mrstian89
Helper III

Security group as a member of another security group

I have tried the following, and it does not work. Hopefully someone can explain why! 🙂

 

I have two security roles:

  • Read access
  • Edit data access

All accesses are set to "User level", which I have read also means "Team".

I have two AAD security groups:

  • Read access
  • Edit data access

Each security group is set up as a Team; the Read team has read access, and the Edit data team has edit access.

 

The entire AAD group "Edit data" has been added as a member in the Read group.

 

I have a flow which sets the record owner to the "Read team".
In my mind this would mean that the "Edit data" group would be able to edit the data in PowerApps.

 

This does not work! Not unless I change the security level from user to "business unit" in the security role.


What am I missing or not understanding here?

Update:

The read permission definitely works as it should, because I am able to see all the records that are owned by "Read access". But I am not able to write to them unless write is set to business unit.

ACCEPTED SOLUTION
dpoggemann
Super User

Hi @mrstian89 ,

 

I would suggest looking at the Teams in Dataverse and seeing the roles and users assigned. Overall I don't know if the multiple layers of Group assignments carry down to Dataverse; I don't think they do. You can define a security group (SC A) and add users, and these will be added to the team (SC A) in Dataverse. If you have another Security Group (SC B) that you add as a member of the first Group, this will not map the users to (SC A) in Dataverse, as far as I know. These will map to Team (SC B) in Dataverse.

 

Things I would check:

1.  Look at owner of record, assuming it is Team

2.  Look at members of the Team in Dataverse after you did the SC-A and SC-B combine by adding the Group to the other Group. I think you will see that the users will not all be combined in Team SC-A.

 

Hope this helps.  Please accept if answers your question or Like if helps in any way.

 

Thanks,

Drew



I actually got a partly working scenario now, I think.

 

A user who is part of the Maintainer role through a team gets read access to the right user/team records, but only gets write access to the same records if the write permission is set to business unit. Weird, but it works for now.

 

I am using the following code to give access to the edit button for items:

 

// Show the edit button when the signed-in user holds Maintainer or Admin. This only
// sees roles assigned directly to the user (systemuserroles), not roles held via a Team.
// 'Full Name' is not unique in a tenant; matching 'Primary Email' = User().Email is safer.
With(
    {userRoles: Concat(LookUp([@Users], 'Full Name' = User().FullName).'Security Roles (systemuserroles_association)', Role & ";")},
    LookUp([@'Security Roles'], Name = "Maintainer", Role) in userRoles
    || LookUp([@'Security Roles'], Name = "Admin", Role) in userRoles
)

 

This works if a user is directly assigned to the security role, but if they get the role through a Team, this does not work, as it is not set under "Manage permission" for specific users.

 

Is there any way to re-write this code to work when the user is not directly assigned? Would it have to be whether he is a member of the XXX team instead?
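The Python model below is an added example; it is not code from this thread, from Dataverse, or from Microsoft. It puts the two points of the thread side by side: the accepted answer's suspicion that members of a nested AAD group do not land in the outer group's Dataverse team, and the OP's two findings, namely that "User" depth only reaches records owned by the user or by a team the user belongs to while "Business Unit" depth reaches every record in the business unit, and that a check which reads only the user's direct role assignments misses roles inherited through a team (so `effective_roles` walks the teams too). The user names, group names, the `root` business unit and the `expand_nested` switch are constructed assumptions; the switch shows both outcomes, since the thread does not settle which one Dataverse implements.

```python
from dataclasses import dataclass, field

USER = "User"                    # records the user owns, or one of their teams owns
BUSINESS_UNIT = "BusinessUnit"   # every record in the user's business unit

@dataclass
class Role:
    name: str
    privileges: dict            # privilege name -> depth, e.g. {"Read": USER}

@dataclass
class Team:
    name: str
    business_unit: str
    members: set                # user names, as synced from the AAD group
    roles: list

@dataclass
class User:
    name: str
    business_unit: str
    roles: list = field(default_factory=list)   # roles assigned directly

@dataclass
class Record:
    owner: str                  # a user name or a team name
    business_unit: str

# Constructed AAD groups (assumption, not the OP's tenant): the whole
# "Edit data access" group is a member of "Read access", as in the post.
AAD_GROUPS = {
    "Read access": {"alice", "Edit data access"},
    "Edit data access": {"bob"},
}

def group_members(group, expand_nested):
    """Users that end up in the Dataverse team for an AAD group.
    expand_nested=False drops nested groups (what the accepted answer
    suspects happens); True flattens them (what the OP expected)."""
    users = set()
    for member in AAD_GROUPS[group]:
        if member in AAD_GROUPS:
            if expand_nested:
                users |= group_members(member, expand_nested)
        else:
            users.add(member)
    return users

def teams_of(user, teams):
    return [t for t in teams if user.name in t.members]

def effective_roles(user, teams):
    """Direct roles plus roles inherited from every team the user is in.
    A check that reads only the user's own role assignments misses the
    second part, which is why a systemuserroles-only formula fails for team members."""
    return list(user.roles) + [r for t in teams_of(user, teams) for r in t.roles]

def depth_for(user, teams, privilege):
    depths = {r.privileges.get(privilege) for r in effective_roles(user, teams)}
    if BUSINESS_UNIT in depths:
        return BUSINESS_UNIT
    if USER in depths:
        return USER
    return None

def can(user, record, privilege, teams):
    """Owner-based check at User depth, BU-wide check at BusinessUnit depth."""
    depth = depth_for(user, teams, privilege)
    if depth is None:
        return False
    owned = record.owner == user.name or record.owner in {t.name for t in teams_of(user, teams)}
    if depth == USER:
        return owned
    return owned or record.business_unit == user.business_unit

def scenario(expand_nested, write_depth=USER):
    """Rebuild the thread's setup and report what bob (Edit data) and alice (Read) can do."""
    read_role = Role("Read access", {"Read": USER})
    edit_role = Role("Edit data access", {"Read": USER, "Write": write_depth})
    teams = [
        Team("Read access", "root", group_members("Read access", expand_nested), [read_role]),
        Team("Edit data access", "root", group_members("Edit data access", expand_nested), [edit_role]),
    ]
    alice, bob = User("alice", "root"), User("bob", "root")
    owned_by_read_team = Record(owner="Read access", business_unit="root")   # set by the OP's flow
    owned_by_alice = Record(owner="alice", business_unit="root")             # never shared with a team
    return {
        "read_team_members": group_members("Read access", expand_nested),
        "bob_roles": [r.name for r in effective_roles(bob, teams)],
        "bob_read": can(bob, owned_by_read_team, "Read", teams),
        "bob_write": can(bob, owned_by_read_team, "Write", teams),
        "bob_write_alice_record": can(bob, owned_by_alice, "Write", teams),
        "alice_read": can(alice, owned_by_read_team, "Read", teams),
    }

if __name__ == "__main__":
    for expand in (False, True):
        print(f"nested group flattened={expand}: {scenario(expand)}")
    print(f"Write raised to Business Unit: {scenario(False, BUSINESS_UNIT)}")
```

With nesting not flattened, bob is only in the Edit data team, so at User depth he can neither read nor write the record the flow assigned to the Read team; with nesting flattened he can do both. The workaround from the thread, raising Write to Business Unit, does make bob's write succeed, but it also lets him write alice's own record that was never shared with any team, which is the over-grant to weigh before keeping that setting.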
