Dataverse Modernized security model for Business Unit
What do you know about the Dynamics 365 security model? Personally, I have worked on it several times. Sometimes I had to dive deep into it in order to provide a suitable structure to companies for whom collaboration is key to their business.
I encourage you to read this article, a deep dive into the classic Security Role model of D365, where you can dig further into roles and privileges.
For my part, I realized that the Dynamics 365 Security Model raises questions, and the more complex the organization structure is, the more questions there will be.
One of those questions is: how do you give common privileges to people who do not work in the same business unit? Put another way, how can I allow a user to see across business units when needed?
This is the major issue I have met when dealing with the security model, and fortunately Microsoft is about to release a new feature called Modernized Business Units.
Previously, we could not do this. To fulfill the requirement and allow a user to see records across Business Units, we had to use Owner Teams and give a specific role to that Team. This means the user would have a role within his own Business Unit but also in a Team that could include a bunch of users from different Business Units.
The new feature proposed by Microsoft allows us to give Roles within several Business Units, so that a specific user gets privileges across business units.
In this article, we will see and explain how the Security Model was built. Then we will show the new way the Security Model is about to work in the future and what major difference it makes, as explained in the preamble.
I - Dynamics 365 Security Model
Business Units are containers to which users are assigned. They set boundaries that limit data access to users belonging to that specific business unit and/or its child business units, depending on the level of privilege the user has. Basically, it looks like this:
At the top we have the root business unit, and under it Child Business Units, which can have Child Business Units of their own.
Let's assume, as in the previous schema, that User 1 belongs to Division A. As administrator, if I give User 1 the Read privilege on Account at Business Unit level, then User 1 will be able to see all Accounts owned by any member of Division A. So according to the previous schema, User 1 can see all of his own Accounts and those of User 2.
However, User 1 will not be able to see anything from the root Business Unit, nor the Accounts belonging to User 4 and User 5 within Division Aa.
Now, let's assume we give User 1 the Read privilege on Account at Business Unit (Child Business Unit) level. Nothing changes regarding what User 1 can see in his own Business Unit, but in addition User 1 will be able to see Accounts from Child Business Units, meaning Accounts owned by User 4 and User 5. It is still not possible to see anything from the root Business Unit, nor across Business Units at the same level such as Division B.
Now, let's give User 1 the Read privilege on Account at Organization level. Then User 1 will be able to see absolutely all Accounts from every Business Unit in the Organization, including Child Business Units, the Root Business Unit and Business Units at the same level such as Division B.
So we have a Role in which we define, for each Entity in the system, the level (User, Business Unit, Business Unit (Child Business Unit) or Organization) at which each privilege (Read, Write, Delete, Append, Append To, Assign, ...) is given to the user.
There are some obvious limitations. A user can belong to only a single Business Unit. If I want User 1 to be able to see the Accounts of his own Business Unit and also those of a Business Unit at his level such as Division B, then we have an issue.
I would have to handle this user story by creating what we call an Owner Team. In this Owner Team, I would include all Users from Division B plus User 1 from Division A. Then I would assign a specific role to this Team to fulfill the requirement.
Honestly, this is rather heavy and complicated for something like that! Fortunately, we now have Modernized Business Units, which will be released and is already available in Preview.
II - Modernized Business Unit
As mentioned in the previous part, Microsoft released a new feature called Modernized Business Units which allows us to give privileges across Business Units.
Unlike before, we will be able to give a User several Roles, each belonging to a specific Business Unit.
Let's assume we want the user to be able to see different records in several Business Units that are on the same level, so no hierarchical relationship is possible. As you can see in the schema below, we can give the user one role in each Business Unit he should have access to:
Note that giving a role in a specific Business Unit grants privileges only in that Business Unit, and giving a different role in another Business Unit takes effect only in that particular Business Unit.
So here, user A will be able to see all records of BU1 according to Role Y. He will also be able to see all records in BU2 according to Role X. Finally, he will also be able to see records in BU4 according to Role Z.
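To make both models concrete, here is an added Python example. It is not code from the original post and not a Dataverse API; it is a plain simulation of the access rules described above. It builds the BU tree from part I and evaluates the Account Read privilege at each access depth for User 1, including the Owner Team workaround, then replays the modernized case where User A belongs to BU1 and holds one role in each of BU1, BU2 and BU4. Roles are reduced to their Account Read depth (the page's Role Y, X and Z are not spelled out), and names such as User 3, Admin and the BU owners are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Access depth of the Account "Read" privilege in a security role, narrowest to
# widest: User, Business Unit, Business Unit (Child Business Unit), Organization.
USER, BUSINESS_UNIT, PARENT_CHILD, ORGANIZATION = 1, 2, 3, 4


@dataclass
class BusinessUnit:
    name: str
    parent: Optional["BusinessUnit"] = None

    def is_within(self, other: "BusinessUnit") -> bool:
        """True if this BU is `other` or sits anywhere below it in the BU tree."""
        bu: Optional[BusinessUnit] = self
        while bu is not None:
            if bu is other:
                return True
            bu = bu.parent
        return False


@dataclass
class User:
    name: str
    business_unit: BusinessUnit  # a user still belongs to exactly one BU
    # Role assignments as (read depth, BU the role is assigned in).
    # Classic model: every assignment's BU is the user's own BU.
    # Modernized model: assignments may point at any BU.
    roles: List[Tuple[int, BusinessUnit]] = field(default_factory=list)


@dataclass
class Team:
    # Owner Team workaround of the classic model: the team lives in one BU and
    # its role is evaluated in that BU for every member.
    name: str
    business_unit: BusinessUnit
    members: List[User]
    read_depth: int


@dataclass
class Account:
    name: str
    owner: User  # the owning BU of a record is its owner's BU


def grants(depth: int, role_bu: BusinessUnit, user: User, record: Account) -> bool:
    """Does one (depth, BU) role assignment grant Read on this record?"""
    owner_bu = record.owner.business_unit
    if depth >= ORGANIZATION:
        return True
    if depth >= PARENT_CHILD and owner_bu.is_within(role_bu):
        return True
    if depth >= BUSINESS_UNIT and owner_bu is role_bu:
        return True
    return record.owner is user  # USER depth: own records only


def can_read(user: User, record: Account, teams: Sequence[Team] = ()) -> bool:
    """Any of the user's own role assignments, or the role of any team the user
    is a member of, is enough: privileges accumulate, they never subtract."""
    if any(grants(d, bu, user, record) for d, bu in user.roles):
        return True
    return any(grants(t.read_depth, t.business_unit, user, record)
               for t in teams if user in t.members)


def classic_scenario() -> dict:
    """Part I schema: Root > Division A (User 1, User 2) > Division Aa (User 4,
    User 5), and Root > Division B. Returns who User 1 can read at each depth."""
    root = BusinessUnit("Root")
    div_a = BusinessUnit("Division A", root)
    div_aa = BusinessUnit("Division Aa", div_a)
    div_b = BusinessUnit("Division B", root)
    u1, u2 = User("User 1", div_a), User("User 2", div_a)
    u4, u5 = User("User 4", div_aa), User("User 5", div_aa)
    u3 = User("User 3", div_b)  # constructed: the page does not name Division B's users
    admin = User("Admin", root)  # constructed owner for the root BU's records
    accounts = [Account(f"{u.name}'s account", u) for u in (admin, u1, u2, u3, u4, u5)]

    visible = {}
    for label, depth in (("BU", BUSINESS_UNIT), ("ChildBU", PARENT_CHILD), ("Org", ORGANIZATION)):
        u1.roles = [(depth, div_a)]  # classic: the role always sits in User 1's own BU
        visible[label] = sorted(a.owner.name for a in accounts if can_read(u1, a))

    # Owner Team workaround: BU-level read in Division A plus a team in Division B.
    u1.roles = [(BUSINESS_UNIT, div_a)]
    team = Team("Division B readers", div_b, [u1, u3], BUSINESS_UNIT)
    visible["BU+Team"] = sorted(a.owner.name for a in accounts if can_read(u1, a, [team]))
    return visible


def modernized_scenario() -> list:
    """User A of BU1 gets one BU-level role in each of BU1, BU2 and BU4."""
    root = BusinessUnit("Root")
    bus = [BusinessUnit(f"BU{i}", root) for i in range(1, 5)]
    accounts = [Account(f"{bu.name} account", User(f"{bu.name} owner", bu)) for bu in bus]
    user_a = User("User A", bus[0],
                  roles=[(BUSINESS_UNIT, bus[0]), (BUSINESS_UNIT, bus[1]), (BUSINESS_UNIT, bus[3])])
    return sorted(a.name for a in accounts if can_read(user_a, a))


if __name__ == "__main__":
    print(classic_scenario())
    print(modernized_scenario())
```

The classic run shows the ladder from the text (Division A only, then Division Aa added, then everything) and that reaching Division B without an Organization-level role needs the team detour; the modernized run reaches BU2 and BU4 with plain BU-level roles while BU3, where User A has no role, stays invisible. When reviewing a real environment, the same question applies: for each role assignment, which BU is it evaluated in, and does that BU contain more records than the user actually needs.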
It's an important improvement that will definitely enhance Security Model management!
III - Enable the preview
This new way of managing the Security Model is accessible in the Power Platform Admin Center.
If you want access to the Preview, select the environment involved --> Settings --> Features
Now, enable the following option:
If it is not displayed, use Org Settings in XrmToolBox and enable the following line:
Note that it takes some time before the feature is truly enabled after you switch it on.
IV - In practice
After enabling this feature, you will not see the change appear in the old security interface.
Better to go to Power Platform Admin Center --> Environment --> select the environment --> Settings --> Users (as below)
Select a User and click on 'Manage security roles':
As you can see, we now have the possibility to select a Business Unit and assign a security role specific to that Business Unit, across several different ones. The user belongs to one Business Unit and can have several roles in several Business Units:
Simply select the Business Unit and then the Role you want to assign to the User for that specific Business Unit. Switch Business Unit and do the same if needed. Save and it takes effect instantly. The user can then access records across Business Units according to the Roles given within each Business Unit.
As I mentioned in the preamble, I quickly found the limits of the classic Security Model in Dynamics 365 when I had to meet customer requirements.
It could become really heavy and complicated under certain circumstances to meet them.
This new feature is a great improvement that without any doubt enhances the user experience and eases the management of the Security Model.
It has been available in Preview since November 2021. Enjoy!