cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
lgpower
Helper II
Helper II

Dataverse Access teams / owner teams

‎11-26-2020 12:03 AM

So I have read the documentation on access / owner teams but a few practical things for my use case remain unclear. 

Scenario: I have an hour registration app. Dataverse has been set-up as a back-end for our apps (we do not use other Dataverse related products other than 365). CRUD operations are triggered from the powerapp to Dataverse. User that creates the record owns the record. However, some users should be able to create/update for one another. Also, managers should be able to update/delete the records with regards to their approval responsibilities. 


In another screen I have an interface set-up for some users to control the Team Table (create access teams/owners teams, assign users to the teams etc. 

1. Say I have an Access team with User X and Y in the same team. The users have owner based security roles (CRUD on own records only) on the Hour Registration Table. The Hour Registration Table is Team or User owned. Would user X be able to edit records of user Y? If not how would user Y provide access to user X through the access team Table mechanism?

2. Say the same scenario as above would occur but the users would be in a Owner team, this would give both users Owner privilges on all their records, right? 

3. What are the privilges of team administrators? In my case would they automatically be privilged to perform operations on the teams' records? 

 

Would be really appreciated to get some guidance on these security/collaboration topics 

 

Thanks

Message 1 of 5
1,388 Views
3 ACCEPTED SOLUTIONS

Accepted Solutions
EricRegnier
Super User
Super User

‎11-26-2020 12:22 AM

Hi @lgpower, answers to your questions below:

  1. If user X and Y has write user-level access only on Hour Registration table, then by default they can only edit the records they owned. If they're added to an access team where the access team's template has Write privilege then they will have access to edit those records even if they are now owned by them,
  2. Only if the record is assigned to that Owner team. 
  3. Good question, it doesn't effect the privileges for the administrator. It's only to support business functionality, such as if you want to notify the team admin when something occurs or to let users know the the point of contact for that team.

BTW: here's a good video explain security concepts in CDS/Dataverse: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/t... 

Hope this helps!

View solution in original post

Message 2 of 5
1,369 Views
0 Kudos
EricRegnier
Super User
Super User
In response to lgpower

‎11-29-2020 03:09 PM

Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template

Do you mean to add the template template subgrid to the form so user can add/remove users? https://docs.microsoft.com/en-us/power-platform/admin/create-team-template-add-entity-form#add-a-tea...

 

Should both users be able to perform operations on each other's record as long as they are part of the same team?

Yes, assuming they have the privilege to either gain by the access team membership of security roles assigned.


However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct? 

If I understand your question is about deploying access teams? Teams are considered as data so unfortunately they are solution aware. You can deploy/import access team with data import such as the Config Migration Tool:  https://docs.microsoft.com/en-us/power-platform/admin/manage-configuration-data. There's also the Access Team Template Mover tool from XrmToolBox: https://www.xrmtoolbox.com/plugins/DynamicsCode.AccessTeamTemplateMover/ 

So how would user X get access to the records of user Y if the team they are both in is User-Created? 

Assume you are using Access Teams, after you added the subgrid on the form, by adding that user to the access team of that record

 

Hope this helps

View solution in original post

Message 4 of 5
1,343 Views
0 Kudos
Fubar
Solution Sage
Solution Sage

‎11-29-2020 03:50 PM

Access Teams are a way to share records (in a simpler format than using the traditional record Share mechanism).  You are sharing the record that the subgrid is on (and that records Child records if the relationships to the child records has cascade set), you are not giving access to other records owned by other users in the subgrid.  When the share occurs the privileges of the access team are given to the user in the subgrid where that user has at least user level privileges on the same privilege corresponding privilege.

 

Owner teams are traditional teams and are used to facilitate access by other users based on Team membership (and record ownership) and the underlying Security Role privileges and Business Unit structure implemented.

 

https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/use-access-tea...

