dave8
Post Prodigy

How would "Business Unit" scope work for a CDS record?

Hello,

 

My objective is: when a user named “User1” creates a record in "Users Entity" via "Users App", write and delete permission on that record should be assigned to User1’s team members.

 

Please find more information about "Users Entity" as follows:

  • "Users Entity" has Ownership set to “User or Team”; therefore, the current user will be the default owner of the record.
  • User1, User2 and User3 are in the default Organization Team.
  • "Users App" is shared with User1, User2 and User3 with “Users Security Role”, which has “Business Unit” scope for “Write and Delete” operations.

Question:

  • If User1 creates record “Test Record 1” in "Users Entity", then the Ownership value will be “User1” by default and User1 can update/delete “Test Record 1”. However, because of the “Business Unit” scope, the same record can be updated by User1’s team, which is currently the default Organization Team, meaning User2 and User3 can update “Test Record 1”. Does it mean that all users with whom the app is shared would be able to update the record?
  • How can I make "User 1/2/3" only update the record with whom the app is shared in the current scenario? Should I create a new "Group Team" of "User 1/2/3" and remove them from "User 1/2/3"?

Thank you in advance!

 

Regards,

v-bofeng-msft
Community Support

Hi @dave8 :

Q1: Does it mean that all users would be able to update the record with whom the app is shared?

If all other users are assigned security role permissions that include read and write permissions on the specified entity at "Business Unit" level and they are in the same business unit as User1, then they have read and write permissions to the records created by User1.

Q2: Should I create a new "Group Team" of "User 1/2/3" and remove them from "User 1/2/3"?

There are two options:

Option 1: Reduce the rights of other users

Give other users other security roles and limit their authority level on the specified entity to "User".

Option 2: Create a new "Business unit" and put User1\User2\User3 in this newly created "Business unit".

Best Regards,

Bof

Thank you so much @v-bofeng-msft for your help!

 

Option 2: Create a new "Business unit" and put User1\User2\User3 in this newly created "Business unit".

For this option: does it mean I should remove User1\User2\User3 from the Org Team?

 

Thanks and Regards,

 

 

Hi @dave8 :

What I mean may not be very accurate.

I mean create some business units under the current organization and then put User1/2/3 in the same business unit.

I think these links will help you a lot:

https://docs.microsoft.com/en-us/power-platform/admin/create-edit-business-units

https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges#security-roles

Best Regards,

Bof


Hi @v-bofeng-msft 

 

Thank you for the links; however, it's all about teams/business units and security roles. It doesn't say what will be considered the "Business Unit" if the owner is associated with more than 1 business unit in the same environment/organization, while the org team cannot be deleted from the user.

Therefore, my question still remains the same:

Option 2: Create a new "Business unit" and put User1\User2\User3 in this newly created "Business unit".

For this option: does it mean I should remove User1\User2\User3 from the Org Team?

Meaning, how will a CDS record consider the current user's business unit if the user is associated with "Custom BU" for "Users App" in addition to the "Org BU"? Will that record consider the owner's BU to be "Custom BU" or "Org BU"?

Can you please help me understand here?

Thanks,

Users cannot be associated with multiple business units. Every user has one business unit.

Teams also have a primary business unit. The record is considered to be in the business unit of the owner of the record, either user or team.

Business units and teams are different things, but they are related. Each business unit has a team that is automatically populated with people in the related business unit. Teams are in business units but can have members who are in different business units.

 

I made a video that explains all of this and should answer your questions. https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/t...
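
An added example, not part of any reply in this thread: a simplified Python model of the rule described above (every user has one business unit, and a record belongs to its owner's business unit), run against the question's scenario and the two options suggested earlier. It ignores team ownership, record sharing and the parent/child access level; `User4` is a hypothetical extra user holding the same role.

```python
from dataclasses import dataclass
from enum import Enum

class Depth(Enum):                      # access level of the Write privilege
    NONE = "None"
    USER = "User"                       # only records the user owns
    BUSINESS_UNIT = "Business Unit"     # records owned inside the user's own BU
    ORGANIZATION = "Organization"       # every record in the environment

@dataclass(frozen=True)
class User:
    name: str
    business_unit: str                  # exactly one business unit per user
    write_depth: Depth

def can_write(user: User, owner: User) -> bool:
    """Write check on a record owned by `owner`; the record's BU is the owner's BU."""
    if user.write_depth is Depth.ORGANIZATION:
        return True
    if user.write_depth is Depth.BUSINESS_UNIT:
        return user.business_unit == owner.business_unit
    if user.write_depth is Depth.USER:
        return user.name == owner.name
    return False

def writers(users, owner_name):
    """Names of all users who can update a record owned by `owner_name`."""
    owner = next(u for u in users if u.name == owner_name)
    return sorted(u.name for u in users if can_write(u, owner))

def build(layout):
    return [User(name, bu, depth) for name, (bu, depth) in layout.items()]

BU = Depth.BUSINESS_UNIT
# Constructed scenarios. "Org BU" is the root business unit, "Users BU" a child.
AS_ASKED = build({"User1": ("Org BU", BU), "User2": ("Org BU", BU),
                  "User3": ("Org BU", BU), "User4": ("Org BU", BU)})
OPTION_1 = build({"User1": ("Org BU", BU), "User2": ("Org BU", BU),
                  "User3": ("Org BU", BU), "User4": ("Org BU", Depth.USER)})
OPTION_2 = build({"User1": ("Users BU", BU), "User2": ("Users BU", BU),
                  "User3": ("Users BU", BU), "User4": ("Org BU", BU)})

if __name__ == "__main__":
    for label, users in (("as asked", AS_ASKED), ("option 1", OPTION_1),
                         ("option 2", OPTION_2)):
        print(f"{label}: writers of User1's record = {writers(users, 'User1')}")
```
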

Thank you @jlindstrom for your attention!

 

Regarding "Users cannot be associated with multiple business unit. Every user has one business unit." - By default all users are connected with "Org BU", which cannot be deleted. Does it mean a user can have only one BU, which is the "Org BU"?

Furthermore, I have created an "AAD Group Team" called "Users Group Team", which is associated with "Users BU". Therefore, whenever a record is created in "Users Entity", what will be the current user/owner's BU: "Org BU" or "Users BU"? Basically, how can I identify the current user's parent BU?

 

Thanks and Regards

That last part has been a bit unusual--I've noticed that the users in the AAD team are not by default given the BU of the AAD team but rather the BU of the administrator of the team. I haven't tested it enough to know the real answer to that.

You can move users to different business units on their user record.

My recommendation (which I state in the video) is never add users to the root business unit--I've seen too many times where people do that and then have a security requirement that requires those users to be segmented from visibility to some records, and moving a bunch of users' business unit is no fun.

Was just gonna point them to your video @jlindstrom which BTW will be my future response to any security model related questions 😉

Thanks--yes I answered that question multiple times
