Solved: Re: Security architecture

Termigez1 · ‎10-01-2021

Hello,

I have a simple business case:

- 1 environment with security group to give access to the environment

- 3 groups of users with custom security roles

I want to create an architecture based on Azure AD that will allow admin to: 1. add a user to main security group (so he can access the environment), 2. add a user to specific security group so he can get security role automatically. I listed such steps to achieve it:

1. Create main, access SG in Azure (Let's call it SG1)

2. Add SG1 as security group of the environment

3. Create Dynamics Team 1, type: AAD, connect it to SG1, then add it as a member of SG1 in Azure so it can synchronize.

4. Create SG2, SG3, SG4 in Azure

5. Do step 3 for all SG in Azure.

6. Create 3 custom security roles and add them to the appropriate Dynamics Teams.

Once I do all these steps I expect, that If I add User 1 to SG1 and SG2 he will be able to access environment (due to SG1) and will be given security role of SG2, am I right?

I also wonder whether I need to:

1. Add a security role to Dynamics Team 1? If yes, can it be very simple group without much permissions?

2. Add Azure SG2, SG3, SG4 as a member of SG1 co it can all work?

If you think that I missed something or it can be done better, please feel free to provide better solution. Thank you in advance.

ChrisPiasecki · ‎10-10-2021

Hi @Termigez1,

You're on the right track, just a few points:

If SG1 is just meant for association of users to the environment, you don't need to give it any Dataverse security role nor create an AAD Group Team for it. Just simply set the Security Group of the environment to SG1.
Create 3 AAD Group Teams for SG2, SG3, SG4.
Assign Dataverse security roles to appropriate AAD group teams above as per your need
Add SG2, SG3, SG4 to SG1.
Add users into either SG2, SG3, SG4. Users get access to environment due to nested membership of SG1, then access to Dataverse through security roles assigned to the AAD Group Team and the SG associated to that Group Team.

So overall less steps are required than your initial thoughts.

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

View solution in original post

ChrisPiasecki · ‎10-10-2021

Hi @Termigez1,

You're on the right track, just a few points:

If SG1 is just meant for association of users to the environment, you don't need to give it any Dataverse security role nor create an AAD Group Team for it. Just simply set the Security Group of the environment to SG1.
Create 3 AAD Group Teams for SG2, SG3, SG4.
Assign Dataverse security roles to appropriate AAD group teams above as per your need
Add SG2, SG3, SG4 to SG1.
Add users into either SG2, SG3, SG4. Users get access to environment due to nested membership of SG1, then access to Dataverse through security roles assigned to the AAD Group Team and the SG associated to that Group Team.

So overall less steps are required than your initial thoughts.

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

Security architecture

Helpful resources

Register for a Free Workshop

Microsoft Build is May 24-26. Have you registered yet?

What difference can a User Group make for you?