Users in Dynamics 365/Dataverse can be assigned security roles from multiple business units. How does this affect your existing security model?

Before I start the blog, a quick reminder – The feature we are going to discuss here is a preview feature.

From the days of Dynamics CRM, through Dynamics 365 and now in Dataverse, a user can belong to only a single business unit, and a user can be assigned security roles of that business unit only.

In my example, I have a business unit structure as shown in the screenshot below. Pretty simple. The root Business unit is named Contoso and there are two child business units under Contoso, Dept A and Dept B.

Assign security roles for users in Dynamics 365/ DataVerse from multiple business units.

Carl is a user in this environment and is associated with Business Unit – Dept A. Traditionally, if we try to assign a security role to Carl, only the security roles in Dept A show up. Screenshot below for illustration.


The department selector is greyed out and you cannot change the business unit. Reading this far, you might be wondering what’s new here. In fact, this has been the behavior through the ages.

And herein comes the change. With the new preview feature, users can now have security roles across business units, irrespective of the business unit they are in. Let’s see that in action.

To begin with, we need to enable the preview feature. Navigate to the Power Platform admin center and open the environment where you want to enable this feature.

Then go to Settings -> Features and enable the below feature.


Once you do that, you have the option to assign security roles across business units for the user. Please note that the feature is only available through the Power Platform admin center and not through the classic users area.


Wonderful, isn’t it? A feature we have been waiting on for ages. But what security implications does it have?

To test this, I modified the OOB Basic User role privileges to BU-level Read on the Account table.


In the next step, I assigned the Basic User security role from both Dept A and Dept B to the user Carl.


All set and done, it’s time to test. I created a sample account whose Owner is Facility Admin. Facility Admin belongs to business unit – Dept B.


Quite obviously, the owning business unit of the record is Dept B.

Now I log in as Carl. Remember, Carl is in business unit – Dept A. When I navigate to the Accounts view, I can see the sample account, which is owned by Facility Admin and is in business unit Dept B.


You may have already understood how it works, but for the sake of clarity: Carl has the Basic User role from both Dept A and Dept B. By virtue of BU-level Read, Carl is now able to see records of Dept B even though he belongs to Dept A.
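Because a role from another business unit extends what a user can see, it is worth listing who holds such roles. The script below is an added example, not part of the original post: it flags directly assigned roles that come from a business unit other than the user's own. It assumes the response shape of the Dataverse Web API query shown in its comment; the sample data and IDs are constructed placeholders, and roles inherited through teams are not covered.

```python
import json

# Constructed sample shaped like a Dataverse Web API response to:
#   GET /api/data/v9.2/systemusers?$select=fullname,_businessunitid_value
#       &$expand=systemuserroles_association($select=name,_businessunitid_value)
# The business unit IDs are made-up placeholders, not values from the post.
SAMPLE = json.loads("""
{"value": [
  {"fullname": "Carl", "_businessunitid_value": "bu-dept-a",
   "systemuserroles_association": [
     {"name": "Basic User", "_businessunitid_value": "bu-dept-a"},
     {"name": "Basic User", "_businessunitid_value": "bu-dept-b"}]},
  {"fullname": "Facility Admin", "_businessunitid_value": "bu-dept-b",
   "systemuserroles_association": [
     {"name": "Basic User", "_businessunitid_value": "bu-dept-b"}]}
]}
""")

# Placeholder lookup from business unit ID to display name (assumption).
BU_NAMES = {"bu-dept-a": "Dept A", "bu-dept-b": "Dept B"}


def cross_bu_roles(response):
    """Return {user: [(role name, role BU), ...]} for roles outside the user's own BU."""
    findings = {}
    for user in response.get("value", []):
        home = user.get("_businessunitid_value")
        foreign = []
        for role in user.get("systemuserroles_association", []):
            role_bu = role.get("_businessunitid_value")
            if role_bu != home:
                # Fall back to the raw ID when the BU is not in the lookup.
                foreign.append((role["name"], BU_NAMES.get(role_bu, role_bu)))
        if foreign:
            findings[user["fullname"]] = sorted(foreign)
    return findings


if __name__ == "__main__":
    for name, roles in cross_bu_roles(SAMPLE).items():
        for role, bu in roles:
            print(f"{name}: holds '{role}' from {bu} (outside home business unit)")
```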

Wonderful, isn’t it? Before I close the blog, I would like to answer a question that may be coming to your mind. What if I change the business unit of a user?

Previously, the user would lose all their security roles. Well, the behavior is still the same now: the user loses all their security roles.

I hope that was a new learning you came across today. Hope it helped!


Debajit Dutta
Business Solutions MVP