Skip to main content

Notifications

Announcements

Join us in the Community for an AMA: December 12th Register Today
News and Announcements icon
Dynamics 365 Community / Forums / Microsoft Dynamics 365 | Integration, Dataverse... / Issue with inherited t...
Microsoft Dynamics 365 | Integration, Dataverse...
Unanswered

Issue with inherited team privileges Azure AD Group Dataverse

(0) ShareShare
ReportReport
Posted on by HFG 20

Hi all, 

 

I am trying to replace our current security set up and use Azure AD groups to provide access to a Model Driven App and data in Dataverse. I am seeing some very strange behaviour and need your help.

 

The current set up is as follows:

 

Root BU with two sub business units 

Security roles which give access to the data at BU unit level

Users are in one of the sub BUs and assigned a security role directly

 

This allows us to manage the access to the tables through the security role and access to the data through the BU. 

 

What we would like to do is use Azure AD groups to assign the security role so that we don't need to assign a role to each person individually. This is the current test model:

 

Root BU with two sub business units

Azure AD group(s) which are in the root BU and each have a role attached. The role has Direct User/Basic access level and Team privileges

User is in a sub BU and has no individual role attached to them

 

This is the strange behaviour I am seeing:

When user access is given to a table, the user sees only records that they own - correct
When organisation level is given the user sees all records - correct
However, when BU level is given, the user doesn't see anything! (Why would they lose access to their own records when a higher access level has been given?!)

When the security role with BU level access is assigned directly to the user, we see the desired effect: the user has access to the table, but only the records for their BU.

 

Can anyone shed any light on what is going on? It would be hugely appreciated!

  • HFG Profile Picture
    HFG 20 on at
    RE: Issue with inherited team privileges Azure AD Group Dataverse

    OK I think I figured it out. I'm going to post my findings rather than just deleting the thread.

    When the user has basic level given, the role acts like the user directly so they are able to see any records that belong to them directly.

    When the user is given a higher level, the role looks at the team rather than the user. In this case, the team and user were in different divisions so when the division level access was given, the user only saw records that were owned by their team or anyone in the same division as the team.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Join us in the Community for an AMA: December 12th Register Today

Quick Links

December Spotlight Star - Muhammad Affan

Congratulations to a top community star!

Top 10 leaders for November!

Congratulations to our November super stars!

Community AMA December 12th

Join us as we continue to demystify the Dynamics 365 Contact Center

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 291,240 Super User 2024 Season 2

#2
Martin Dráb Profile Picture

Martin Dráb 230,149 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Get batch job history log from D365 FO to Power Automate

Product updates

Dynamics 365 release plans