Microsoft Dynamics 365 | Integration, Dataverse...

Best Practice Question: Assign Security Roles to Users or Teams?

(1) Share

Report

Posted on by nkrauter

Hello all,

what are the pros and cons of assigning a security role either directly to a user or to a team?

From what I see assigning a security role to a team and then adding users to that team makes it easier to directly see which group of people have a certain security role. However, in the documentation I can only find guides that talk about directly assigning security roles to users and MS even states:

"While teams provide access to a group of users, you must still associate individual users with security roles that grant the privileges they need to create, update, or delete user-owned records. These privileges cannot be applied by assigning security roles to a team and then adding the user to that team." (Use access teams and owner teams to collaborate and share information (Developer Guide for Dynamics 365 Customer Engagement (on-premises)) | Microsoft Learn)

Do I understand correctly that if I want to configure security roles that allow a user to only edit his/her contacts I need to assign the role directly to the user? What would happen if I assign the role to a team the user is in. Will all team members be able to edit his/her contacts? If I assign security roles to users how do I find out which users have a certain security role?

Thanks

All responses (2)

Answers (0)

Suggested answer

PerezAguiar on at

Like (0)

Report

RE: Best Practice Question: Assign Security Roles to Users or Teams?

Hey.

First: that link you're pasting is about OnPrem. The version for Online would be https://learn.microsoft.com/en-us/power-platform/admin/manage-teams

Second, this talks about 2 types of Teams: Owner, Access and AzureAD Team (which is an Owner team associated to an AzureAD SecGroup). It's important to know the difference between owner (responsible for the record) and Access (have access to records because it has been shared with them). Security Roles should be assigned to Owner groups.

Regards,
Suggested answer

Haig Liu Microsoft Employee on at

Like (0)

Report

RE: Best Practice Question: Assign Security Roles to Users or Teams?

Hi Nicolas Krauter,

Another point is mentioned below this document:

A user must have sufficient privileges to join an access team. For example, if the access team has the Delete access right on an account, the user must have the Delete privilege on the Account entity to join the team. If you’re trying to add a user with insufficient privileges, you’ll see this error message: “You can’t add the user to the access team because the user doesn’t have sufficient privileges on the entity.”

When assigning security roles we can customize a specific security role to be assigned to the same class of users.

Please follow the steps below to see which users have been assigned to this security role:

1.Open power apps and click on the nine dots in the upper left corner -> select admin:

2.Open Power Platform admin center -> select the Environment you want to lookup -> Click on see all Security Roles on the right:

3.select the role -> click member button

4.All users who have been assigned this security role are here: