cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
HFG
Helper V
Helper V

Issue (bug?) with inherited team privileges Azure AD Group Dataverse

‎04-04-2022 08:33 AM

Hi all, 

 

I am trying to replace our current security set up and use Azure AD groups to provide access to a Model Driven App and data in Dataverse. I am seeing some very strange behaviour and need your help.

 

The current set up is as follows:

 

Root BU with two sub business units 

Security roles which give access to the data at BU unit level

Users are in one of the sub BUs and assigned a security role directly

 

This allows us to manage the access to the tables through the security role and access to the data through the BU. 

 

What we would like to do is use Azure AD groups to assign the security role so that we don't need to assign a role to each person individually. This is the current test model:

 

Root BU with two sub business units

Azure AD group(s) which are in the root BU and each have a role attached. The role has Direct User/Basic access level and Team privileges

User is in a sub BU and has no individual role attached to them

 

This is the strange behaviour I am seeing:

When user access is given to a table, the user sees only records that they own - correct
When organisation level is given the user sees all records - correct
However, when BU level is given, the user doesn't see anything! (Why would they lose access to their own records when a higher access level has been given?!)

When the security role with BU level access is assigned directly to the user, we see the desired effect: the user has access to the table, but only the records for their BU.

 

Can anyone shed any light on what is going on? It would be hugely appreciated!

 

 

 

Labels:
Message 1 of 5
192 Views
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
HFG
Helper V
Helper V

‎04-05-2022 02:53 AM

OK I think I figured it out. I'm going to post my findings rather than just deleting the thread. 

When the user has basic level given, the role acts like the user directly so they are able to see any records that belong to them directly. 

When the user is given a higher level, the role looks at the team rather than the user. In this case, the team and user were in different divisions so when the division level access was given, the user only saw records that were owned by their team or anyone in the same division as the team. 

 

View solution in original post

Message 3 of 5
129 Views
0 Kudos
4 REPLIES 4
HFG
Helper V
Helper V

‎04-05-2022 01:42 AM

A bit of further information: 

When we assign records directly to the Azure AD Group Team, the users in the team are able to see them. 

Message 2 of 5
135 Views
0 Kudos
HFG
Helper V
Helper V

‎04-05-2022 02:53 AM

OK I think I figured it out. I'm going to post my findings rather than just deleting the thread. 

When the user has basic level given, the role acts like the user directly so they are able to see any records that belong to them directly. 

When the user is given a higher level, the role looks at the team rather than the user. In this case, the team and user were in different divisions so when the division level access was given, the user only saw records that were owned by their team or anyone in the same division as the team. 

 

Message 3 of 5
130 Views
0 Kudos
v-yujincui-msft
Community Support
Community Support

‎04-05-2022 10:36 PM

Hi @HFG ,

 

Thanks for your sharing.

 

Glad to see you solved the problem.
You might consider marking your answer as a 'solution' so that it will be useful for others.

 

Best Regards,
Charlie Choi

Message 4 of 5
124 Views
Fubar
Solution Sage
Solution Sage
In response to HFG

‎04-05-2022 10:57 PM

A Security Role assigned to a Team: the Privileges inherited are relative to the BU for that Team

A Security Role assigned to a User : the Privileges are relative to the BU for that User

 

Traditionally a User/Basic level privilege inherited from a Team is not the same as a User/Basic assigned directly against the User - but there is now an inheritance variation, based on the setting on the Security Role itself "Member's privilege inheritance" dropdown. 

https://docs.microsoft.com/en-gb/power-platform/admin/security-roles-privileges#team-members-privile...

 

(and then there's hierarchy and position based models)

Message 5 of 5
120 Views

Helpful resources

Announcements
Power Apps News & Annoucements carousel

Power Apps News & Announcements

Keep up to date with current events and community announcements in the Power Apps community.

Community Call Conversations

Introducing the Community Calls Conversations

A great place where you can stay up to date with community calls and interact with the speakers.

Power Apps Community Blog Carousel

Power Apps Community Blog

Check out the latest Community Blog from the community!

View All
Users online (4,069)