Hey everybody!
Today we're going to talk a little bit about Dataverse security.
I've gotten a few questions recently about Dataverse security:
So, I'd like to do a quick video to kind of go over some of these scenarios and options, and show you what's possible with Dataverse security.
So let's get into it. okay?
Okay, first I wanted to lay out the different options that we have in Dataverse's security. Now, this isn't exhaustive. We also have 'Access Teams' which I'm not going to cover in this video, but the three main ones that I usually work with the most are:
But, the three main ones, that I usually work with the most, are:
So, let's take a look at a couple scenarios that I've created here regarding 'Owner Teams' and 'Business Units'.
Let's take a look at 'Business Units' first.
So I have two browsers open side by side. One is with a demo user called Scotty Security, and another is with my profile in our tenant.
Now, in my tenant I have the parent 'Business Unit' assigned to my profile, and in Scotty Security I have a child 'Business Unit' called Denver assigned to that user.
I have a table at the bottom here called 'Demo Business Unit Security'.
I have two records created in that table. One is created by myself and I have the parent 'Business Unit', Rockhop, and I assigned that to the owning 'Business Unit'. The other is created by Scotty Security who has the Denver Business unit.
Now you'll notice that there's a difference in records between both of these views. Since I'm in the parent 'Business Unit', and my user is in the parent 'Business Unit', I can see all records in that 'Business Unit'. And, any child records. Whereas, Scotty Security has the exact same permission assign to their security role, so they can't see anything above their 'Business Unit'.
Rockhop is a parent of the Denver Business, so Scotty Security cannot see anything above that.
Okay, so that was 'Business Units'. Now I want to switch over to 'Owner Teams'.
I quickly want to show you the setup here. I have a team inside my environment called 'Demo Denver Region', and Scotty Security is inside of this team. If I switch over to the app, I have a record inside of the demo company's table. In the security role for Scotty Security and myself I have the user permission assigned to this table for that security role. So, if I am the owner of that, only I will be able to see that. Or, if a team is an owner of that record then whoever's in that team will see that record.
So right now 'Demo Denver Region' is the owner of this record, so we both can see this, as Scotty's a part of this and my account is actually a system administrator.
Now, what happens if I were to change this?
I'm going to make this my user and I'm going to save and close.
Let's refresh. I'm now no longer able to see that record. You'll also notice that the job and sub-jobs underneath this company have been assigned a new owner, and that's me because I have set up the parental relationship from companies to jobs to job. So, that owner assignment will trickle down to any child records underneath companies.
Now, let's just do this one more time to show you when I assign a user or team 'Demo Denver Region' that will trickle down to any child records.
And, now Scotty Security can see that.
So that's 'Owner Teams':
I quickly want to cover a couple of options that you have with 'Owner Teams'.
I'm going to navigate over to the team section in my environment inside of the Power Platform admin Center. And, then when I go to create a team, I have a few options of how I want to create that team which offers some flexibility.
Select whether you want it to be an 'Owner Team', an 'Access Team', a 'Security Group', or an 'Office Group' team.
Now, what do each of those mean?
I stated at the beginning of this video that I'm not going to cover 'Access Teams' as those are a different topic in itself. So, I'll cover 'Owner Security Group' and 'Office Group' as they all act as a similar type of team.
An 'Owner Team' is one that you will create custom within this environment, so you will add users to this team within the environment. Now, if you don't want to manage users within your Power Platform environments you have the option to create an 'Owner Team' from an 'Intra ID Security Group' or an 'Intra ID Office Group'. So, when you create a Security Group, you can associate that Security Group with a team inside of your environment so you can then search for your Security Group.
In this new team creation wizard, the same thing goes for an 'Office Group'. That can be managed outside of Power Platform, so pretty useful in terms of managing users for apps.
Okay, so those were the couple scenarios I wanted to quickly show you to demo 'Owner Teams' and 'Business Units' to give you some flexibility around security in your Dataverse environments.
Now, there's a bunch of other security options that you can do inside of Dataverse. These are the two main ones that I typically use on solutions and usually fits most of the criteria in terms of security requirements on any given solution.
So I hope this was helpful to explain how Dataverse security works.
Have a great rest of your day, and happy power platforming!