Sheikx800
Helper II

Creating records with Team as owner - Canvas App

I still seem to be missing or misunderstanding something with the Team privileges... It claims on that page that "For team members who do not have user privileges of their own, they can only create records with the team as the owner and they have access to records owned by the Team when Basic access level for Create and Read were given." If I don't give them any USER rights to create within the table they are working on, it should create within the Team, right??

 

When one of my users goes to create a new record within the canvas app, the app errors and states they need create privileges, even though they should be getting that from the Team's security role and, I would then assume, it would create the record with the Team as the owner. I can't even find a gallery field that works nicely to change the owner of a new blank record, and I didn't suspect it'd be possible. I was hoping that when these users created records this way they could straight away become owned by the Team. Am I wrong in this thinking? I see a few forum posts of people asking similar questions and getting responses with ideas such as having an instant flow monitoring the table and re-assigning records as users put them in... seems very work-aroundy to me???

 

The Security Role I have set to Teams Only, as I don't want the USERS to inherit the privs. Once that happens and they create a new record, it assigns to them instead of the team, which results in the rest of the team members not being able to see that record.

teamprivsonly.png

Users can see the records in various galleries within the app, so these privs have to be applying to the users because, if they were not, they wouldn't be able to see ANY records. To my knowledge, by checking in both the modern UI and the classic one, they have no roles assigned to them directly.

 

Can someone explain what I am missing here!? 

9 REPLIES
DeviKrishna
Super User

Hi @Sheikx800 ,

 

Please find my response inline.

 

I still seem to be missing or misunderstanding something with the Team privileges... It claims on that page that "For team members who do not have user privileges of their own, they can only create records with the team as the owner and they have access to records owned by the Team when Basic access level for Create and Read were given." If I don't give them any USER rights to create within the table they are working on, it should create within the Team, right??

Yes. Your understanding is right. Here, make sure the security roles are assigned to the team. The security role assigned to the team should have the create, read, assign and share permissions for the specific entity.

When one of my users goes to create a new record within the canvas app, the app errors and states they need create privileges, even though they should be getting that from the Team's security role and, I would then assume, it would create the record with the Team as the owner. I can't even find a gallery field that works nicely to change the owner of a new blank record, and I didn't suspect it'd be possible. I was hoping that when these users created records this way they could straight away become owned by the Team. Am I wrong in this thinking? I see a few forum posts of people asking similar questions and getting responses with ideas such as having an instant flow monitoring the table and re-assigning records as users put them in... seems very work-aroundy to me???

Please make sure the security role assigned to the team has at least read permissions for the specific entity. To create, the Team should have the security role with create, assign and share permissions.

The Security Role I have set to Teams Only, as I don't want the USERS to inherit the privs. Once that happens and they create a new record, it assigns to them instead of the team, which results in the rest of the team members not being able to see that record.

Yes. Your understanding is right. Recheck the security role assigned at team level.

 

Regards

Devi

 

Hi @DeviKrishna 

Thank you for your response. I do have all the things you have stated in place. That is why I am a little bit confused. In fact, I have User level access on all 6 permissions for the tables in question. 

 

Are there any other specific permissions that are required? I see permissions in the Business Management section for Users/Teams. Do I need to increase the permissions in this section in order for it to work correctly?

userprivs.png

I am only working with a copy of the 'Basic User' security role with additional permissions for my custom tables. I have not really made any other changes so if something is required please let me know.

 

DeviKrishna
Super User

Hi @Sheikx800 ,

 

Could you share the details below so I can help you further?

 

For which entity is the user trying to create a record?

What access does the team have on this entity? Please share a screenshot of the security role assigned to the team and also of where the user is assigned to the team.

 

Regards

Devi

Thanks @DeviKrishna ,

 

The user is trying to create a record for a custom entity

 

sdfcustomentities.png

 

This security role is applied to the AAD Security Group Team that the user is a member of. There are no security roles applied directly to the user. 

 

The user is assigned to the team through the AAD Security Group. The user shows up as a team member in the security settings just fine. The user is also evidently receiving permissions from that security role because if they were not, they wouldn't even be able to VIEW the records on the other pages in the app. So I am slightly confused as to why 'create' is not being allowed. The error its presenting is as such, I hope I am interpreting it right:

Inkedincidenterror_LI.jpg

Sheikx800
Helper II

Hi All. Given time constraints and not being able to find a real solution to this issue, I changed my security structure to be dependent on Business Units rather than Teams. This is going to result in a lot of Business Units over time, but if our project gets to a point where the number of Business Units is causing problems in the Organisation (apparently around 1000 units), we will be in a very good place and be quite happy to fix it then. 🙂

 

So to summarise, I am no longer using AAD Security Group teams for segmenting/assigning record ownership. I have changed to using Business Unit Owner Teams and also User ownership to allow users to Create records (which they couldn't do when they had Teams only permissions). I have adjusted the security role to allow access to all permissions at a BUSINESS UNIT level rather than a user level as I was originally hoping. So now users can create records, and see other users' records that are within the team. 

Using multiple Business Units in a parent-child relationship was a functional approach to this issue for our use case. I realise that Teams are a lot more flexible, but I couldn't find any resources or confirm why I was unable to create records directly on behalf of the Team from my Canvas app. 

 

I won't mark this as resolved at this point. If someone comes along that knows the answer to this and it can be verified, I will mark it as the answer.

Cheers.

Hi @Sheikx800 ,

 

I think I get the point.

Could you try once more by elevating the assign and share permission to organization level / parent-child BU level?

This is because User needs to set the owner of Incident record as 'TeamName' in your scenario, but owner is defaulting to the creator 'user'.

 

To use the privileges at 'User' level you also need the security role assigned at the individual user level.

 

Reference Link: https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/use-access-tea...

 

 

Regards

Devi
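As an added illustration (not code from this thread or from Devi), the following shows the shape of a canvas app Patch that sets the Owner of a new record to a team at creation time, which is what the suggestion above amounts to. The table display name Incidents, the column Title, the team name "TeamName" and the Teams column 'Team Name' are assumptions. Writing Owner on create is an assign operation, so the caller's effective privileges (here, those derived from the team's security role) need Assign as well as Create on the table; if either is missing, the Patch fails with a privilege error like the one described in this thread. The thread itself did not confirm that this works under a Teams-only role.

```powerfx
// Added example, not from the original post. Assumes a Dataverse table with
// display name "Incidents" (with a text column "Title") and a team whose
// 'Team Name' is "TeamName"; all of these names are assumptions.

// Resolve the owning team once (for example in a screen's OnVisible).
Set(varOwnerTeam, LookUp(Teams, 'Team Name' = "TeamName"));

// Create the record with the team as owner in a single Patch.
// Owner is a polymorphic lookup (User or Team). Setting it here requires the
// Create and Assign privileges on Incidents in the caller's effective role,
// which under a Teams-only setup come from the team's security role.
Patch(
    Incidents,
    Defaults(Incidents),
    {
        Title: "New incident raised from canvas app",
        Owner: varOwnerTeam
    }
)
```

If the Patch is wrapped in IfError, the error text surfaces the missing privilege, which is a quicker check than reading the role matrix by eye.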

 

Sheikx800
Helper II

Hi Devi,

 

Thanks for replying. 

 

I made a quick attempt to replicate this structure as you describe, but something isn't right. I think I have misconfigured something because it's working worse than my previous configuration. I will have another attempt at it over the weekend.

Sheikx800
Helper II

Hi Devi,

 

I am afraid I had no luck with this. The test users kept getting an error that they had no security role assigned in the environment. I didn't have this issue with my initial testing... This either means that I had the security roles set up incorrectly (assigned to the user) the first time around, or that I am missing something this time around. Users had Environment access group membership and AAD Security Group team membership for permissions but were still not able to access.

 

Thank you for your efforts in trying to sort out my issue, and I am sorry I can't confirm it as a solution.

 

I have to move on with this one for now, but if anyone else can confirm what Devi has suggested as working I will be happy to mark it as the solution. I have run out of time to argue with it and found a functional alternative as stated above which seems to be more 'traditional'.

Sheikx800
Helper II

Just posting back on this after more time/research and finally implementation.

 

More recently I found that Microsoft increased the number of supported Business Units in a tenant up to tens of thousands, with even more child Business Units below them. This removed my concern around hitting caps or limitations in this area, and I thus went ahead and implemented traditional Business Unit hierarchy user permissions. @DeviKrishna - I never got to test your final suggestion on this thread, but thank you for your efforts and I have marked it as solved regardless. Someone else may gain something from this for a smaller user group business case.
