Hi all,
I am trying to replace our current security set up and use Azure AD groups to provide access to a Model Driven App and data in Dataverse. I am seeing some very strange behaviour and need your help.
The current set up is as follows:
Root BU with two sub business units
Security roles which give access to the data at BU unit level
Users are in one of the sub BUs and assigned a security role directly
This allows us to manage the access to the tables through the security role and access to the data through the BU.
What we would like to do is use Azure AD groups to assign the security role so that we don't need to assign a role to each person individually. This is the current test model:
Root BU with two sub business units
Azure AD group(s) which are in the root BU and each have a role attached. The role has Direct User/Basic access level and Team privileges
User is in a sub BU and has no individual role attached to them
This is the strange behaviour I am seeing:
When user access is given to a table, the user sees only records that they own - correct
When organisation level is given the user sees all records - correct
However, when BU level is given, the user doesn't see anything! (Why would they lose access to their own records when a higher access level has been given?!)
When the security role with BU level access is assigned directly to the user, we see the desired effect: the user has access to the table, but only the records for their BU.
Can anyone shed any light on what is going on? It would be hugely appreciated!
Solved! Go to Solution.
OK I think I figured it out. I'm going to post my findings rather than just deleting the thread.
When the user has basic level given, the role acts like the user directly so they are able to see any records that belong to them directly.
When the user is given a higher level, the role looks at the team rather than the user. In this case, the team and user were in different divisions so when the division level access was given, the user only saw records that were owned by their team or anyone in the same division as the team.
A bit of further information:
When we assign records directly to the Azure AD Group Team, the users in the team are able to see them.
OK I think I figured it out. I'm going to post my findings rather than just deleting the thread.
When the user has basic level given, the role acts like the user directly so they are able to see any records that belong to them directly.
When the user is given a higher level, the role looks at the team rather than the user. In this case, the team and user were in different divisions so when the division level access was given, the user only saw records that were owned by their team or anyone in the same division as the team.
Hi @HFG ,
Thanks for your sharing.
Glad to see you solved the problem.
You might consider marking your answer as a 'solution' so that it will be useful for others.
Best Regards,
Charlie Choi
A Security Role assigned to a Team: the Privileges inherited are relative to the BU for that Team
A Security Role assigned to a User : the Privileges are relative to the BU for that User
Traditionally a User/Basic level privilege inherited from a Team is not the same as a User/Basic assigned directly against the User - but there is now an inheritance variation, based on the setting on the Security Role itself "Member's privilege inheritance" dropdown.
(and then there's hierarchy and position based models)
User | Count |
---|---|
19 | |
9 | |
8 | |
5 | |
5 |
User | Count |
---|---|
32 | |
29 | |
18 | |
18 | |
6 |