Record ownership across business units (Preview)

This is a feature that has been in preview for quite some time now (for those of you who are interested, the preview was announced back in early November of 2021 under the heading of ‘Modernize Business Units’), but I realized I haven’t written an article about this, so I thought now would be a good time to explain what this feature entails.
This feature has been requested for quite some time as it will allow for a much simpler security configuration process.
If you are not quite familiar with role-based security in Dynamics 365, I will first explain how it worked before this preview was available, and then I will discuss what this preview of record ownership across business units brings to the table. A very important thing that you need to understand is that each user can only be assigned to one business unit, and that’s what made things a bit complicated when it comes to security in Dynamics 365.

Role based security in Dynamics 365

If you use role based security in Dynamics 365, you’re using the security roles that are part of the application to give users access to rows (aka records). The way it works today is that you can give users access to certain tables and assign individual privileges to each table. The available privileges can be seen when you open a security role record in the system. You can do this by navigating to https://admin.powerplatform.microsoft.com/, clicking on environments and clicking on an environment. From there you need to click on ‘settings’, expand the ‘Users + Permissions’ section and open ‘Security Roles’. Click on the ellipsis next to the role and select ‘Edit’ to open any security role from the list. When you click on ‘Core Records’ you’ll see what I am referring to. For this example I created a custom security role.

As you can see on the above image, each of the system tables is shown under the ‘Table’ heading, and the privileges are shown on the right side of the screen. You’ll see ‘Create’, ‘Read’, ‘Write’, ‘Delete’, ‘Append’, ‘Append To’, ‘Assign’ and ‘Share’. On the bottom of the security role page you’ll notice different icons: ‘User’, ‘Business Unit’, ‘Parent: Child Business Units’ and ‘Organization’. The ‘User’ icon means that these are the permissions a user has when the row is owned by them. (This means the user name is populated in the owner field.) You can see on the image above that for account creation, users with this role can only create accounts that they own. They can read rows of the account table that belong to owning users who are in the same business unit as the person who has this role assigned, and in any child business units. Below you can see what I mean by child business units. Business Unit 1 has a total of 5 child business units. Business unit 2 has 1 child: business unit 6, and business unit 3 has 2 children: business unit 4 and 5, while business unit 4 has one child business unit: BU 5. So depending on which business unit the user is assigned to, he or she will have different access levels! If they are assigned to BU1, they can see all the accounts, no matter which business unit the owner is in. If they are assigned to BU3, they will be able to see all accounts in BU3, BU4 and BU5.

I’m sure you can imagine that this could be problematic, because what if a user in BU3 (let’s call him David So) also needs access to accounts that are owned by users in BU2 and BU6? Can we even do that? Yes we can, but it takes a little work and makes things slightly more complicated: we would need to create a team inside of BU2, assign a security role (with parent-child access) to the team and then add users to the team in BU2. All the users in the team will get the permissions assigned to that team. These permissions stack on top of other security permissions they already have. Now this was a simple example, but I’m sure you can imagine this can become very complicated and hard to manage with these multiple teams and security roles! Now let’s say that Amy, who is also in BU3, only needs access to accounts in BU6. How would we handle that? Well, we would need to create another team, this time in BU6, assign a security role and add all the users to the team. I think you’re starting to see how complicated and messy this can get, right?

How does the preview feature work?

In order to explain what this preview feature does, you need to understand that the system automatically makes a copy of all the security roles that live in the top parent business unit, and they trickle down to each business unit. These are called ‘Inherited security roles’ and they can’t be updated. (You CAN, however, create new security roles in each business unit.) Today (if you didn’t turn the preview feature on) you can only assign security roles to a user from the same business unit. So if the user lives in BU3, then only roles from BU3 can be assigned. This is exactly why this preview feature is so exciting, because it changes that! When this feature is turned on, you can assign security roles from ALL business units, no matter in which business unit the user is located! This will make security more manageable, as it will be easier to keep track of security permissions for each user: security roles will all be in the same place, and we won’t have to check all the teams they are a member of and which security roles are inherited from the teams!
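The difference between the team workaround and the preview can be checked with a small access-review model. This is an added example, not code from Microsoft or from the original article; it is a simplified model, and the hierarchy (reading BU5 as nested under BU4), the user records, the team and all function names are constructed for illustration.

```python
# Simplified model of read scope per business unit (BU); all data is constructed.
PARENT = {"BU1": None, "BU2": "BU1", "BU3": "BU1",
          "BU6": "BU2", "BU4": "BU3", "BU5": "BU4"}

def subtree(root):
    """Return root plus every BU below it in the hierarchy."""
    found = set()
    for bu in PARENT:
        node = bu
        while node is not None:
            if node == root:
                found.add(bu)
                break
            node = PARENT[node]
    return found

def scope(depth, role_bu):
    """BUs whose rows a role grants, given its access level and the BU it belongs to."""
    if depth == "organization":
        return set(PARENT)
    if depth == "parent_child":
        return subtree(role_bu)
    if depth == "business_unit":
        return {role_bu}
    return set()  # "user" level: own rows only, no BU-wide scope

def effective_read_bus(user, teams=(), preview_enabled=False):
    """Union of BU scopes from direct roles and from team memberships."""
    bus = set()
    for depth, role_bu in user["roles"]:
        if role_bu != user["bu"] and not preview_enabled:
            raise ValueError(f"{user['name']}: role from {role_bu} needs the preview")
        bus |= scope(depth, role_bu)
    for team in teams:  # team roles stack on top of the user's own roles
        if user["name"] in team["members"]:
            bus |= scope(team["depth"], team["bu"])
    return bus

# Before the preview: David (BU3) reaches BU2/BU6 through a team created in BU2.
david_classic = {"name": "David", "bu": "BU3", "roles": [("parent_child", "BU3")]}
bu2_team = {"bu": "BU2", "depth": "parent_child", "members": {"David"}}
# With the preview: the BU2 role is assigned to David directly, no team needed.
david_preview = {"name": "David", "bu": "BU3",
                 "roles": [("parent_child", "BU3"), ("parent_child", "BU2")]}

if __name__ == "__main__":
    print(sorted(effective_read_bus(david_classic, [bu2_team])))
    print(sorted(effective_read_bus(david_preview, preview_enabled=True)))
```

Both configurations resolve to the same set of business units, but in the second one the whole grant is visible on the user record, which is what makes a per-user access review simpler.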

Assign security role

Let’s go back to the example I used earlier, where David So is a user who lives in BU2, but who also needs access to accounts in BU2 & BU6. With this new feature we will not have to create any teams, because we will be able to assign a security role from another business unit to David! I tried to assign a security role from a different business unit to a user, but I wasn’t able to do this from within Dynamics 365. I was able to accomplish this by navigating to https://admin.powerplatform.microsoft.com, opening the environment and accessing settings. From there you can open ‘Users + Permissions’ and open ‘Users’. Click on the user you want to assign the security role for, and click ‘Manage roles’ on the user record. A screen with a list of security roles opens up and you can change the business unit from the top! The ability to do this will make managing security in Dynamics 365 a lot easier than it has been in the past. It also gives makers a lot more possibilities! I hope you found this article informative!
