absoluteBeginer
Helper III

Help with row level security model

I am looking for the best way to implement security/data access on my Dataverse table. My scenario is as follows.

 

Table: Run (Columns: Job No, Run No, Name, Raw data, Last Correction)

RTOC user type:
    read     Job No, Run No, Name, Raw data, Last Correction
    write    Job No, Run No, Name, Last Correction
    *for certain records*

MWD user type:
    read     Job No, Run No, Name, Raw data, Last Correction
    write    Raw data
    *for certain records*

Field user type:
    read     Job No, Run No, Name, Raw data, Last Correction

 

RTOC users can only access certain data from the table. More than 1 RTOC user can access the same record, but they need to be in the same group.  RTOC user creates record - assigns access (according to user type) to that record to certain MWD and Field users. At the same time other RTOC users that are in the same group as this RTOC user have the same level of access as that user.  A MWD or Field user can only access 1 Run record at a time. When the job is finished, the access is removed from the user.

 

[Attached image: absoluteBeginer_1-1672862753928.png]

 

 

RTOC1 and RTOC2 can only access records 1, 2 and 3.

MWD1 can only access record 1

Field 1 can only access record 1

MWD2 can only access record 3

RTOC3 can only access record 4.

MWD3 can only access record 4

 

So I need to dynamically assign different access to certain records to different users.

 

I was wondering whether you could model this scenario just using business units - or if there is a better way.

 

Thanks

1 ACCEPTED SOLUTION

EricRegnier
Most Valuable Professional

Hi @absoluteBeginer, yes, with Access Team Templates they are automatically created, but they are created when the first user is added to the team and unfortunately this is only supported with model-driven apps and wouldn't work in your scenario (i.e. canvas apps).
With a user-created access team like in my previous example, all users within that team will have access to all records you grant it access to, unless you create separate teams and share the Run record with that team. This can be automated with Power Automate, where you can auto-create the access teams and share when the Run is created. Effectively, re-produce the logic of Access Team Templates...
Hope this clarifies. I can appreciate that security modelling is an advanced topic and there are lots of capabilities to solve different needs. Try to keep it simple at first, I would say.

17 REPLIES

EricRegnier
Most Valuable Professional

Hi @absoluteBeginer,
If I understand your security requirements, there are several security concepts/capabilities you'll need to leverage to satisfy the requirements. Here are my quick answers and links for further info:

Hope this helps!

dpoggemann
Most Valuable Professional

Hi @absoluteBeginer 

 

Overall you have a pretty complicated security model here.  @EricRegnier did a great job articulating many of the key areas you will need to dig into here.  I would suggest keeping all in the same business unit as mentioned in Eric's "Another option..." or I think you will run into challenges.

 

Access Teams will give you the ability to assign users with specific access team templates to each row in the Run table.  Note you can utilize Workflow and Power Automate to automate the assignment of users to the Access Teams if you have business rules on who gets assigned based on the groups etc.

 

The field security profiles will give you the ability to control field level security but it is not "record per record" but overall for the table.  This means the user will not have the ability to write to the Raw Data field on some records and not others, just wanted to make you aware of this.

 

With all this said...  I would really determine whether the security environment you are putting in place here is really required. You might look at enabling auditing of records and reducing the need for the security controls.   Just my 2 cents, as many times I am involved in complex projects like this around security and then everything changes because it is too hard to manage and the business needs change 😁.  

Hope this helps. Please accept if answers your question or Like if helps in any way.
Thanks,
Drew
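Added example (not code from the thread, and not Microsoft's): a small Python model of the two layers Drew and Eric describe, row-level access from ownership and from shares to users or access teams, and column-level access from field security profiles, loaded with the access matrix from the question. It shows why the combination works for this scenario even though profiles are table-wide: MWD users hold update rights on Raw data for the whole table, but only rows shared to them are reachable at all. It also shows the limit Drew points out: once a row is shared to an MWD user with write access, that user can update Raw data on it, and there is no per-row way to withhold the column. The resolution rules are a deliberate simplification (no business units, security-role depth or cascading), and the team, profile and owner assignments are assumptions.

```python
"""Constructed model (added here, not from the thread) of how a Dataverse user's
rights on one row and one column resolve. Row-level rights come from owning the
row or from a share, direct or via an access team the user belongs to; column-level
rights come from the field security profiles the user holds and apply to every row
of the table. Names are taken from the question; the rules are a simplification
(no business units, security-role depth or cascading)."""
from dataclasses import dataclass, field

READ, WRITE = "ReadAccess", "WriteAccess"
COLUMNS = ["Job No", "Run No", "Name", "Raw data", "Last Correction"]


@dataclass
class Environment:
    owners: dict = field(default_factory=dict)    # record -> owning user (full rights)
    teams: dict = field(default_factory=dict)     # access team -> set of member users
    shares: dict = field(default_factory=dict)    # (record, principal) -> set of rights
    secured: set = field(default_factory=set)     # columns enabled for field security
    profiles: dict = field(default_factory=dict)  # profile -> {column: set of rights}
    members: dict = field(default_factory=dict)   # user -> set of profiles held

    def share(self, record, principal, *rights):
        self.shares.setdefault((record, principal), set()).update(rights)

    def revoke(self, record, principal):
        self.shares.pop((record, principal), None)

    def record_rights(self, user, record):
        """Owner gets everything; otherwise the union of shares reaching the user directly or via a team."""
        if self.owners.get(record) == user:
            return {READ, WRITE}
        principals = {user} | {t for t, m in self.teams.items() if user in m}
        return set().union(*(self.shares.get((record, p), set()) for p in principals))

    def column_rights(self, user, column):
        """Field security is table-wide: the answer does not depend on the record."""
        if column not in self.secured:
            return {READ, WRITE}
        return set().union(*(self.profiles[p].get(column, set())
                             for p in self.members.get(user, ())))

    def can(self, user, right, record, column):
        return right in self.record_rights(user, record) and right in self.column_rights(user, column)


def build_scenario():
    """The matrix from the question: RTOC1/RTOC2 on runs 1-3, MWD1 and Field1 on run 1,
    MWD2 on run 3, RTOC3 and MWD3 on run 4. Owners and team names are assumed."""
    env = Environment()
    env.secured.update(COLUMNS)
    env.profiles["RTOC"] = {c: {READ} if c == "Raw data" else {READ, WRITE} for c in COLUMNS}
    env.profiles["MWD"] = {c: {READ, WRITE} if c == "Raw data" else {READ} for c in COLUMNS}
    env.profiles["Field"] = {c: {READ} for c in COLUMNS}
    for user, profile in [("RTOC1", "RTOC"), ("RTOC2", "RTOC"), ("RTOC3", "RTOC"),
                          ("MWD1", "MWD"), ("MWD2", "MWD"), ("MWD3", "MWD"), ("Field1", "Field")]:
        env.members[user] = {profile}
    env.teams["RTOC-group-A"] = {"RTOC1", "RTOC2"}
    env.teams["RTOC-group-B"] = {"RTOC3"}
    env.owners.update({1: "RTOC1", 2: "RTOC1", 3: "RTOC2", 4: "RTOC3"})
    for run in (1, 2, 3):
        env.share(run, "RTOC-group-A", READ, WRITE)   # the group shares the creator's access
    env.share(4, "RTOC-group-B", READ, WRITE)
    env.share(1, "MWD1", READ, WRITE)
    env.share(1, "Field1", READ)
    env.share(3, "MWD2", READ, WRITE)
    env.share(4, "MWD3", READ, WRITE)
    return env


def access_matrix(env, users, records, column):
    """'rw', 'r' or '-' for each (user, record) on one column."""
    out = {}
    for u in users:
        for r in records:
            rw = (env.can(u, READ, r, column), env.can(u, WRITE, r, column))
            out[(u, r)] = "rw" if rw == (True, True) else "r" if rw[0] else "-"
    return out


if __name__ == "__main__":
    env = build_scenario()
    users = ["RTOC1", "RTOC2", "RTOC3", "MWD1", "MWD2", "MWD3", "Field1"]
    for column in ("Name", "Raw data"):
        print(column)
        m = access_matrix(env, users, [1, 2, 3, 4], column)
        for u in users:
            print(f"  {u:7} " + " ".join(f"{m[(u, r)]:>2}" for r in (1, 2, 3, 4)))
```

Run it and the printed matrices are the ones from the question. The interesting cases are the ones the model makes explicit: RTOC1 can read but not write Raw data on their own record (profile, not share), MWD1 cannot see record 3 at all (no share), and revoking MWD1's share on record 1 when the job closes leaves the RTOC group's access untouched.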
absoluteBeginer
Helper III

Thank you for your replies. Can access teams be created on the fly?

 

For example, a job is created and an access team created just for that job? Then users assigned to that access team. When the job is done, the access team can be deleted (though the RTOC users should still be able to access the job data).

 

@dpoggemann you also mentioned auditing of records to reduce the need for security controls. Can you expand on that? Anything to make things simpler is always a good idea.

 

I have also toyed with the idea of using filtering to restrict data access within my apps - but then of course users could (but why would they) go directly to the Dataverse table and be able to look at/change data that they perhaps shouldn't. An extra consideration is that while RTOC and MWD users are all within the organisation, Field users could be either within it or not.

dpoggemann
Most Valuable Professional

Hi @absoluteBeginer ,


Access Team Templates are created in advance and identify the security permissions for the template tied to a specific table, and then you can assign these templates to the records on the fly, therefore creating the access team for the specific record.  So the access team would be specific to a job.   Think of this as a list of users that are assigned the access team template for a specific Job, a little different from static Owner Teams or teams you would think of otherwise.

 

You could remove the members from the Access Team when the job is done through Power Automate, yes.  https://www.mibar.net/blog/how-to-add-users-to-an-access-team-with-power-automate/#:~:text=To%20use%...

 

Here is a quick video on auditing and how to setup:  https://youtu.be/OX5rpRA1ofQ 

 

 

Hope this helps. Please accept if answers your question or Like if helps in any way.
Thanks,
Drew
absoluteBeginer
Helper III

Could I do something like this.

 

Have 1 business unit in which all users belong to.

 

When an RTOC user creates a run, they do the following

 

1. Create an access team for the run

2. Assign users to that access team

3. These users are given specific security roles which determine what they can do with the record (Field users just read, MWD read + write for specific field, RTOC read and write access)

4. Run is created and ownership is set to the access team just created

5. When run is closed ownership of the run passes to another team (archive team) and the team created in 1 is deleted

 

so users will only get access to certain records and what they can do with that record is determined by the security role they have been given.

 

All of the above is driven/done through a canvas app and power automate.

dpoggemann
Most Valuable Professional

Hi @absoluteBeginer ,

#3 is actually covered by assigning them to the appropriate Access Team Template

#5 this is where it is not exactly a "team" but a list of users that are assigned to the Access Team Template.  You could remove these when the record's ownership changes or status or whatever trigger is applicable.

 

Hope this helps. Please accept if answers your question or Like if helps in any way.
Thanks,
Drew
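Added example (not code from the thread): the sequence of Dataverse Web API calls a flow would send to reproduce what an Access Team Template does for a model-driven form, so that it also works for Runs created from a canvas app, as Eric's accepted solution suggests, and it covers Drew's point that sharing and membership can be revoked when the job ends. It follows the five-step design above with one change: access teams cannot own rows, so the Run stays owned by the RTOC user who created it and is shared to the per-run teams instead, with a different access mask per user type. Assumptions: a custom table with logical name new_run (entity set new_runs, primary key new_runid), the org URL, the business unit and user GUIDs, and the RecordingTransport stand-in used to run it offline; the endpoints (teams, AddMembersTeam, GrantAccess, RevokeAccess), the teamtype value and the AccessRights names are the real Web API surface.

```python
"""Added example: provision and revoke per-Run access through the Dataverse Web API,
the way an Access Team Template would, from a script or a flow. Table name, org URL
and GUIDs are assumptions; the actions and option values are real Dataverse ones."""
import json
from urllib import request

API = "/api/data/v9.2/"
ACCESS_TEAM = 1                        # teamtype option value: 0 = owner team, 1 = access team
TABLE, KEY = "new_run", "new_runid"    # assumed custom table / primary key

# Row-level rights per user type. Which columns each type may update (MWD only Raw data,
# RTOC everything but Raw data) is a table-wide field security profile, not part of the share.
MASKS = {
    "RTOC": "ReadAccess,WriteAccess,AppendAccess,AppendToAccess,ShareAccess",
    "MWD": "ReadAccess,WriteAccess",
    "Field": "ReadAccess",
}


def http_transport(token):
    """Real transport: callable(method, url, body) -> dict, authenticating with a bearer token."""
    def send(method, url, body):
        headers = {"Authorization": f"Bearer {token}", "Accept": "application/json",
                   "OData-Version": "4.0", "Content-Type": "application/json",
                   "Prefer": "return=representation"}   # makes POST teams return the new teamid
        data = json.dumps(body).encode() if body is not None else None
        with request.urlopen(request.Request(url, data=data, method=method, headers=headers)) as r:
            raw = r.read()
            return json.loads(raw) if raw else {}
    return send


class RunAccess:
    def __init__(self, org_url, send):
        self.base = org_url.rstrip("/") + API
        self.send = send

    @staticmethod
    def _principal(kind, pid):            # kind is "team" or "systemuser"
        return {"@odata.type": f"Microsoft.Dynamics.CRM.{kind}", f"{kind}id": pid}

    def _target(self, run_id):
        return {"@odata.type": f"Microsoft.Dynamics.CRM.{TABLE}", KEY: run_id}

    def create_access_team(self, name, business_unit_id):
        body = {"name": name, "teamtype": ACCESS_TEAM,
                "businessunitid@odata.bind": f"/businessunits({business_unit_id})"}
        return self.send("POST", self.base + "teams", body)["teamid"]

    def add_members(self, team_id, user_ids):
        body = {"Members": [self._principal("systemuser", u) for u in user_ids]}
        self.send("POST", f"{self.base}teams({team_id})/Microsoft.Dynamics.CRM.AddMembersTeam", body)

    def grant(self, run_id, kind, pid, mask):
        body = {"Target": self._target(run_id),
                "PrincipalAccess": {"Principal": self._principal(kind, pid), "AccessMask": mask}}
        self.send("POST", self.base + "GrantAccess", body)

    def revoke(self, run_id, kind, pid):
        body = {"Target": self._target(run_id), "Revokee": self._principal(kind, pid)}
        self.send("POST", self.base + "RevokeAccess", body)

    def provision_run(self, run_id, bu_id, rtoc_team_id, assignees):
        """assignees: {user_id: 'MWD' | 'Field'}. Access teams cannot own rows, so the Run
        keeps its creator as owner; the pre-existing RTOC group team and one new access team
        per user type are shared to it. Returns the per-run team ids for close_run."""
        self.grant(run_id, "team", rtoc_team_id, MASKS["RTOC"])
        teams = {}
        for kind in ("MWD", "Field"):
            users = [u for u, k in assignees.items() if k == kind]
            if not users:
                continue
            tid = self.create_access_team(f"run-{run_id}-{kind}", bu_id)
            self.add_members(tid, users)
            self.grant(run_id, "team", tid, MASKS[kind])
            teams[kind] = tid
        return teams

    def close_run(self, run_id, run_teams):
        """Job finished: unshare and delete the per-run teams; the RTOC share is left intact."""
        for tid in run_teams.values():
            self.revoke(run_id, "team", tid)
            self.send("DELETE", f"{self.base}teams({tid})", None)


class RecordingTransport:
    """Offline stand-in for http_transport: records every call, hands back made-up team ids."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if method == "POST" and url.endswith("/teams"):
            return {"teamid": f"team-{len(self.calls)}"}
        return {}


if __name__ == "__main__":
    rec = RecordingTransport()
    api = RunAccess("https://org.crm.dynamics.com", rec)
    teams = api.provision_run("run-1", "bu-1", "rtoc-group-a", {"mwd1": "MWD", "field1": "Field"})
    api.close_run("run-1", teams)
    for method, url, body in rec.calls:
        print(method, url.split(API)[1], json.dumps(body))
```

Swap RecordingTransport for http_transport(token) to run it against an environment. The flow that does the same thing in Power Automate issues the same calls through the Dataverse connector's "Perform an unbound action" (GrantAccess, RevokeAccess) and "Add a new row" (teams) steps; whatever triggers it, the account running the flow needs Share and Assign privileges on the Run table.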
absoluteBeginer
Helper III

Hi,

 

Would I be creating a system managed access team? I have created a access template and followed the steps in

 

Create a team template and add to an entity form - Power Platform | Microsoft Learn

 

The only thing I'm not sure of is how I can specify users to add to the team in my canvas app when I'm creating the record in my edit form.

 

Thanks

EricRegnier
Most Valuable Professional

Hi @absoluteBeginer, that would depend on your logic for MWD and Field users. If it's ad hoc, then the user owning or managing the record will need to manually add the MWD or Field users. If there's some kind of pattern or logic, for example based on the user's job title, then this is something that you can automate in your flow. Cheers

absoluteBeginer
Helper III

The person creating the run will need to select a number of users (maybe different for different runs). It does not necessarily depend on any characteristic of the user (e.g. job title). So will the creator need to select users and add them to what exactly? I'm a little confused.

 

Thanks
