Control user data access on records in different business units

(0) Share

Report

Posted on by Community Member

Hello Community,

I am trying to solve the following security requirements for users in Dynamics 365 (Customer Engagement), and would appreciate some pointers:

Background:

- Team A is in Business Unit A

- Team B is in Business Unit B

- User 1 is in Business Unit A

- User 2 is in Business Unit A

- Both User 1 and User 2 has individual security role that has BU Read/Write access on the Account entity. It needs to stay as BU level access, and cannot be changed to organization (global) level access.

Needs:

- We want to allow User 1 and User 2 to be able to access Account records owned by Team B

Approach:

- Create a security role (called Test Role), with the member's privilege inheritance set to "Direct User (Basic) access level and Team privileges", and assign this role to Team B

- This Test Role has BU Read/Write access on the Account entity

- Add both User 1 and User 2 as members of Team B

Results:

- Now both User 1 and User 2 can access Account records owned by Team B

Problem:

However, what if we want User 1 to only have READ access on Account records owned by Team B, but no WRITE access, and at the same time, we want User 2 to have both READ/Write access on Account records owned by Team B

Any ideas what changes I would need to make, given the set up above, to achieve this? (Note: let's assume the out of the box Share feature is not an option)

Thank you!

I have the same question (0)

All responses (3)

Answers (1)

Sort by

Community Member on at

Like (0)

Report
Copy link

Link copied!

If I understand this correctly, I don't think it is possible for User1/User2 to be in Team B (which has BU level access to accounts) and yet prevent user 1 from doing something that its team can do. I'm even confused now by my own statement :)

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Copy link

Link copied!

Hi Omar,

Yes, I believe you understand this correctly :) So we cannot have both User 1 and User 2 in Team B. But to solve this requirement, I might have to create another dummy team called Team C, which would be in the same business unit as Team B. Then, I would leave User 1 in Team B, and put User 2 in Team C. I would assign Team B a security role that gives only BU level Read access on Account, and Team B is the owner of Account records. I would assign Team C another different security role that gives both BU level Read/Write access on Account. Team C doesn't own any records.

With the above set up, I believe I should be able to allow User 1 to just view Accounts owned by Team B, and also allow User 2 to view and update Accounts owned by Team B.

Does my approach above make sense?

Thanks.

Was this reply helpful? Yes No
Verified answer

Community Member on at

Like (0)

Report
Copy link

Link copied!

HI Eric, it does make sense to me. The only concern is that it doesn't scale and the more things you add in the future will make it hard to maintain. I would strongly suggest revisiting the share functionality.

Was this reply helpful? Yes No