So I have read the documentation on access / owner teams but a few practical things for my use case remain unclear.
Scenario: I have an hour registration app. Dataverse has been set-up as a back-end for our apps (we do not use other Dataverse related products other than 365). CRUD operations are triggered from the powerapp to Dataverse. User that creates the record owns the record. However, some users should be able to create/update for one another. Also, managers should be able to update/delete the records with regards to their approval responsibilities.
In another screen I have an interface set-up for some users to control the Team Table (create access teams/owner teams, assign users to the teams etc.).
1. Say I have an Access team with User X and Y in the same team. The users have owner based security roles (CRUD on own records only) on the Hour Registration Table. The Hour Registration Table is Team or User owned. Would user X be able to edit records of user Y? If not how would user Y provide access to user X through the access team Table mechanism?
2. Say the same scenario as above would occur but the users would be in an Owner team, this would give both users Owner privileges on all their records, right?
3. What are the privileges of team administrators? In my case would they automatically be privileged to perform operations on the teams' records?
Would be really appreciated to get some guidance on these security/collaboration topics
Thanks
Hi @Anonymous, answers to your questions below:
BTW: here's a good video explaining security concepts in CDS/Dataverse: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/td-p/615512
Hope this helps!
Hi @EricRegnier,
Thanks again for your reply!
Based on your comment:
1. Along the Link you sent I updated the Table/Entity settings to allow for Access teams.
2. Created an Access Team Template with the required privileges
3. Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template, should both users be able to perform operations on each other's record as long as they are part of the same team?
However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct?
4. So how would user X get access to the records of user Y if the team they are both in is User-Created?
> Now if in the Team Table/Entity I would set the teamtemplateid Lookup field to the created Access Team Template

Do you mean to add the template subgrid to the form so user can add/remove users? https://docs.microsoft.com/en-us/power-platform/admin/create-team-template-add-entity-form#add-a-tea...

> Should both users be able to perform operations on each other's record as long as they are part of the same team?

Yes, assuming they have the privilege to either gain by the access team membership or security roles assigned.

> However: Since I create and manage the teams from the Powerapp directly in the Team entity, I believe I am creating user-created access teams. I believe this fits the requirement I have of flexible teams and the temporary nature of access to each other's records. I think the team template mechanism is applicable for auto-created access teams, correct?

If I understand, your question is about deploying access teams? Teams are considered as data so unfortunately they are solution aware. You can deploy/import access teams with data import such as the Config Migration Tool: https://docs.microsoft.com/en-us/power-platform/admin/manage-configuration-data. There's also the Access Team Template Mover tool from XrmToolBox: https://www.xrmtoolbox.com/plugins/DynamicsCode.AccessTeamTemplateMover/

> So how would user X get access to the records of user Y if the team they are both in is User-Created?

Assuming you are using Access Teams, after you have added the subgrid on the form, by adding that user to the access team of that record.

Hope this helps
Access Teams are a way to share records (in a simpler format than using the traditional record Share mechanism). You are sharing the record that the subgrid is on (and that record's child records if the relationship to the child records has cascade set); you are not giving access to other records owned by other users in the subgrid. When the share occurs, the privileges of the access team are given to the user in the subgrid where that user has at least user-level privileges on the same corresponding privilege.
Owner teams are traditional teams and are used to facilitate access by other users based on Team membership (and record ownership) and the underlying Security Role privileges and Business Unit structure implemented.
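A simplified model of the access-team behaviour described in the replies above, as an added example that is not part of the original thread and is not Dataverse code. The user names, record ids and right names are constructed, and only record ownership and per-record access-team sharing are modelled (no business units, owner teams or cascading to child records).

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # Rights for which the user's security role grants at least user-level depth
    role_rights: set


@dataclass
class Record:
    record_id: str
    owner: str
    # Members added through this record's access-team subgrid
    access_team: set = field(default_factory=set)


def effective_rights(user, record, template_rights):
    """Rights `user` holds on `record` in this simplified model."""
    if record.owner == user.name:
        # Owner-based security role applies directly to the user's own records
        return set(user.role_rights)
    if user.name in record.access_team:
        # Template rights take effect only where the user's role also has them
        return set(template_rights) & user.role_rights
    # Neither owner nor member of this record's access team: no access
    return set()


def demo():
    """Constructed scenario: Y owns two hour registrations, X and Z are
    added to the access team of the first one only."""
    template = {"read", "write"}  # rights configured on the team template
    x = User("X", {"create", "read", "write", "delete"})
    z = User("Z", {"read"})  # role grants read only
    rec1 = Record("hours-001", owner="Y", access_team={"X", "Z"})
    rec2 = Record("hours-002", owner="Y")  # X was never added here
    return {
        "x_rec1": effective_rights(x, rec1, template),
        "x_rec2": effective_rights(x, rec2, template),
        "z_rec1": effective_rights(z, rec1, template),
    }


if __name__ == "__main__":
    for case, rights in demo().items():
        print(case, sorted(rights))
```

In this model X can read and write only the one record shared with them, gets nothing on Y's other record, and Z's share is capped at read by Z's own role.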