AmirBakht
Helper IV

Record level sharing

Hi,

 

I have entities that do not make sense to be shared with just roles and teams. For example, tasks assigned would require a dynamic set of users to have the record shared with, doesn't fall under a role or team. I am using Power Automate to share individual records with the related users. 

 

My question is, what is the pound of flesh I will have to pay for this? SharePoint for example had limitations on item level broken permissions. What are the limitations here? 

 

Thanks in advance.

3 ACCEPTED SOLUTIONS

There's no specific limit, but you can get some performance degradation if a lot of records are shared. For each record that is shared with a principal (user or team), a record is created in the PrincipalObjectAccess table. This is referenced whenever data is queried, to check what records a user can access.

I used to have a rule of thumb that having under 1 million records in the PrincipalObjectAccess table shouldn't cause any significant issues, but once you get into the millions, then you may see slower performance, especially for more complex queries (based on the number of entities they reference). This table will also count towards your space utilisation, and that can mount up if you share many records to multiple principals.

ben-thompson
Solution Sage

There is no actual limit but there may be an issue were sufficient records shared to overload the PrincipalObjectAccess table but the cross over point is usually somewhere in the high millions.

One thing to note is that if the PrincipalObjectAccess is large it will slow the entire system down as all queries (retrieve, retrievemultiple) hit that table potentially multiple times in the same query...

---
If this post has answered your question please consider it for "Accept as Solution" or if it has been helpful give it a "Thumbs Up".

Thanks @ben-thompson and @DavidJennaway, didn't realize it was actually concerning out-of-the-box sharing.

@AmirBakht, when you share, try to unshare when it's no longer required to keep the POA (PrincipalObjectAccess) table to a minimum, because not only sharing affects that table, but parental relationships and access teams, etc. Here's an old tip, but still very valid, about sharing: https://crmtipoftheday.com/969/the-problem-with-sharing/

Cheers!

7 REPLIES
EricRegnier
Super User

Hi @AmirBakht,

CDS security model is not binary, meaning privileges are not just access to all records or no access. You can set privilege at user level and users will be only able to access records "owned" by them and will not even know (even via API, Power Automate, etc.) that other records exist. Not sure what your exact requirements are, but probably you can achieve your security requirements without the need of Power Automate to share records. Here's a nice video that provides an overview of CDS security model; even though it might not directly answer your question, it will help to understand and possibly model your security: https://powerusers.microsoft.com/t5/Webinars-and-Video-Gallery/Security-in-Common-Data-Service-CDS/t...

Cheers

AmirBakht
Helper IV

Thanks @DavidJennaway and @ben-thompson 

This is exactly what I was looking for. Documentations say performance degradation but don't mention a cross over point or a limit.

Thank you gentlemen.

AmirBakht
Helper IV

@EricRegnier thank you. This was very helpful, though I was looking for something else. I'm not looking to share my records at grouped levels but customized sharing based on process scenario. For example one entry will need 5 people read access to it and another will have 7 while the next record will have a mix of the two. No predefined grouping that I can achieve through teams or owners, but based on participants within processes that may be dynamic from case to case basis. I'm achieving this by sharing through Power Automate and was wondering of the consequences. 

What @ben-thompson and @DavidJennaway replied is what I was after.

Very good read and advice @EricRegnier Thank you. I'll add it to housekeeping automations. Much appreciated. 
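
A sketch of the share housekeeping discussed in this thread, as an added example that is not from any of the posters: it works out which record-level shares are no longer needed and builds the request bodies for the Dataverse Web API `RevokeAccess` action. The task list, the `open`, `shared_with` and `participants` fields and the ids are constructed placeholders, and the record type is assumed to be the standard task table.

```python
import json

# Constructed sample data (not from the thread): the shares currently granted
# per task, the people who still take part in the process, and the task state.
TASKS = [
    {"id": "11111111-0000-0000-0000-000000000001", "open": True,
     "shared_with": {"u-ann", "u-bob", "u-cy"}, "participants": {"u-ann", "u-bob"}},
    {"id": "11111111-0000-0000-0000-000000000002", "open": False,
     "shared_with": {"u-ann", "u-dee"}, "participants": {"u-ann", "u-dee"}},
    {"id": "11111111-0000-0000-0000-000000000003", "open": True,
     "shared_with": {"u-bob"}, "participants": {"u-bob"}},
]

def stale_shares(tasks):
    """Return sorted (task_id, user_id) pairs whose share is no longer needed."""
    stale = []
    for task in tasks:
        # A closed task needs no shares; an open one only for current participants.
        needed = task["participants"] if task["open"] else set()
        stale += [(task["id"], user) for user in task["shared_with"] - needed]
    return sorted(stale)

def revoke_request(task_id, user_id):
    """Body for a POST to the Web API RevokeAccess action (Target + Revokee)."""
    return {
        "Target": {"@odata.type": "Microsoft.Dynamics.CRM.task",
                   "activityid": task_id},
        "Revokee": {"@odata.type": "Microsoft.Dynamics.CRM.systemuser",
                    "systemuserid": user_id},  # placeholder id, a GUID in practice
    }

def plan(tasks):
    """Revoke bodies to send, plus how many shares remain afterwards."""
    stale = stale_shares(tasks)
    remaining = sum(len(t["shared_with"]) for t in tasks) - len(stale)
    return [revoke_request(t, u) for t, u in stale], remaining

if __name__ == "__main__":
    bodies, remaining = plan(TASKS)
    for body in bodies:
        print(json.dumps(body))
    print("shares left after cleanup:", remaining)
```

Each revoked share removes access the user no longer needs and, per the answers above, one row that would otherwise stay in the PrincipalObjectAccess table.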
