deni
Frequent Visitor

Dataverse environment - BU, security roles issue and Ad security groups

Dear all, 

it seems I can't find the right configuration and I'm hitting my head against the wall :S.

I have an environment protected by a container AD group. In this container group I have 3 AD security groups with different members.

I created a custom Dataverse table and 2 security roles (copied from the basic one):

-> 1. a child security role that gives permissions only on BU level, and

-> 2. a parent role, with parent-child BU level permissions for this table.

I created 3 BUs: 1 parent (europe) and 2 children (spain, italy).

I created 3 teams (type AD security) in these 3 BUs and assigned the corresponding custom roles to them.

Finally I created a canvas app with a form and gallery for this custom table and shared the canvas app directly with the nested security groups, assigning again the correct security role.

As a result (unfortunately) all the users are seeing all the records. When I check the users' BU, they are all assigned to the environment's main business unit (so it's normal to see the records). If I reassign the BU manually user by user -> the security roles work as expected.

I saw that there is no automated way to assign an AD security group to a BU. My question is -> what am I doing wrong? Is there a way to put all my users from an AD security group directly in the right BU so I can protect the records?

 

All the answers will be very appreciated!

 

 

Accepted Solutions
dpoggemann
Super User

Hi @deni ,

 

There is nothing out of the box that will automatically set the business unit of the user based on assignment to a team or a security group. It looks possible to utilize Power Automate to accomplish what you are trying to do here systematically.

I know the following is not accomplishing exactly what you were wanting to do, but it has many of the Power Automate actions you would want to do (although utilizing an older connector).

https://ryanmaclean365.com/2020/06/03/change-a-users-business-unit-and-retain-their-security-roles-u...

You could run a regular scheduled flow that would search for any users that belong to the specific teams you are synchronizing for the countries, and if the users that are on the team do not belong to the same business unit as the team, update the business unit and then remember you have to reset the roles (and in my past experience you need to make sure the manager is set appropriately as well, as this can be cleared if the manager is not in the same hierarchy of business units).

Hope this helps. Please accept if this answers your question or Like if it helps in any way.
Thanks,
Drew
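
The comparison step of the scheduled flow described in this answer, as an added Python sketch that is not part of the original post and not Power Automate code. The team, user and role names are constructed sample data, and `plan_bu_sync` is a hypothetical helper that only computes a dry-run plan: which users to move, which roles to re-apply afterwards, and which users need a manual decision because their teams sit in different BUs.

```python
# Constructed sample data; names are illustrative, not from the thread's environment.
TEAMS = {  # AD-group team -> business unit the team lives in
    "team-europe": "europe",
    "team-spain": "spain",
    "team-italy": "italy",
}
USERS = {  # user -> current BU, direct roles, manager, synced team memberships
    "ana":  {"bu": "root",  "roles": ["child"],  "manager": "eva", "teams": ["team-spain"]},
    "luca": {"bu": "italy", "roles": ["child"],  "manager": "eva", "teams": ["team-italy"]},
    "eva":  {"bu": "root",  "roles": ["parent"], "manager": None,  "teams": ["team-europe"]},
    "tom":  {"bu": "root",  "roles": ["child"],  "manager": "eva",
             "teams": ["team-spain", "team-italy"]},
    "kim":  {"bu": "root",  "roles": [],         "manager": None,  "teams": []},
}


def plan_bu_sync(users, teams):
    """Dry run: return (moves, conflicts); nothing is modified."""
    moves, conflicts = [], {}
    for name in sorted(users):
        user = users[name]
        target_bus = {teams[t] for t in user["teams"] if t in teams}
        if not target_bus:
            continue  # not in any synchronized team: leave the user alone
        if len(target_bus) > 1:
            # Teams in different BUs: a user has exactly one BU, so a person decides.
            conflicts[name] = sorted(target_bus)
            continue
        (target,) = target_bus
        if target != user["bu"]:
            moves.append({
                "user": name, "from": user["bu"], "to": target,
                # Per the answer above: roles must be reset after the BU change,
                # and the manager should be checked because it can be cleared.
                "reapply_roles": list(user["roles"]),
                "verify_manager": user["manager"],
            })
    return moves, conflicts


if __name__ == "__main__":
    planned, ambiguous = plan_bu_sync(USERS, TEAMS)
    for move in planned:
        print(move)
    print("needs review:", ambiguous)
```

Reviewing the plan before applying it keeps a mis-synced group from silently moving users into a BU where they would see records they should not.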

Mira_Ghaly
Dual Super User II

@deni 

You can try what is described here:

https://community.dynamics.com/365/f/dynamics-365-general-forum/396225/how-to-dynamically-update-use...

1. You can create a new Team and set the team to a specific AD group as below 


 

2. Assign Business unit and security roles

 

 

https://docs.microsoft.com/en-us/power-platform/admin/manage-teams

 

 


 

If this post helps you with your problem, please mark it as Accepted solution. If you like my response, please give it a Thumbs Up.
deni
Frequent Visitor

Hi @Mira_Ghaly, thank you for taking the time to answer me, but your answer contains the steps I followed and described in my question.

What is clear: Create an AD security team inside the child BU and assign a security role to the team -> ok

Not clear: I see that when a member of this security team accesses the environment, his BU is the main environment BU and not his team's BU. Therefore he sees all the records of everybody. So in order to finish my config I have to move him manually to the right child BU.

Is there a way for my team member, when he accesses the environment, to be moved automatically to the right business unit, as he is a member of a team in a child BU?

cchannon
Super User

It may seem a bit odd, but you can kinda scope permissions of users to a BU they aren't in by granting them team membership in a team that is in that BU with their role inherited through the team. So:

 

IF User X is in BU A and is also a member of a Team Y in BU B, and

IF Team Y has the "child" role you mentioned (BU privs),

THEN user X can see records in BU B.
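
The rule in this reply, written out as an added Python model that is not part of the original post. It is a simplified sketch covering only the two read depths mentioned in the thread (BU and parent-child); the BU tree, team names and the helpers `is_same_or_below` and `can_read` are constructed for illustration, and `record_bu` stands for the business unit that owns the record.

```python
# Constructed BU tree and role depths matching the names used in this thread.
BU_PARENT = {"root": None, "europe": "root", "spain": "europe", "italy": "europe"}
ROLE_DEPTH = {"child": "bu", "parent": "parent-child"}  # read depth per role
TEAMS = {"team-spain": ("spain", "child"), "team-europe": ("europe", "parent")}


def is_same_or_below(bu, top):
    """True if `bu` is `top` or one of its descendants in BU_PARENT."""
    while bu is not None:
        if bu == top:
            return True
        bu = BU_PARENT[bu]
    return False


def can_read(user, record_bu):
    """Simplified check: each role is evaluated from the BU where it is held."""
    # Direct roles are anchored at the user's own BU, team roles at the team's BU.
    grants = [(user["bu"], r) for r in user["roles"]]
    grants += [TEAMS[t] for t in user["teams"]]
    for anchor_bu, role in grants:
        depth = ROLE_DEPTH[role]
        if depth == "bu" and record_bu == anchor_bu:
            return True
        if depth == "parent-child" and is_same_or_below(record_bu, anchor_bu):
            return True
    return False


# User X sits in the root BU with no direct role, only team membership.
user_x = {"bu": "root", "roles": [], "teams": ["team-spain"]}
manager = {"bu": "root", "roles": [], "teams": ["team-europe"]}
# A user holding the "child" role directly while still in the root BU.
direct = {"bu": "root", "roles": ["child"], "teams": []}

if __name__ == "__main__":
    for bu in BU_PARENT:
        print(bu, can_read(user_x, bu), can_read(manager, bu), can_read(direct, bu))
```

In this model `user_x` reads only spain records and `manager` reads europe, spain and italy, while `direct` shows that the same "child" role held directly is scoped to the user's own BU.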

deni
Frequent Visitor

Hi @dpoggemann, thank you for confirming the process for me. I wanted to avoid the "manual" work of assigning the BU. I will try with Power Automate 🙂
