Sheikx800
Helper II

Multi Tier Business Structure - Security and Business Structure

Hi All

 

I have gone head-first into the Security and Business structures and mechanisms of the Power Apps/D365 platform and all but gone mad. It's time to ask the gods again. 🙂

 

This is my first time working with it so there has been a lot to take in and my understanding is probably not perfect so please correct me if I look like I have taken the wrong approach. I am very close to having what I want, but I am facing some real sticking points at the bottom of the business structure and I can't see any posts with a similar use case so I am reaching out for some pointers. This project is not in production yet so I have nothing and nobody to bother by changing things.

 

Very abbreviated background:

- Canvas App for Client access.

- Dataverse backend.

- Client access is literally a client of the business. Not internal staff. (this is where my use case seems to differ from others)

- Model-driven app (Admins only - out of scope of the question)

- multiple points of business separation (Big Bosses/Regions/Clients)

 

After a significant amount of reading and brainstorming the requirements, I came up with the concept of the following structure:

 

4-tier Business Unit set-up - each one below being a child:

   - Root

   - The Brass

   - Regional Manager

   - Client

 

The Brass and Regional Manager layers are, from all I can gather, an easy implementation in this layout. The challenge for me at this stage is the Client level.

 

For the Client Level, there would be Multiple individual clients in the single Client Business Unit. From my reading, having too many Business Units can both complicate and slow down the system. So my intention to avoid this was to have all Clients within a single Business Unit and isolate their data security and permissions via individual AAD Security Group Teams. From what I was reading, this would work, and it would allow the multiple users of each 'client' to work on the same data.

 

Implementation has not proven this to be the case though... I have set up an AAD Security Group Team and assigned it to the Client Business Unit. I have observed 2 issues so far which leave me thinking I have either totally misunderstood the material I've been reading, OR there is some kind of bug in my environment:

1. When one of the client users in the team creates something, the other member is unable to see the record.

2. Virtually anywhere that I am supposed to be able to 'assign' records to a Team, these AAD Security Group Teams are NOT visible. ONLY the Business Unit Teams. I am unable to change ownership of records to the Team. (This is as the Global Admin. So it's not a permissions issue from here... I don't think!?)

3. It appears that when a user in this team creates a record, that USER is the owner of the record. Not the Team. (Which explains point 1 really.)

 

If it adds anything to the scenario - The ONLY location I have seen these teams show up is when using the 'reassign records' function within the Classic D365 Security Admin Portal. THIS option allows me to select teams other than the Business Unit teams. But this is only useful for moving all records from a user to the team. Not specific records.

 

So I suppose my overall question is two-fold:

1. Why are these AAD Security Group Teams not showing up when I go to change ownership of records? (I think the answer to this will answer a lot of my underlying questions about implementation)

2. Am I wasting my time and making a mistake setting up my Clients in Teams rather than individual Business Units given they are for all intents and purposes 'external users' that need to have very limited access permissions? From what I can tell, getting this to work becomes real easy if I just use Business Units for each Client... But if the answer to this is yes, what happens if there ends up being thousands of clients and thus thousands of Business Units?

 

To all who made it to the bottom, thank you and I appreciate your time. Hoping someone out there can help me out. 

 

1 ACCEPTED SOLUTION

ChrisPiasecki
Dual Super User

Hi @Sheikx800,

 

Before I go further, have you evaluated Power Apps Portals for allowing your external clients access into the system? It uses Account (Organization) or Contact (Individual) as its primary ways of securing data. 

 

The Azure AD group teams approach works and as you pointed out, is more flexible especially if many teams could be added or removed over time. But if you need a team per client and there are thousands of clients, managing this over time is unrealistic and you are better suited using portals and securing the data by the Account. 

 

With regards to the issues you are experiencing:

 

#1 - This is likely due to Team Members Privilege Inheritance settings and how you assigned security roles. You'd want Team level privileges so that the members only have access to records owned by the team, and whenever they create records it's auto-assigned to the Team and not their individual accounts. You want to ensure you only assign the security role to the Team and not the individual, otherwise the record gets assigned to the individual by default and other team members won't have access.

 

#2 - the default Lookup views for Teams don't show AAD teams in the list. You'll need to select the view specifically for group teams, which is annoying because of the extra clicks.

 

#3 - see #1.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Hi @ChrisPiasecki - Thank you for your response! Thank you for your comment on Portals. It confirms a direction I would like to go once this project hits market and develops some financial traction. Unfortunately, with the cost of Portal implementation, it's not feasible until we are more established. I did a cost analysis on the 'tipping' point for this early in the project and it is highly beneficial once we have an established client base, but it would have us hemorrhaging money in the short-term. So it will be internal users and licensing for the beginning of the journey.

 

Thank you for your comments on Member Privilege Inheritance. The possibility that I have assigned privs to both the user and the group crossed my mind while I was staring at the ceiling in bed last night. I will check that later today and hopefully it's the problem.

 

As for #2 - I can't believe I missed that... I had been into the advanced lookup window a dozen times but somehow missed the drop-down in the teams section to let you select the other teams... Thanks so much.

 

Will adjust privileges and re-assign some records later today and post back with outcome.

 

Sheikx800
Helper II

@ChrisPiasecki I have had another good play with this and had a good read of this page as well:

Security roles and privileges - Power Platform | Microsoft Docs

Using advanced lookup and not having a 'man look' I was able to assign my records correctly to my teams. I can now observe each individual team in the same BU is seeing their own records. This is great.

 

I still seem to be missing or misunderstanding something with the Team privileges... It claims on that page that "For team members who do not have user privileges of their own, they can only create records with the team as the owner and they have access to records owned by the Team when Basic access level for Create and Read were given." If I don't give them any USER rights to create within the table they are working on, it should create within the Team, right??

 

When one of my users goes to create a new record within the canvas app, the app errors and states they need create privileges, even though they should be getting that from the Team's security role and, I would then assume, it would create the record with the Team as the owner. I can't even find a gallery field that works nicely to change the owner of a new blank record and I didn't suspect it'd be possible. I was hoping that when these users created records this way they could straight away become owned by the Team. Am I wrong in this thinking? I see a few forum posts of people asking similar questions and getting responses with ideas such as having an instant flow monitoring the table and re-assigning records as users put them in... seems very work-aroundy to me???

I realise I am bending the rules a bit here by asking follow-up questions in the same thread.. but it's very closely related so I am hoping it'll help others to have the response in the same place if you happen to have a solution. 🙂

Sheikx800
Helper II

I have opened up another post to cover this specific point @ChrisPiasecki - If you can answer the question by all means do but I figure it deserves extra points. 🙂
Creating records with Team as owner - Canvas App 

Sheikx800
Helper II

Thought I would come back and post on my resolution to all of this in case anyone else with my struggle stumbles across this post.

 

Given time restraints and not being able to find a real solution to this issue, I changed my security structure to be dependent on Business Units rather than Teams. This is going to result in a lot of Business Units over time, but if our project gets to a point where the number of Business Units are causing problems in the Organisation (apparently around 1000 units), we will be in a very good place and be quite happy to fix it then. 🙂

 

So to summarise, I am no longer using AAD Security Group teams for segmenting/assigning record ownership. I have changed to using Business Unit Owner Teams and also User ownership to allow users to Create records (which they couldn't do when they had Teams only permissions). I have adjusted the security role to allow access to all permissions at a BUSINESS UNIT level rather than a user level as I was originally hoping. So now users can create records, and see other users' records that are within the team. 

Using multiple Business Units in a parent-child relationship was a functional approach to this issue for our use case. I still believe that AAD Security Group Teams are a lot more flexible, but I couldn't find any resources or confirm why I was unable to create records directly on behalf of the Team from my Canvas app. 
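The three ownership set-ups discussed in this thread (role on both the user and the AAD group team, role on the team only, and one Business Unit per client with BU-level privileges) can be compared side by side with a small access-control model. The following is an added example, written for this thread and not code from Microsoft or from the original poster. It is a simplified model: the four depth names mirror the Dataverse access levels (User / Business Unit / Parent: Child Business Units / Organization), but the evaluation logic, the team and user names, and the `contact` table are assumptions for illustration, and sharing, field security and the canvas-app create error the thread left unresolved are not modelled.

```python
from dataclasses import dataclass, field

# Access depths, named after the four Dataverse access levels (assumption: the
# check below is a simplification of how Dataverse evaluates them).
USER, BU, PARENT_CHILD, ORG = "User", "BusinessUnit", "ParentChild", "Organization"


@dataclass
class BusinessUnit:
    name: str
    parent: "BusinessUnit | None" = None

    def is_within(self, other: "BusinessUnit") -> bool:
        """True if this BU is `other` itself or one of its descendants."""
        node = self
        while node is not None:
            if node is other:
                return True
            node = node.parent
        return False


@dataclass(eq=False)
class Principal:
    """A user or a team: anything a security role can be assigned to."""
    name: str
    bu: BusinessUnit
    privileges: dict = field(default_factory=dict)  # table -> {"Create": depth, "Read": depth}


@dataclass(eq=False)
class User(Principal):
    teams: list = field(default_factory=list)


@dataclass(eq=False)
class Record:
    table: str
    owner: Principal


def _depth_allows(principal, depth, record, user):
    """Does a privilege at `depth`, held by `principal`, reach `record`?"""
    if depth == ORG:
        return True
    if depth == PARENT_CHILD:
        return record.owner.bu.is_within(principal.bu)
    if depth == BU:
        return record.owner.bu is principal.bu
    if depth == USER:
        # Basic: the principal's own records; a user also reaches records
        # owned by a team they belong to (the Docs statement quoted above).
        return record.owner is principal or (principal is user and record.owner in user.teams)
    return False


def can(user, action, record):
    """Effective check: the user's own role first, then roles inherited from teams."""
    for principal in [user, *user.teams]:
        depth = principal.privileges.get(record.table, {}).get(action)
        if depth and _depth_allows(principal, depth, record, user):
            return True
    return False


def create(user, table):
    """The owner of a new record depends on where the Create privilege came from."""
    if user.privileges.get(table, {}).get("Create"):
        return Record(table, owner=user)        # direct privilege -> user-owned
    for team in user.teams:
        if team.privileges.get(table, {}).get("Create"):
            return Record(table, owner=team)    # team-only privilege -> team-owned
    raise PermissionError(f"{user.name} has no Create privilege on {table}")


def build_hierarchy():
    root = BusinessUnit("Root")
    brass = BusinessUnit("The Brass", root)
    region = BusinessUnit("Regional Manager", brass)
    return root, brass, region


def scenario_role_on_user_and_team():
    """Original symptom: role on the users *and* the team -> records end up user-owned."""
    _, _, region = build_hierarchy()
    client_bu = BusinessUnit("Client", region)
    role = {"contact": {"Create": USER, "Read": USER}}
    team = Principal("ClientA (AAD group team)", client_bu, dict(role))
    alice = User("alice", client_bu, dict(role), [team])
    bob = User("bob", client_bu, dict(role), [team])
    rec = create(alice, "contact")
    return rec.owner.name, can(bob, "Read", rec)   # ('alice', False)


def scenario_role_on_team_only():
    """Accepted answer: role on the team only -> team-owned, visible to all members."""
    _, _, region = build_hierarchy()
    client_bu = BusinessUnit("Client", region)
    team = Principal("ClientA (AAD group team)", client_bu,
                     {"contact": {"Create": USER, "Read": USER}})
    alice = User("alice", client_bu, {}, [team])
    bob = User("bob", client_bu, {}, [team])
    rec = create(alice, "contact")
    return rec.owner.name, can(bob, "Read", rec)   # ('ClientA (AAD group team)', True)


def scenario_bu_per_client():
    """Final resolution: one BU per client, BU-level privileges on the users."""
    _, brass, region = build_hierarchy()
    client_a, client_b = BusinessUnit("Client A", region), BusinessUnit("Client B", region)
    bu_role = {"contact": {"Create": BU, "Read": BU}}
    alice, bob = User("alice", client_a, dict(bu_role)), User("bob", client_a, dict(bu_role))
    carol = User("carol", client_b, dict(bu_role))
    manager = User("manager", region, {"contact": {"Read": PARENT_CHILD}})
    boss = User("boss", brass, {"contact": {"Read": ORG}})
    rec = create(alice, "contact")
    return {"owner": rec.owner.name,
            "bob_same_bu": can(bob, "Read", rec),
            "carol_other_client": can(carol, "Read", rec),
            "regional_manager": can(manager, "Read", rec),
            "brass": can(boss, "Read", rec)}
```

The first scenario reproduces issues #1 and #3 from the opening post: because the users hold a direct Create privilege, the record is owned by the creating user and a team-mate with only User-depth Read cannot see it. The second scenario removes the direct role, so Create can only come from the team and the record is team-owned. The third mirrors the Business-Unit-per-client layout: BU depth keeps a client's users within their own unit, Parent: Child depth at the Regional Manager level sees down the tree, and a sibling client unit sees nothing.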

 
