Customer Insights – Journeys: Access Teams vs Business Units for selective data isolation


Hello,

 

We have a Customer Insights implementation with 6 Business Units and are using Access Teams for access control in Dataverse today.

Current Dataverse access model (works as intended)


  • Users can be members of multiple Access Teams.

  • Access Teams are aligned to what we conceptually treat as sub‑BUs (for example C, D, E).

  • Access is group‑managed via Azure AD.

  • Resulting behavior:

    • If a user is a member of Access Teams for C, D, and E, they can see all data belonging to C, D, and E.

    • They cannot see data belonging to A or B.

    • If a user is only a member of A, they can only see A. 

  • This works well across Dataverse entities using standard security + Access Teams. 



The challenge in Customer Insights – Journeys

 

The issue appears specifically in Customer Insights – Journeys, especially for:


  • journeys

  • emails

  • marketing interactions

  • real‑time marketing assets



In CIJ, data access seems to be evaluated based on the user’s primary Business Unit rather than:


  • Access Teams

  • team membership

  • cross‑BU collaboration pattern



This creates a problem for our hybrid access model:

 

  • We need Business Unit A to be fully isolated

  • Other units (C, D, E, etc.) must collaborate and share CIJ assets and data

  • Users already have the correct access via Access Teams, but CIJ does not appear to respect this model



Questions

 

  1. Is this behavior expected in Customer Insights – Journeys (BU‑based access only)?

  2. Does CIJ currently ignore Access Team membership when determining visibility of journeys, emails, and interactions?

  3. Is there a supported way to implement a hybrid model where:

    • One BU is isolated

    • Other BUs collaborate

    • Access Teams (rather than primary BU) drive visibility 

  4. If not supported, what is the recommended Microsoft architecture for this scenario?

    • Separate environments?

    • Separate CIJ instances?

    • Different BU structure?

    • Other patterns?


We want to avoid duplicating environments if possible, as Dataverse access control already works correctly using Access Teams.

Any clarification on supported patterns, limitations, or roadmap considerations would be greatly appreciated.

Thanks in advance!


 
  • Suggested answer
    Assisted by AI
    ANInnoSolutions
    Hi DS-04030832-0,
     
    1) Issue
    In Dynamics 365 Customer Insights - Journeys, data access for journeys, emails, and real-time marketing assets does not align with the existing Dataverse Access Team model, causing visibility and collaboration issues across Business Units.

    Observed behavior:
    - Users with Access Team membership across multiple logical sub-BUs cannot see all related CIJ assets
    - Visibility appears to be restricted based on the user’s primary Business Unit
    - Access Teams and Azure AD group-based access are not respected in CIJ scenarios
    - One Business Unit requires strict isolation, while others require shared collaboration

    2) Reason
    This behavior is probably expected due to how Customer Insights - Journeys enforces its security model, which differs from standard Dataverse record-level access.

    Potential contributing factors include:
    A) Business Unit-centric security model in CIJ
    - CIJ assets such as journeys, emails, and segments are governed primarily by ownership and Business Unit
    - Access is evaluated using owner teams or user BU, not Access Teams
    - This differs from standard Dataverse entities where Access Teams can grant record-level permissions

    B) Limited support for Access Teams in CIJ
    - Access Teams are designed for record sharing on Dataverse tables
    - CIJ entities (especially real-time marketing assets) do not fully participate in the Access Team sharing model
    - As a result, membership in Access Teams does not grant visibility to CIJ artifacts

    C) Ownership-based access for marketing assets
    - Journeys, emails, and triggers are owned by users or owner teams
    - Access is granted through:
      - Ownership
      - Security roles
      - Business Unit hierarchy
    - Cross-BU access requires explicit ownership or sharing via owner teams

    D) Real-time marketing architecture constraints
    - CIJ real-time marketing relies on a service-layer architecture
    - Some assets are not traditional Dataverse records and have scoped visibility rules
    - This limits the use of granular sharing models like Access Teams

    E) Isolation and compliance design
    - CIJ is designed to support data isolation scenarios between Business Units
    - Default behavior prioritizes containment within BU boundaries
    - Cross-BU collaboration must be explicitly modeled using supported constructs

    3) Resolution
    Step 1: Acknowledge supported security pattern
    - Accept that CIJ currently relies on:
      - Business Units
      - Owner Teams
      - Security Roles
    - Access Teams cannot be used as the primary access mechanism for CIJ assets

    Step 2: Use Owner Teams for cross-BU collaboration
    - Create Owner Teams aligned to collaborative groups (for example C+D+E)
    - Assign CIJ assets such as journeys and emails to these Owner Teams
    - Add users from multiple BUs into these teams
    - Ensure teams have appropriate security roles

    Step 3: Redesign BU structure for hybrid model
    - Maintain isolated BU A as a separate top-level or segregated BU
    - Group collaborative BUs (C, D, E) under a shared parent BU if possible
    - This enables inherited access via BU hierarchy while keeping A isolated

    Step 4: Apply security roles with appropriate scope
    - Assign roles with:
      - Business Unit level for isolation scenarios
      - Parent-child BU level for collaboration scenarios
    - Ensure roles allow access to CIJ entities such as:
      - Journeys
      - Emails
      - Segments
      - Interaction records

    Step 5: Separate ownership for isolation use case
    - Keep BU A assets owned only by:
      - Users in BU A
      - Owner Teams restricted to BU A
    - Avoid cross-assignment to shared teams

    Step 6: Consider environment separation (if strict isolation required)
    - If regulatory or strict isolation is mandatory:
      - Deploy separate environments for BU A and others
      - This guarantees full data and execution isolation
    - Use integration (e.g., Power Platform or Azure) if limited data sharing is needed

    Step 7: Manage shared assets via governance
    - Define clear ownership rules for:
      - Global templates
      - Shared journeys
    - Use Owner Teams to manage lifecycle and access

    Step 8: Validate CIJ configuration and limitations
    - Test visibility scenarios for:
      - Journeys
      - Emails
      - Real-time triggers
    - Confirm expected behavior under Owner Team model

    Step 9: Monitor roadmap and product updates
    - Microsoft is evolving CIJ and Dataverse convergence
    - Watch for future enhancements around:
      - Unified security model
      - Improved team-based access support
     
    For a more detailed answer, please provide more information.
     

    Rg,

    Alexander

    *Due to the complex and different possibilities of deploying Dynamics 365 I highly recommend not to set up the application without some expert/partner or support. (For more information contact me under anassl@inno-solutions.info or visit www.inno-solutions.de)

    *The information comes directly from the manufacturer or provider and is validated (not guaranteed) up to the date of creation of the posting.

    References:

    1. Microsoft Licensing Guide
    2. Microsoft Doc`s/Learn
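
Added example, not part of the original answer or any Microsoft code: a small Python model for checking a proposed Owner Team and Business Unit design (Steps 2 to 5) against the isolation requirement before testing it in the environment (Step 8). The BU tree, the parent BU name "Shared", the team name "CDE Marketing", the users and the assets are all constructed, and `can_see` is a simplified ownership plus role-scope evaluation assumed for illustration, not CIJ's actual access logic.

```python
from dataclasses import dataclass

# Constructed BU tree: A stays isolated; C, D, E share the hypothetical parent "Shared".
BU_PARENT = {"Root": None, "A": "Root", "Shared": "Root",
             "C": "Shared", "D": "Shared", "E": "Shared"}

@dataclass(frozen=True)
class User:
    name: str
    bu: str                               # primary Business Unit
    scope: str                            # role access level: "user", "bu", "parent_child"
    owner_teams: frozenset = frozenset()  # Owner Teams the user belongs to

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                            # owning user or Owner Team
    bu: str                               # Business Unit of that owner

def is_under(bu, ancestor):
    """True if bu is ancestor itself or sits below it in the BU tree."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def can_see(user, asset):
    """Simplified ownership + role-scope evaluation (a model, not CIJ's real logic)."""
    if asset.owner == user.name or asset.owner in user.owner_teams:
        return True
    if user.scope == "bu":
        return asset.bu == user.bu
    if user.scope == "parent_child":
        return is_under(asset.bu, user.bu)
    return False

def isolation_violations(users, assets, isolated="A"):
    """(user, asset) pairs where visibility crosses the isolated BU's boundary."""
    return [(u.name, a.name) for u in users for a in assets
            if can_see(u, a) and (u.bu == isolated) != (a.bu == isolated)]

# Constructed sample design following Steps 2-5 of the answer above.
USERS = [User("alice", "A", "bu"),
         User("carl", "C", "bu", frozenset({"CDE Marketing"})),
         User("dana", "D", "bu", frozenset({"CDE Marketing"}))]
ASSETS = [Asset("A welcome journey", "alice", "A"),
          Asset("CDE spring email", "CDE Marketing", "Shared"),
          Asset("D local journey", "dana", "D")]
```

Adding a Root-level user with parent-child scope, or a BU A user to the shared Owner Team, makes `isolation_violations` report the crossing, which are the two misconfigurations most likely to break BU A's isolation in this pattern.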