 

View solution in original post

Message 5 of 5
1,337 Views
0 Kudos
4 REPLIES 4
EricRegnier
Super User
Super User

‎11-26-2020 12:22 AM

Hi @lgpower, answers to your questions below:

  1. If user X and Y has write user-level access only on Hour Registration table, then by default they can only edit the records they owned. If they're added to an access team where the access team's template has Write privilege then they will have access to edit those records even if they are now owned by them,
  2. Only if the record is assigned to that Owner team. 
  3. Good question, it doesn't effect the privileges for the administrator. It's only to support business functionality, such as if you want to notify the team admin when something occurs or to let users know the the point of contact for that team.

BTW: here's a good video explain security concepts in CDS/Dataverse: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/t... 

Hope this helps!

Message 2 of 5
1,370 Views
0 Kudos
lgpower
Helper II
Helper II

‎11-26-2020 02:31 AM

Hi @EricRegnier,

Thanks again for your reply!

Based on your comment: 

1. Along the Link you sent I updated the Table/Entity settings to allow for Access teams. 

2. Created an Access Team Template with the required privileges 
3. Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template, should both users be able to perform operations on each other's record as long as they are part of the same team? 

However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct? 

4. So how would user X get access to the records of user Y if the team they are both in is User-Created? 









Preview file
109 KB
Message 3 of 5
1,358 Views
0 Kudos
EricRegnier
Super User
Super User
In response to lgpower

‎11-29-2020 03:09 PM

Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template

Do you mean to add the template template subgrid to the form so user can add/remove users? https://docs.microsoft.com/en-us/power-platform/admin/create-team-template-add-entity-form#add-a-tea...

 

Should both users be able to perform operations on each other's record as long as they are part of the same team?

Yes, assuming they have the privilege to either gain by the access team membership of security roles assigned.


However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct? 

If I understand your question is about deploying access teams? Teams are considered as data so unfortunately they are solution aware. You can deploy/import access team with data import such as the Config Migration Tool:  https://docs.microsoft.com/en-us/power-platform/admin/manage-configuration-data. There's also the Access Team Template Mover tool from XrmToolBox: https://www.xrmtoolbox.com/plugins/DynamicsCode.AccessTeamTemplateMover/ 

So how would user X get access to the records of user Y if the team they are both in is User-Created? 

Assume you are using Access Teams, after you added the subgrid on the form, by adding that user to the access team of that record

 

Hope this helps

Message 4 of 5
1,344 Views
0 Kudos
Fubar
Solution Sage
Solution Sage

‎11-29-2020 03:50 PM

Access Teams are a way to share records (in a simpler format than using the traditional record Share mechanism).  You are sharing the record that the subgrid is on (and that records Child records if the relationships to the child records has cascade set), you are not giving access to other records owned by other users in the subgrid.  When the share occurs the privileges of the access team are given to the user in the subgrid where that user has at least user level privileges on the same privilege corresponding privilege.

 

Owner teams are traditional teams and are used to facilitate access by other users based on Team membership (and record ownership) and the underlying Security Role privileges and Business Unit structure implemented.

 

https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/use-access-tea...

 

Message 5 of 5
1,338 Views
0 Kudos

Helpful resources

Announcements
Power Platform Conf 2022 768x460.jpg

Join us for Microsoft Power Platform Conference

The first Microsoft-sponsored Power Platform Conference is coming in September. 100+ speakers, 150+ sessions, and what's new and next for Power Platform.

May UG Leader Call Carousel 768x460.png

June User Group Leader Call

Join us on June 28 for our monthly User Group leader call!

PA Virtual Workshop Carousel 768x460.png

Register for a Free Workshop

This training provides practical hands-on experience in creating Power Apps solutions in a full-day of instructor-led App creation workshop.

PA.JPG

New Release Planning Portal (Preview)

Check out our new release planning portal, an interactive way to plan and prepare for upcoming features in Power Platform.

View All
Users online (2,304)