raj7474

Dataverse Security Business Unit, Team & Ownership

If a user is part of BU1Team and BU2Team and creates a record, will that data be accessible by exclusive members of both BU1Team and BU2Team? Basically, which business unit would be the owner of the record created by the user?

 

thanks


ChrisPiasecki
Super User

Hi @raj7474,

 

Any user or team can only belong to one business unit. It would be the business unit that the record owner (user or team) belongs to that the record would also belong to.

 

Here are a few different possible scenarios. This assumes that the relevant security roles on a specific table are set to "user level access" only.

  • Record owned by BU1Team. Members of BU1Team will have access. BU2Team will have no access.
  • Record owned by a user that belongs to BU1Team.
    • If Team member privilege inheritance is enabled, then members of the BU1Team will have access. BU2Team will have no access.
    • If Team member privilege inheritance is NOT enabled, then only the owning user will have access.

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

 

Hi @ChrisPiasecki,

 

Thank you for your reply, much appreciated. Just a follow-on question:

I presume that, though a user or team can only belong to one business unit, one user can be a member of 2 different teams which are in turn part of different business units. In this specific example below, BU1User is part of both BU1Team as well as BU2Team. In this scenario, if BU1User creates a record in an entity (user or team owned), Q:

1. Which business unit will have ownership of the record?

2. Will the BU2Team members have access to the record?

3. What is the impact on the ownership of the record if the user is moved to a different business unit or completely deactivated?

Please correct me if my assumption is incorrect.

[Image: raj7474_1-1621666332230.png]

Regards,

Raj

Hi @raj7474,

 

Yes, a user can be part of multiple Teams that are in different business units.

  1. BU1 owns the record.
  2. BU2Team members will not have access.
  3. If a user moves business units, the records the user directly owns come with them and are now owned by the new business unit (e.g. BU2), but records owned by a team will not be impacted. If the user is deactivated, then that means they no longer belong to a business unit and team. Users that have a security role with only user/team level access will lose access to the deactivated user's records. If they have business unit or organization level access, then they should still have access, as the owning business unit still remains the same. Having records owned by a Team instead of a user is recommended wherever possible to lessen the impact of a disabled user.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.
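
A small Python model of the ownership rules stated in the answer above, added here as an illustration (it is not code from the thread or from Microsoft). The names `Principal`, `Record`, `can_read`, `BU2Member`, `BU1Manager` and `BU2Manager` are hypothetical, and the model assumes each user holds one directly assigned read access level; team-assigned roles, privilege inheritance and sharing are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    """A user or an owner team; each belongs to exactly one business unit."""
    name: str
    bu: str
    is_team: bool = False
    members: set = field(default_factory=set)  # member user names (teams only)

@dataclass
class Record:
    owner: Principal

    @property
    def owning_bu(self):
        # The record's business unit is always that of its owner.
        return self.owner.bu

def can_read(user, level, record):
    """level is 'user', 'business_unit' or 'organization' (assumed labels)."""
    if level == "organization":
        return True
    if level == "business_unit" and record.owning_bu == user.bu:
        return True
    if record.owner.is_team:  # team-owned: members of the owning team
        return user.name in record.owner.members
    return record.owner is user  # user-owned: the owner only

def scenario():
    """Constructed data mirroring the thread: BU1User sits in both teams."""
    bu1user = Principal("BU1User", "BU1")
    readers = [(Principal("BU2Member", "BU2"), "user"),
               (Principal("BU1Manager", "BU1"), "business_unit"),
               (Principal("BU2Manager", "BU2"), "business_unit")]
    bu1team = Principal("BU1Team", "BU1", True, {"BU1User"})
    bu2team = Principal("BU2Team", "BU2", True, {"BU1User", "BU2Member"})
    user_rec, team_rec = Record(bu1user), Record(bu1team)

    def snapshot():
        state = {u.name: can_read(u, lvl, user_rec) for u, lvl in readers}
        state["user_rec_bu"] = user_rec.owning_bu
        state["team_rec_bu"] = team_rec.owning_bu
        return state

    before = snapshot()
    bu1user.bu = "BU2"  # the user is moved to another business unit
    return before, snapshot(), can_read(bu1user, "user", Record(bu2team))

if __name__ == "__main__":
    print(scenario())
```

Sharing a team with the record's creator gives `BU2Member` nothing on a user-owned record, while the move to BU2 shifts business-unit-level visibility of that record from `BU1Manager` to `BU2Manager` and leaves the team-owned record in BU1.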

 


dpoggemann
Super User

Hi @raj7474,

 

For #2, in my experience it depends on the roles assigned to the Team. If you have a "Deep" or "Local" (https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges) role assigned to the Team in BU2, then the team members in BU2 will have access to the records based on this security for the Create, Read, Update, Delete, etc. even if owned by the user in BU1.

 

Hope this helps.  Please accept if answers your question or Like if helps in some way.

 

Thanks,


Drew 

Hope this helps. Please accept if answers your question or Like if helps in any way.
