Introduction
One of the most common misconceptions in Dynamics 365 implementations is that access to a record automatically means access to all related documents.
In practice, this is not always true.
I recently worked on a case management solution where multiple departments needed visibility of case records. Users required access to case details, status information, activities, and progress updates. However, the legal team had a separate requirement: sensitive legal documents stored against cases should only be accessible to authorised legal personnel.
This created an interesting challenge.
How can users view and work with a case while preventing access to the SharePoint documents associated with that case?
This article explores some important design considerations when implementing secure document management with Dynamics 365 and SharePoint integration.
Understanding the Challenge
Dynamics 365 and SharePoint integration is widely used because it provides an effective way to manage documents while keeping case information within Dynamics 365.
However, organisations often assume that Dynamics 365 security automatically controls access to SharePoint documents.
In reality, Dynamics 365 security and SharePoint security are separate security models.
A user may have access to a Dynamics 365 record but still be restricted from viewing documents stored in SharePoint.
While Dataverse security roles determine access to records within Dynamics 365, SharePoint permissions control access to files stored in document libraries. Because these platforms enforce security independently, organisations should design both permission models together rather than assuming one automatically controls the other.
This distinction becomes particularly important in environments that manage:
- Legal documentation
- HR records
- Investigation files
- Compliance evidence
- Commercially sensitive information
Why Standard Record Security Is Not Enough
Dataverse security roles are excellent for controlling access to:
- Tables
- Records
- Forms
- Views
- Fields
However, once documents are stored in SharePoint, document access is governed by SharePoint permissions.
Without additional planning, users who can access a case may also gain access to documents stored within the associated SharePoint location.
For sensitive business processes, this can create governance and compliance concerns.
A Practical Scenario
Consider a legal case management solution.
The organisation has three user groups:
- Legal Team: responsible for legal investigations and document management.
- Case Managers: responsible for operational case handling.
- Read-Only Reviewers: require visibility of case progress but should not access legal documentation.
All three groups need access to the Dynamics 365 case record.
However, only the Legal Team should be able to open or download legal documents stored within SharePoint.
This is where document security design becomes critical.
Key Design Considerations
Separate Record Access from Document Access
One of the most important design principles is treating record security and document security as separate requirements.
Questions to ask early include:
- Who can view the case?
- Who can update the case?
- Who can access documents?
- Who can upload documents?
- Who can delete documents?
These permissions are often different.
Design SharePoint Security Early
A common mistake is implementing Dynamics 365 security first and treating SharePoint security as an afterthought.
In practice, document security should be discussed during discovery workshops and solution design.
Changes become significantly more complex once document libraries have been populated with business data.
Use SharePoint Groups
Where possible, document access should be managed through SharePoint groups rather than individual user permissions.
This approach improves:
- Maintainability
- Governance
- Auditability
- Administration
It also reduces the risk of permission inconsistencies developing over time.
Consider Dedicated Document Libraries
In some scenarios, separating sensitive documents into dedicated SharePoint libraries can simplify security management.
For example:
- General Case Documents
- Legal Documents
- Compliance Evidence
Each library can then have its own security model.
Balancing Security and User Experience
Security controls should protect sensitive information without making the solution difficult to use.
Users should clearly understand:
- Which documents they can access
- Why access may be restricted
- How access requests are managed
Clear communication helps reduce support requests and user frustration.
Lessons Learned
Several lessons emerged during implementation.
Document Security Is Not the Same as Dynamics 365 Security
Many stakeholders initially assume Dynamics 365 permissions automatically control SharePoint documents.
Setting expectations early avoids confusion later in the project.
Security Requirements Need Detailed Discovery
Simple statements such as "users should not see legal documents" often hide complex requirements.
Discovery workshops should explore:
- Different document categories
- Access exceptions
- Regulatory requirements
- Audit requirements
Governance Matters
Security design should support future growth.
As additional teams, departments, and document types are introduced, governance becomes increasingly important.
Well-structured permission models are easier to maintain and audit over time.
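One way to keep a group-based, per-library permission model auditable is to compare an export of SharePoint role assignments against the intended access matrix. The sketch below is an added example, not code from the implementation described in this article. The group and library names follow the scenario above, while the permission levels in the policy, the export record layout and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# SharePoint permission levels ranked by what they allow (read < upload/edit < manage).
RANK = {"Read": 1, "Contribute": 2, "Full Control": 3}

# Intended model: library -> {SharePoint group: highest permitted level}.
# Names follow the article's scenario; the levels themselves are assumed.
POLICY = {
    "General Case Documents": {"Legal Team": "Contribute", "Case Managers": "Contribute",
                               "Read-Only Reviewers": "Read"},
    "Legal Documents": {"Legal Team": "Contribute"},
}

@dataclass(frozen=True)
class Assignment:
    library: str
    principal: str
    kind: str        # "group" or "user"
    level: str       # SharePoint permission level name
    inherited: bool  # True when the library still inherits from the parent site

def audit(assignments, policy=POLICY):
    """Return sorted (library, principal, issue) findings for drift from the policy."""
    findings = set()
    for a in assignments:
        allowed = policy.get(a.library)
        if allowed is None:
            findings.add((a.library, a.principal, "library-not-in-policy"))
            continue
        if a.inherited:  # every library in the policy should have its own security model
            findings.add((a.library, a.principal, "inherited-permissions"))
        if a.kind == "user":  # access should flow through groups, not individuals
            findings.add((a.library, a.principal, "direct-user-grant"))
        elif a.principal not in allowed:
            findings.add((a.library, a.principal, "group-not-permitted"))
        elif RANK.get(a.level, 99) > RANK[allowed[a.principal]]:
            findings.add((a.library, a.principal, "level-exceeds-policy"))
    return sorted(findings)

# Constructed sample export of role assignments (not real tenant data).
SAMPLE = [
    Assignment("General Case Documents", "Case Managers", "group", "Contribute", False),
    Assignment("General Case Documents", "Read-Only Reviewers", "group", "Contribute", False),
    Assignment("Legal Documents", "Legal Team", "group", "Contribute", False),
    Assignment("Legal Documents", "Case Managers", "group", "Read", True),
    Assignment("Legal Documents", "j.smith@example.com", "user", "Read", False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Unknown permission levels are treated as exceeding the policy, so custom levels surface as findings until they are added to the ranking.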
Conclusion
Dynamics 365 and SharePoint provide a powerful combination for case and document management. However, organisations should avoid assuming that access to a Dynamics 365 record automatically determines access to associated SharePoint documents.
For sensitive processes involving legal, HR, compliance, or investigation records, document security requires its own design approach.
By treating SharePoint permissions as a dedicated security requirement and addressing them early in the project lifecycle, organisations can provide users with the case visibility they need while protecting sensitive documentation appropriately.
In many implementations, the challenge is not simply giving users access to information. Addressing document security early can help organisations avoid governance issues, reduce security risks, and build solutions that remain scalable as case volumes and teams grow.