Dynamics Community Forum Thread Details

Security structure to restrict user access to specific accounts and all associated records

We have a set of customers whose records (anything linked to the account) should only be accessible by users who are security cleared. We plan to implement Business units to separate the users but users who are security cleared can also be the owners of records for customers who don't need security clearance. This means we can't solely use record ownership to control access so looking into assigning records to Business units.

How does assigning records to business units work? If you assign an account to a BU can all linked records e.g. cases automatically move to that BU or does it need to be done on a per table level?

Categories:

Dynamics 365 general

Hi,

You can use the modernized business units. If I understood correctly your requirement, it would look like:

User 1 (security cleared) - BU 1 security cleared

User 2 (not security cleared) - BU 1

Any time an account is created, and it doesn't belong to a security customer, no matter if is user 1 or 2 creating it, you will created a plugin to set its owning business unit as BU 1. Then, you can also add some logic on the child records (like cases) that any time they are created, they will inherit the owning business unit from the related account.

If the account is a security customer, then only users from BU 1 security cleared are allowed to created then. OOB, the system will set their owning BU as BU 1 security cleared só the others won't ser them.

To ensure the guys in the BU 1 security cleared also nave the role belonging to BU 1.

Consider the following links for more details:

https://learn.microsoft.com/en-us/power-platform/admin/wp-security-cds#enable-the-matrix-data-access-structure

https://learn.microsoft.com/en-us/power-platform/admin/wp-security-cds#record-ownership-in-modernized-business-units

Hope I was clear and this helps you.

Quick Links