How to set up Row-Level Security with Record Ownership Across Business Units in a Power Platform Environment
- Tristan Danic
- Mar 31

Arrr, matey! In today's treacherous business seas, it's vital to have sharp control over data access. In a Power Platform environment, ye can set up row-level security by using record ownership across various business units. This allows ye to manage who sees what data, based on organizational hierarchies and team memberships. This guide will steer ye through the process, step by step. ⚓️📜
Enabling Record Ownership Across Business Units
Before ye begin configurin' yer business units and security roles, ye must ensure that yer environment be set up to support record ownership across business units. This allows records to be owned by users or teams outside o' the user's default business unit. ⚓️
Steps:
Sign In to the Power Platform Admin Center:
Use an account with Dynamics 365 or Microsoft Power Platform admin privileges to sign in to the Power Platform admin center.
Select the Environment:
Choose the environment where you want to enable cross-business unit record ownership.
Access Environment Settings:
In the environment, navigate to Settings > Product > Features.

Enable the Feature:
Find the option labeled Record ownership across business units and turn it On.
It will take a few minutes, be patient! 😉
Configuring Business Units
Business units be representin' logical groupings within yer organization. They be crucial in controllin' data access and ensurin' that security roles and teams be properly segmented. 🌊
Steps:
Access Business Unit Settings:
In the Power Platform admin center, select your target environment. Then navigate to Settings > Users + permissions > Business units.

Create a New Business Unit:
Click on + New.
Enter a Name for the new business unit.
Select a Parent Business Unit. By default, the root (organization) is created automatically.
Fill in any additional required details and click Save.

Here's how to edit an Existing Business Unit (If Needed):
Select the business unit you wish to modify.
Update the necessary fields.
Save your changes.
Important Considerations:
The organization (root business unit) is automatically created and cannot be deleted.
Each business unit can have one parent but may include multiple child business units.
Users and security roles are assigned to business units, and each user must belong to one business unit.
Creating and Configuring Security Roles
Security roles be definin' what data users can access and what actions they can perform. In this scenario, ye'll be creatin' roles that correspond to the requirements of each business unit. 🏴‍☠️
Steps:
Navigate to Security Roles:
Within your environment in the Power Platform admin center, go to Settings > Users + permissions > Security roles.
Create a New Security Role:
Click on + New role.
Provide a Role Name that reflects the intended function or department.
Choose the Business Unit that this role will belong to.
Set the Member's privilege inheritance option to specify how privileges are inherited for team members.
Configure the necessary privileges for each entity (read, write, update, delete, etc.) based on your security requirements.
Click Save.

Editing Existing Security Roles:
Select a security role from the list.

Adjust the privileges and access levels to meet the business unit requirements.
Save your modifications.

Notes:
The System Administrator role cannot be edited directly. If you need similar privileges, copy the role and customize the new one as needed.
I tend not to include the “App opener” privileges, for a better understanding of the role.
Now it gets tricky indeed. Ye can choose the path o' assignin' Security Roles to Users or settin' up Teams and configurin' their Security Roles.
Let's dive into both options and see what be best for yer needs. 🦜
Assigning Security Roles to Users
Proper assignment o' security roles to users be crucial to enforce row-level security. With record ownership enabled across business units, ye have the flexibility to assign roles from different business units to a single user. ⚓️
Steps:
Access the Users Section:
In the Power Platform admin center, navigate to Settings > Users + permissions > Users.
Manage Security Roles for a User:
Select the user you wish to manage.

Click on Manage security roles.
From the list, assign the appropriate security roles for that user.
Tip: Ensure that each user has at least one security role so they have the required permissions to operate within the environment.
Save your changes.
Setting Up Teams and Configuring Their Security Roles
Teams in Power Platform not only enhance collaboration but also serve as record owners. Teams are particularly useful when implementing row-level security since they can be associated with a specific business unit and have tailored security roles.
Steps:
Access Teams in the Admin Center:

Create a New Team:
Click on + Create team.
Enter a Team Name and a brief Description.
Choose the associated Business Unit for the team.
Assign a team administrator.
Add the relevant Security Group
Choose a membership type:
Owner:
They have the highest level of access within a team.
They can manage team settings, add or remove members, and have full control over the team's resources and data.
Owners can also assign roles and permissions to other members.
Member:
They have access to the team's resources and data based on the permissions assigned to them by the owners.
They can collaborate with other team members, create and edit records, and participate in team activities.
They do not have the ability to manage team settings or add/remove members.
Guest:
They are external users who are invited to join the team.
They have limited access to the team's resources and data, typically restricted to viewing and collaborating on specific records or projects.
Guests cannot manage team settings or add/remove members.

Manage Team Membership:
Select the newly created team.
Choose Manage team members.
Add or remove users as necessary to ensure the right people are included in the team.

Assign Security Roles to the Team:
While still in the team’s settings, assign the appropriate security roles. These roles should align with the team’s function within the business unit.
This allows the team to own records and enforce row-level security based on its business unit’s configuration.

Associating your data to the business units
Let’s assume that your ship size dictates which crew mates can see your ship, and that only the frigates can be seen by your crew mates.
If you haven’t activated the multiple Business Unit option, your Owning Business Unit column will look like this:

After activation:

You can edit the Owning Business Unit to associate it either manually or by using a business rule.


Results
Et voilà !!! Here is the result for a user with system admin or full access.

And here is the result for a user being part of the team.
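
To show why the team member above sees only the frigates while the admin sees every ship, here is a simplified model of the read check against a row's Owning Business Unit. It is an added example, not code from this post or from Microsoft; the unit, team, user and ship names are constructed, and sharing and the privilege inheritance setting are left out.

```python
from dataclasses import dataclass
from enum import Enum

class Level(Enum):
    USER = 1           # rows the user owns, or owned by a team the user is in
    BUSINESS_UNIT = 2  # rows whose owning business unit is the role's unit
    PARENT_CHILD = 3   # the role's unit and every unit below it
    ORGANIZATION = 4   # every row in the environment

# Constructed hierarchy (child -> parent); "Fleet" stands in for the root unit.
PARENT = {"Fleet": None, "Frigates": "Fleet", "Galleons": "Fleet"}

@dataclass(frozen=True)
class Role:
    business_unit: str  # unit the role belongs to, not the user's home unit
    read: Level

@dataclass(frozen=True)
class Row:
    name: str
    owner: str  # a user or a team
    owning_business_unit: str

def is_within(unit, ancestor):
    """True if unit is ancestor itself or sits below it in the hierarchy."""
    while unit is not None:
        if unit == ancestor:
            return True
        unit = PARENT[unit]
    return False

def can_read(user, teams, roles, row):
    """True if any role held directly or through a team grants read."""
    unit = row.owning_business_unit
    return any(
        role.read == Level.ORGANIZATION
        or (role.read == Level.PARENT_CHILD and is_within(unit, role.business_unit))
        or (role.read == Level.BUSINESS_UNIT and unit == role.business_unit)
        or (role.read == Level.USER and row.owner in {user, *teams})
        for role in roles)

def visible(user, teams, roles, rows):
    """Names of the rows this user would see in a view."""
    return [r.name for r in rows if can_read(user, teams, roles, r)]

# Constructed sample rows for the ship table in this scenario.
SHIPS = [Row("Frigate Swift", "Frigate Crew", "Frigates"),
         Row("Galleon Gold", "captain", "Galleons"),
         Row("Flagship", "captain", "Fleet")]
```

Passing a user two roles from different business units, which the cross-business-unit setting allows, widens the result to the rows of both units.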

Best Practices:
Role Inheritance: Ensure that any security roles assigned to a team are designed to allow proper privilege inheritance. This will guarantee that all team members have the correct access when they work with records owned by the team.
Regular Reviews: Periodically review team memberships and security role assignments to adapt to changes in business structure or employee responsibilities.
Conclusion
Settin' up row-level security with record ownership across business units in Power Platform be a multi-step process that requires careful plannin' and configuration. By enabling cross-business unit record ownership, properly configurin' business units, creatin' tailored security roles, and settin' up teams, ye can enforce a mighty security model that aligns with yer organization’s structure. 🏴‍☠️
By followin' these steps in detail, ye can ensure that yer Power Platform environment be secure, flexible, and tailored to meet the needs of each business unit within yer organization. Happy configurin', ye scallywag! ⚓️