Hi,
Great setup, here's how I'd approach each of your questions:
1. Owning Team vs. Business Units
Use both - they serve different purposes. Owning team alone won't reliably enforce cross-team isolation at scale with 50+ teams.
- Create one Business Unit (BU) per team. Set the Read privilege on your security roles to Business Unit scope; this enforces isolation at the platform level, not just the view level.
- Set the owning team at submission to the submitter's team (associated with the correct BU). This automatically places the record in the right BU.
- BU-level scope is enforced at the query/SQL layer, so it can't be bypassed by a misconfigured view or future admin change.
2. CurrentApprovalStage Field via Power Automate
Yes, this is the standard and recommended pattern. I'd suggest pairing it with an ApprovalStatus field (Pending / Approved / Rejected):
- This lets you build views like Stage = 2 AND Status = Pending for Role C's action queue
- A separate "All Team Records" view shows everything regardless of stage
- Keep all stage transition logic in a single flow to avoid race conditions; avoid updating this field from multiple parallel flows.
3. Multiple Security Roles on One Team
This is the most important thing to get right: Dataverse merges privileges from all assigned roles and the most permissive one wins. You cannot use role stacking to restrict visibility, only to grant more.
The correct pattern is one dedicated role per approver tier:
| User | Assigned Role |
| --- | --- |
| Submitter | Role_Submitter |
| Tier B Approver | Role_Approver_B |
| Tier C Approver | Role_Approver_C |
| Tier D Approver | Role_Approver_D |
| Tier E Approver | Role_Approver_E |
Each role: Read = Business Unit scope, Write = User scope, no Org-level Read on the approval table.
Important: Don't try to filter by stage using security roles - roles can't filter on field values. Use system views for that.
4. Best Practices for Role-Specific Views
- Separate sitemap areas per role - use the Roles property on sitemap groups in the app designer to show role-appropriate views to each approver tier. No code needed.
- System views over personal views - create system views like Approvals – Stage B – Pending filtered on stage + status. Personal views can't be centrally deployed.
- Filter on both stage AND status in your views - a record at Stage 2 that's already approved shouldn't appear in Role C's queue.
- Use Record Sharing (GrantAccess) for exceptions - if an escalation needs cross-BU visibility, share the specific record via Power Automate rather than broadening the role.
- Audit role assignments regularly - with 50+ teams, role drift (users accumulating extra roles over time) is the most common way isolation breaks down.
Summary:
BU scope = team isolation | One role per tier = privilege ceiling | Stage field = view filtering | Sitemap roles = what each user sees in the app
Hope this helps!
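As an added illustration of points 3 and 4 above (this is not the poster's code or a Dataverse API), the script below models the "most permissive depth wins" merge and uses it to audit for role drift. Role names follow the table in the post; the privilege depths, teams and memberships are constructed sample data, not exported from a real environment.

```python
"""Model Dataverse privilege merging across stacked security roles and flag
role drift on the approval table. All role definitions and memberships are
constructed sample data."""

# Access depths as Dataverse ranks them, least to most permissive.
DEPTH_RANK = {"None": 0, "User": 1, "Business Unit": 2,
              "Parent: Child Business Units": 3, "Organization": 4}

# Constructed role definitions: privilege depth on the approval table.
ROLES = {
    "Role_Submitter":   {"Read": "Business Unit", "Write": "User"},
    "Role_Approver_B":  {"Read": "Business Unit", "Write": "User"},
    "Role_Approver_C":  {"Read": "Business Unit", "Write": "User"},
    # Drifted legacy role whose Read was widened to Organization.
    "Legacy_Reporting": {"Read": "Organization", "Write": "None"},
}
TIER_ROLES = {"Role_Submitter", "Role_Approver_B", "Role_Approver_C",
              "Role_Approver_D", "Role_Approver_E"}

# Constructed memberships: roles assigned to teams, and users with their
# team memberships plus any roles assigned directly to the user.
TEAM_ROLES = {"Team_Finance": ["Role_Submitter"],
              "Team_Finance_ApproversB": ["Role_Approver_B"]}
USERS = {
    "alice": {"teams": ["Team_Finance"], "direct_roles": []},
    "bob":   {"teams": ["Team_Finance", "Team_Finance_ApproversB"], "direct_roles": []},
    "carol": {"teams": ["Team_Finance"], "direct_roles": ["Legacy_Reporting"]},
}

def effective_roles(user, users=USERS, team_roles=TEAM_ROLES):
    """All roles a user holds, whether directly or through team membership."""
    roles = set(users[user]["direct_roles"])
    for team in users[user]["teams"]:
        roles.update(team_roles.get(team, []))
    return roles

def effective_privileges(role_names, roles=ROLES):
    """Merge privilege depths across roles: the most permissive depth wins."""
    merged = {}
    for name in role_names:
        for priv, depth in roles[name].items():
            if DEPTH_RANK[depth] > DEPTH_RANK[merged.get(priv, "None")]:
                merged[priv] = depth
    return merged

def audit(users=USERS):
    """Flag users holding several tier roles or whose effective Read depth
    on the approval table exceeds Business Unit (the isolation boundary)."""
    findings = []
    for user in users:
        held = effective_roles(user, users)
        tiers = sorted(r for r in held if r in TIER_ROLES)
        if len(tiers) > 1:
            findings.append((user, "multiple tier roles: " + ", ".join(tiers)))
        read = effective_privileges(held).get("Read", "None")
        if DEPTH_RANK[read] > DEPTH_RANK["Business Unit"]:
            findings.append((user, f"effective Read depth {read} exceeds Business Unit"))
    return findings
```

Running `audit()` on the sample data reports bob (two tier roles via two teams) and carol (a direct legacy role widening Read to Organization), while alice is clean.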