Microsoft Dynamics 365 | Integration, Dataverse...
Answered

AAD RBAC Security Groups and Dynamics Security Roles

Posted on by 71

Hi All,

I'm trying to implement AAD RBAC security groups into Dynamics and make it easier to control access to Dynamics and also easier to add and remove users from the relevant security groups.

What I have done so far:

1. Created the AAD RBAC security groups - Added the users into the relevant groups 

2. Duplicated the 'Salespersons' security role - created a new one with a new name RBAC..
    Added extra roles as required to new group to cover other access (went through all the current security roles the users had and added if needed to the new group)

2. Created the corresponding 'Teams' with Power Platform

3. Added the new RBAC security group as a security role to the Dynamics Team created above


4. Removed the default access roles from the test user and the following happened
5. Firstly, they had no Site Map on the left side so therefore could not go between Contacts/Leads/Opportunities and Accounts - Only via individual links to those sections


6. As a test I added back 'Sales Enterprise app access' and the site map came back.
I looked into the security roles of 'Sales Enterprise....' and my newly created role has all the features of this role and more....

So my question
Why are my RBAC groups not working?
Have I set them up wrong?
Why when I add a security group directly back to the user they have access again?

Any suggestions and help

Read all the documentation so not sure if I'm missing something.

  • RachelColes Profile Picture
    RachelColes 71 on at
    RE: AAD RBAC Security Groups and Dynamics Security Roles

    Thank you both for the replies and help

    All works, except for one user.....

    For some reason the user is not getting added to the security Team in Dynamics. Revoked AAD session, left it overnight and still it will not add the user to the group so they are not getting the permissions....

    Will get the user to clear all browser cache etc and see what happens.

    At the moment, having to give the user the security roles via PA

    Really weird, as the account is the same as all the others

  • Verified answer
    Sayen Zhang Profile Picture
    Sayen Zhang on at
    RE: AAD RBAC Security Groups and Dynamics Security Roles

    Hi Rachel,

    Hope you are well.

    Sales Enterprise app access Member's privilege inheritance to Team privileges only so team members who do not have user privileges of their own, they can only create records with the team as the owner.

    We can change RBAC_DYNAMICS_SALES_USER Member's privilege inheritance to Team privileges only and save to check if Site Map on the left side can be seen.

    If users don't have the privileges on their custom security role to access the entities defined in your sitemap, the entities will automatically hide from the app.

    Please also make sure at least read (user access) to the entities of your site map are selected.

    Here is a reference link: Solved: Left Navigation disappeared for a user that a cust... - Power Platform Community (microsoft.com)

    Best Regards,

    Sayen Zhang

  • RachelColes Profile Picture
    RachelColes 71 on at
    RE: AAD RBAC Security Groups and Dynamics Security Roles

    Hey Daniel,

    Thank you for the reply and explanation.

    I checked the security group I created in PA and it does have the model-driven app added

    So I decided to make a separate security group (copied the Sales Enterprise App), made sure it was set to Team privileges only

    Then added it to my PA Team as a security role and will test
      

    I understand now more of how it works and hopefully with this it will now work.
    I'll let you know

  • Suggested answer
    PerezAguiar Profile Picture
    PerezAguiar on at
    RE: AAD RBAC Security Groups and Dynamics Security Roles

    Hey Rachel

    The Sales Enterprise App Access has a particular permission that is required for the navigation to show:

    Can you confirm your custom role has this? Also, it should be set to "team privileges only"

    Also, note that when you create a security group on AzureAD, assign users and create an AAD Team in Dataverse, the AAD Team in Dataverse WILL NOT populate the users automatically:

    This comes from https://learn.microsoft.com/en-us/power-platform/admin/manage-group-teams  

    It seems RBAC is working correctly, but you need to differentiate 2 behaviors: what you have access to (CRUD operations on specific entities) and what you can "see" (UI Experience). This second point comes from the options set on that particular privilege ("Model driven apps" set to Read on Organization level), as this will allow you to see the apps and the left menu. Then, the apps might be customized to show different navigation options (and you'll need permissions to read those entities so the option shows).

    Regards,
