Solved: Re: Dataverse Access teams / owner teams

Anonymous · ‎11-26-2020

So I have read the documentation on access / owner teams but a few practical things for my use case remain unclear.

Scenario: I have an hour registration app. Dataverse has been set-up as a back-end for our apps (we do not use other Dataverse related products other than 365). CRUD operations are triggered from the powerapp to Dataverse. User that creates the record owns the record. However, some users should be able to create/update for one another. Also, managers should be able to update/delete the records with regards to their approval responsibilities.

In another screen I have an interface set-up for some users to control the Team Table (create access teams/owners teams, assign users to the teams etc.

1. Say I have an Access team with User X and Y in the same team. The users have owner based security roles (CRUD on own records only) on the Hour Registration Table. The Hour Registration Table is Team or User owned. Would user X be able to edit records of user Y? If not how would user Y provide access to user X through the access team Table mechanism?

2. Say the same scenario as above would occur but the users would be in a Owner team, this would give both users Owner privilges on all their records, right?

3. What are the privilges of team administrators? In my case would they automatically be privilged to perform operations on the teams' records?

Would be really appreciated to get some guidance on these security/collaboration topics

Thanks

EricRegnier · ‎11-26-2020

Hi @Anonymous, answers to your questions below:

If user X and Y has write user-level access only on Hour Registration table, then by default they can only edit the records they owned. If they're added to an access team where the access team's template has Write privilege then they will have access to edit those records even if they are now owned by them,
Only if the record is assigned to that Owner team.
Good question, it doesn't effect the privileges for the administrator. It's only to support business functionality, such as if you want to notify the team admin when something occurs or to let users know the the point of contact for that team.

BTW: here's a good video explain security concepts in CDS/Dataverse: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/td-p/615512

Hope this helps!

View solution in original post

EricRegnier · ‎11-29-2020

Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template

Do you mean to add the template template subgrid to the form so user can add/remove users? https://docs.microsoft.com/en-us/power-platform/admin/create-team-template-add-entity-form#add-a-tea...

Should both users be able to perform operations on each other's record as long as they are part of the same team?

Yes, assuming they have the privilege to either gain by the access team membership of security roles assigned.

However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct?

If I understand your question is about deploying access teams? Teams are considered as data so unfortunately they are solution aware. You can deploy/import access team with data import such as the Config Migration Tool: https://docs.microsoft.com/en-us/power-platform/admin/manage-configuration-data. There's also the Access Team Template Mover tool from XrmToolBox: https://www.xrmtoolbox.com/plugins/DynamicsCode.AccessTeamTemplateMover/

So how would user X get access to the records of user Y if the team they are both in is User-Created?

Assume you are using Access Teams, after you added the subgrid on the form, by adding that user to the access team of that record

Hope this helps

View solution in original post

Fubar · ‎11-29-2020

Access Teams are a way to share records (in a simpler format than using the traditional record Share mechanism). You are sharing the record that the subgrid is on (and that records Child records if the relationships to the child records has cascade set), you are not giving access to other records owned by other users in the subgrid. When the share occurs the privileges of the access team are given to the user in the subgrid where that user has at least user level privileges on the same privilege corresponding privilege.

Owner teams are traditional teams and are used to facilitate access by other users based on Team membership (and record ownership) and the underlying Security Role privileges and Business Unit structure implemented.

https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/use-access-tea...

View solution in original post

EricRegnier · ‎11-26-2020

Hi @Anonymous, answers to your questions below:

If user X and Y has write user-level access only on Hour Registration table, then by default they can only edit the records they owned. If they're added to an access team where the access team's template has Write privilege then they will have access to edit those records even if they are now owned by them,
Only if the record is assigned to that Owner team.
Good question, it doesn't effect the privileges for the administrator. It's only to support business functionality, such as if you want to notify the team admin when something occurs or to let users know the the point of contact for that team.

BTW: here's a good video explain security concepts in CDS/Dataverse: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/td-p/615512

Hope this helps!

Anonymous · ‎11-26-2020

Hi @EricRegnier,

Thanks again for your reply!

Based on your comment:

1. Along the Link you sent I updated the Table/Entity settings to allow for Access teams.

2. Created an Access Team Template with the required privileges
3. Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template, should both users be able to perform operations on each other's record as long as they are part of the same team?

However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct?

4. So how would user X get access to the records of user Y if the team they are both in is User-Created?

EricRegnier · ‎11-29-2020

Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template

Do you mean to add the template template subgrid to the form so user can add/remove users? https://docs.microsoft.com/en-us/power-platform/admin/create-team-template-add-entity-form#add-a-tea...

Should both users be able to perform operations on each other's record as long as they are part of the same team?

Yes, assuming they have the privilege to either gain by the access team membership of security roles assigned.

However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct?

If I understand your question is about deploying access teams? Teams are considered as data so unfortunately they are solution aware. You can deploy/import access team with data import such as the Config Migration Tool: https://docs.microsoft.com/en-us/power-platform/admin/manage-configuration-data. There's also the Access Team Template Mover tool from XrmToolBox: https://www.xrmtoolbox.com/plugins/DynamicsCode.AccessTeamTemplateMover/

So how would user X get access to the records of user Y if the team they are both in is User-Created?

Assume you are using Access Teams, after you added the subgrid on the form, by adding that user to the access team of that record

Hope this helps

Fubar · ‎11-29-2020

Access Teams are a way to share records (in a simpler format than using the traditional record Share mechanism). You are sharing the record that the subgrid is on (and that records Child records if the relationships to the child records has cascade set), you are not giving access to other records owned by other users in the subgrid. When the share occurs the privileges of the access team are given to the user in the subgrid where that user has at least user level privileges on the same privilege corresponding privilege.

Owner teams are traditional teams and are used to facilitate access by other users based on Team membership (and record ownership) and the underlying Security Role privileges and Business Unit structure implemented.

https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/use-access-tea...