoft-sponsored Power Platform Conference is coming in September. 100+ speakers, 150+ sessions, and what's new and next for Power Platform.

May UG Leader Call Carousel 768x460.png

June User Group Leader Call

Join us on June 28 for our monthly User Group leader call!

PA Virtual Workshop Carousel 768x460.png

Register for a Free Workshop

This training provides practical hands-on experience in creating Power Apps solutions in a full-day of instructor-led App creation workshop.

PA.JPG

New Release Planning Portal (Preview)

Check out our new release planning portal, an interactive way to plan and prepare for upcoming features in Power Platform.

View All
Users online (2,942)