Sheikx800
Helper II

Multi Tier Business Structure - Security and Business Structure

Hi All

 

I have gone head-first into the Security and Business structures and mechanisms of the Power Apps/D365 platform and all but gone mad. It's time to ask the gods again. 🙂

 

This is my first time working with it so there has been a lot to take in and my understanding is probably not perfect, so please correct me if I look like I have taken the wrong approach. I am very close to having what I want, but I am facing some real sticking points at the bottom of the business structure and I can't see any posts with a similar use case, so I am reaching out for some pointers. This project is not in production yet so I have nothing and nobody to bother by changing things.

 

Very abbreviated background:

- Canvas App for Client access.

- Dataverse backend.

- Client access is literally a client of the business. Not internal staff. (this is where my use case seems to differ from others)

- Model-driven app (Admins only - out of scope of the question)

- multiple points of business separation (Big Bosses/Regions/Clients)

 

After a significant amount of reading and brainstorming the requirements, I came up with the concept of the following structure:

 

4-tier Business Unit set-up - each one below being a child of the one above:

   - Root

   - The Brass

   - Regional Manager

   - Client

 

The Brass and Regional Manager layers are, from all I can gather, an easy implementation in this layout. The challenge for me at this stage is the Client level.

 

For the Client Level, there would be Multiple individual clients in the single Client Business Unit. From my reading, having too many Business Units can both complicate and slow down the system. So my intention to avoid this was to have all Clients within a single Business Unit and isolate their data security and permissions via individual AAD Security Group Teams. From what I was reading, this would work, and it would allow the multiple users of each 'client' to work on the same data.

 

Implementation has not proven this to be the case though... I have set up an AAD Security Group Team and assigned it to the Client Business Unit. I have observed 2 issues so far which leave me thinking I have either totally misunderstood the material I've been reading, OR there is some kind of bug in my environment:

1. When one of the client users in the team creates something, the other member is unable to see the record.

2. Virtually anywhere that I am supposed to be able to 'assign' records to a Team, these AAD Security Group Teams are NOT visible. ONLY the Business Unit Teams. I am unable to change ownership of records to the Team. (This is as the Global Admin. So it's not a permissions issue from here... I don't think!?)

3. It appears that when a user in this team creates a record, that USER is the owner of the record. Not the Team. (Which explains point 1 really.)

 

If it adds anything to the scenario - the ONLY location I have seen these teams show up is when using the 'reassign records' function within the Classic D365 Security Admin Portal. THIS option allows me to select teams other than the Business Unit teams. But this is only useful for moving all records from a user to the team. Not specific records.

 

So I suppose my overall question is two-fold:

1. Why are these AAD Security Group Teams not showing up when I go to change ownership of records? (I think the answer to this will answer a lot of my underlying questions about implementation)

2. Am I wasting my time and making a mistake setting up my Clients in Teams rather than individual Business Units given they are for all intents and purposes 'external users' that need to have very limited access permissions? From what I can tell, getting this to work becomes real easy if I just use Business Units for each Client... But if the answer to this is yes, what happens if there ends up being thousands of clients and thus thousands of Business Units?

 

To all who made it to the bottom, thank you and I appreciate your time. Hoping someone out there can help me out. 

 

Accepted Solution
ChrisPiasecki
Most Valuable Professional

Hi @Sheikx800,

 

Before I go further, have you evaluated Power Apps Portals for allowing your external clients access into the system? It uses Account (Organization) or Contact (Individual) as its primary ways of securing data. 

 

The Azure AD group teams approach works and as you pointed out, is more flexible especially if many teams could be added or removed over time. But if you need a team per client and there are thousands of clients, managing this over time is unrealistic and you are better suited using portals and securing the data by the Account. 

 

With regards to the issues you are experiencing:

 

#1 - This is likely due to Team Members Privilege Inheritance settings and how you assigned security roles. You'd want Team level privileges so that the members only have access to records owned by the team, and whenever they create records it's auto-assigned to the Team and not their individual accounts. You want to ensure you only assign the security role to the Team and not the individual, otherwise the record gets assigned to the individual by default and other team members won't have access.

 

#2 - the default Lookup views for Teams don't show AAD teams in the list. You'll need to select the view specifically for group teams, which is annoying because of the extra clicks.

 

#3 - see #1.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.
Chris


5 REPLIES

Sheikx800
Helper II

Hi @ChrisPiasecki - Thank you for your response! Thank you for your comment on Portals. It confirms a direction I would like to go once this project hits market and develops some financial traction. Unfortunately, with the cost of Portal implementation, it's not feasible until we are more established. I did a cost analysis on the 'tipping' point for this early in the project and it is highly beneficial once we have an established client base, but it would have us hemorrhaging money in the short-term. So it will be internal users and licensing for the beginning of the journey.

 

Thank you for your comments on Member Privilege Inheritance. The possibility that I have assigned privs to both the user and the group crossed my mind while I was staring at the ceiling in bed last night. I will check that later today and hopefully it's the problem.

 

As for #2 - I can't believe I missed that... I had been into the advanced lookup window a dozen times but somehow missed the drop-down in the teams section to let you select the other teams... Thanks so much.

 

Will adjust privileges and re-assign some records later today and post back with outcome.

 

Sheikx800
Helper II
Helper II

@ChrisPiasecki I have had another good play with this and had a good read of this page as well:

Security roles and privileges - Power Platform | Microsoft Docs

Using advanced lookup and not having a 'man look' I was able to assign my records correctly to my teams. I can now observe each individual team in the same BU is seeing their own records. This is great.

 

I still seem to be missing or misunderstanding something with the Team privileges... It claims on that page that "For team members who do not have user privileges of their own, they can only create records with the team as the owner and they have access to records owned by the Team when Basic access level for Create and Read were given." If I don't give them any USER rights to create within the table they are working on, it should create within the Team, right??

 

When one of my users goes to create a new record within the canvas app, the app errors and states they need create privileges, even though they should be getting that from the Team's security role and, I would then assume, it would create the record with the Team as the owner. I can't even find a gallery field that works nicely to change the owner of a new blank record and I didn't suspect it'd be possible. I was hoping that when these users created records this way they could straight away become owned by the Team. Am I wrong in this thinking? I see a few forum posts of people asking similar questions and getting responses with ideas such as having an instant flow monitoring the table and re-assigning records as users put them in... seems very work-aroundy to me???

I realise I am bending the rules a bit here by asking follow-up questions in the same thread... but it's very closely related so I am hoping it'll help others to have the response in the same place if you happen to have a solution. 🙂

Sheikx800
Helper II
Helper II

I have opened up another post to cover this specific point @ChrisPiasecki - If you can answer the question by all means do but I figure it deserves extra points. 🙂
Creating records with Team as owner - Canvas App 

Sheikx800
Helper II
Helper II

Thought I would come back and post on my resolution to all of this in case anyone else with my struggle stumbles across this post.

 

Given time restraints and not being able to find a real solution to this issue, I changed my security structure to be dependent on Business Units rather than Teams. This is going to result in a lot of Business Units over time, but if our project gets to a point where the number of Business Units are causing problems in the Organisation (apparently around 1000 units), we will be in a very good place and be quite happy to fix it then. 🙂

 

So to summarise, I am no longer using AAD Security Group teams for segmenting/assigning record ownership. I have changed to using Business Unit Owner Teams and also User ownership to allow users to Create records (which they couldn't do when they had Teams only permissions). I have adjusted the security role to allow access to all permissions at a BUSINESS UNIT level rather than a user level as I was originally hoping. So now users can create records, and see other users' records that are within the team. 

Using multiple Business Units in a parent-child relationship was a functional approach to this issue for our use case. I still believe that AAD Security Group Teams are a lot more flexible, but I couldn't find any resources or confirm why I was unable to create records directly on behalf of the Team from my Canvas app. 
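The two ownership outcomes Chris describes in #1 (role on the users as well as the team, versus role on the team only with "Team privileges only" inheritance) and the final one-Business-Unit-per-client layout, worked through in a small Python access model. This is an added example, not code from the thread or from Dataverse itself: the rules are a deliberate simplification of Dataverse's documented default-ownership and access-depth behaviour, and the users, teams and business units are constructed for illustration.

```python
from dataclasses import dataclass, field

# A role is reduced to one access depth, applied to both Create and Read.
USER, BUSINESS_UNIT, ORGANIZATION = "User", "BusinessUnit", "Organization"

@dataclass
class User:
    name: str
    bu: str
    roles: list = field(default_factory=list)  # depths held directly

@dataclass
class Team:
    name: str
    bu: str
    members: set
    roles: list = field(default_factory=list)
    team_only: bool = True  # member privilege inheritance: "Team privileges only"

@dataclass
class Record:
    owner: object  # a User or a Team
    bu: str

def _direct_roles(user, teams):
    """Depths the user holds as their own: assigned directly, or inherited from a
    team set to 'Direct User (Basic) access level and Team privileges'."""
    roles = list(user.roles)
    for t in teams:
        if user.name in t.members and not t.team_only:
            roles.extend(t.roles)
    return roles

def create_record(user, teams):
    """Default owner: the user if they hold Create themselves, else the first
    team-only team that grants it (record created for the team), else refused."""
    if _direct_roles(user, teams):
        return Record(owner=user, bu=user.bu)
    for t in teams:
        if user.name in t.members and t.team_only and t.roles:
            return Record(owner=t, bu=t.bu)
    raise PermissionError(f"{user.name} has no Create privilege")

def _depth_allows(depth, record, principal):
    if depth == ORGANIZATION:
        return True
    if depth == BUSINESS_UNIT:
        return record.bu == principal.bu
    return record.owner is principal  # User depth: only what the principal owns

def can_read(user, record, teams):
    """Own depths first (User depth also covers records owned by the user's teams),
    then each team-only team evaluated in the team's own context."""
    my_teams = [t for t in teams if user.name in t.members]
    for depth in _direct_roles(user, teams):
        if _depth_allows(depth, record, user) or (depth == USER and record.owner in my_teams):
            return True
    return any(t.team_only and any(_depth_allows(d, record, t) for d in t.roles)
               for t in my_teams)

def run(depth, role_on_users, role_on_team, one_bu_per_client=False):
    """Constructed scenario: alice and bob are in team 'Client A', carol in 'Client B'.
    Returns who owns alice's new record and whether bob and carol can read it."""
    own = [depth] if role_on_users else []
    bu_a, bu_b = ("Client A", "Client B") if one_bu_per_client else ("Clients", "Clients")
    alice, bob = User("alice", bu_a, list(own)), User("bob", bu_a, list(own))
    carol = User("carol", bu_b, list(own))
    teams = [Team("Client A", bu_a, {"alice", "bob"}, [depth] if role_on_team else []),
             Team("Client B", bu_b, {"carol"}, [depth] if role_on_team else [])]
    rec = create_record(alice, teams)
    return rec.owner.name, can_read(bob, rec, teams), can_read(carol, rec, teams)
```

`run(USER, True, True)` reproduces the reported symptom (alice owns the record and bob cannot see it), `run(USER, False, True)` gives team ownership and team-wide visibility, and `run(BUSINESS_UNIT, True, False, True)` shows the per-client Business Unit layout isolating carol while bob still sees alice's record.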

 
