Answered

Control user data access on records in different business units


Hello Community,

I am trying to solve the following security requirements for users in Dynamics 365 (Customer Engagement), and would appreciate some pointers:

Background:

- Team A is in Business Unit A

- Team B is in Business Unit B

- User 1 is in Business Unit A

- User 2 is in Business Unit A

- Both User 1 and User 2 have an individual security role that has BU Read/Write access on the Account entity. It needs to stay as BU level access, and cannot be changed to organization (global) level access.

Needs:

- We want to allow User 1 and User 2 to be able to access Account records owned by Team B

Approach:

- Create a security role (called Test Role), with the member's privilege inheritance set to "Direct User (Basic) access level and Team privileges", and assign this role to Team B

- This Test Role has BU Read/Write access on the Account entity

- Add both User 1 and User 2 as members of Team B

Results:

- Now both User 1 and User 2 can access Account records owned by Team B

Problem:

However, what if we want User 1 to only have READ access on Account records owned by Team B, but no WRITE access, and at the same time, we want User 2 to have both READ/WRITE access on Account records owned by Team B?

Any ideas what changes I would need to make, given the setup above, to achieve this? (Note: let's assume the out-of-the-box Share feature is not an option)

Thank you!

  • If I understand this correctly, I don't think it is possible for User1/User2 to be in Team B (which has BU level access to accounts) and yet prevent user 1 from doing something that its team can do. I'm even confused now by my own statement :)

  • Hi Omar,

    Yes, I believe you understand this correctly :) So we cannot have both User 1 and User 2 in Team B. But to solve this requirement, I might have to create another dummy team called Team C, which would be in the same business unit as Team B. Then, I would leave User 1 in Team B, and put User 2 in Team C. I would assign Team B a security role that gives only BU level Read access on Account, and Team B is the owner of Account records. I would assign Team C another different security role that gives both BU level Read/Write access on Account. Team C doesn't own any records.

    With the above setup, I believe I should be able to allow User 1 to just view Accounts owned by Team B, and also allow User 2 to view and update Accounts owned by Team B.

    Does my approach above make sense?

    Thanks.

  • Verified answer

    Hi Eric, it does make sense to me. The only concern is that it doesn't scale, and the more things you add in the future, the harder it will be to maintain. I would strongly suggest revisiting the share functionality.
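The two configurations discussed in this thread, as an added example that is not part of any post: a simplified Python model (not Dataverse code or its API) of how the access comes out for an Account owned by Team B. It assumes that effective privileges are the union of a user's direct roles and the roles of the teams they belong to, that a BU-level grant applies in the business unit of the principal holding the role, and that there is no deny; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset  # e.g. {"Read", "Write"}, all at Business Unit depth

@dataclass
class Principal:  # a user or an owner team (hypothetical model type)
    name: str
    bu: str
    roles: list = field(default_factory=list)
    teams: list = field(default_factory=list)  # populated for users only

def can(user, privilege, record_owner_bu):
    """True if any role held directly or through a team grants `privilege`
    at BU depth in the business unit that owns the record."""
    for holder in [user, *user.teams]:
        for role in holder.roles:
            if privilege in role.privileges and holder.bu == record_owner_bu:
                return True
    return False  # nothing granted it; the model has no explicit deny

def build(split_teams):
    """split_teams=False: original setup, both users in Team B (Read/Write).
    split_teams=True: Team B is read-only, User 2 moves to Team C (Read/Write)."""
    rw = Role("BU Read/Write", frozenset({"Read", "Write"}))
    ro = Role("BU Read only", frozenset({"Read"}))
    team_b = Principal("Team B", "BU B", roles=[ro if split_teams else rw])
    team_c = Principal("Team C", "BU B", roles=[rw])
    user1 = Principal("User 1", "BU A", roles=[rw], teams=[team_b])
    user2 = Principal("User 2", "BU A", roles=[rw],
                      teams=[team_c] if split_teams else [team_b])
    return user1, user2

def access_matrix(split_teams):
    """Access of each user to an Account owned by Team B (a record in BU B)."""
    return {u.name: {p: can(u, p, "BU B") for p in ("Read", "Write")}
            for u in build(split_teams)}

if __name__ == "__main__":
    for split in (False, True):
        label = "Team B read-only + Team C" if split else "Both users in Team B"
        print(label, access_matrix(split))
```

Because grants only accumulate in this model, the per-user difference has to come from which teams each user belongs to, which is why every new combination of access needs another team and role.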
