In this post I will look at the security aspects of Dynamics 365 and the Common Data Services.
Security Background
If you come from a Dynamics CRM background, this post will probably not cover much that is new to you. But now that citizen developers are creating apps using the Common Data Services, it is important to understand how security works in Dynamics.
If you get the security wrong, you might find that you can see data in your app while your users don’t see any data appear. Missing data is a typical symptom of security misconfigurations.
Security Terminology
The following terms are going to be important to understand:
- Business Unit
- User
- Security Role
- Hierarchy security
- Position
- Teams
- Mobile configuration
In the Power Platform Admin Center you can configure all these options.

Business Unit
In Power Platform terms, a default Business Unit is similar to an environment. Each environment will initially have one business unit with the name of the environment.

If you want to, you can create additional business units so that, for example, different divisions within your organisation have different business units. However, within the Power Platform you could also create separate environments instead.
Users
Each person using the Common Data Service will need to have an account. This account can be part of one or more teams. Security roles can then be assigned to a team or to a user account.

All users that exist within your Office 365 environment will automatically be added to your list of users, so you might find that you hardly ever add users to Dynamics 365.
You will, however, find yourself updating the roles or teams assigned to a user in the user maintenance screens.
Teams
We already saw that users can be part of a Team.

You can create new teams and add members to each team. Typically you would make teams for administrators, sales, support and any other groups of people that need to be able to access data in a different way.

Security Role
Once you have considered your users and the teams that they are part of, you will have to make Security Roles.
The Security Roles can be assigned to users; however, it is better to assign the roles to groups instead. That way you only need to add users to groups and you can be sure that they have the same permissions as the other group members.
With the earlier example, if you have created a canvas app, and you want to make sure that your users can access the data used by the app, you will only need to add new users to the team and ensure that the team has the right security roles assigned.

Just tick the boxes required for the role.
Users can be added to multiple teams. So you could consider a sales support manager to be part of the support team and also be part of the sales team.
Configuring the Security Roles
This is where things become complicated.
In the Power Platform Admin Center you can edit the security roles. When you get to the edit screen, the first part isn’t too bad.

But when you go through the tabs you will find a massive number of settings.

For each entity you will have to supply permissions. These permissions can be:
- None
- User
- Business Unit
- Parent: Child Business Units
- Organisation
Simply click on the circles and you will step through the levels that the permission can be applied at.
Then for each entity you can define whether the users assigned to the security role can Create, Read, Write, Delete, Append, Append To, Assign or Share.
And if that wasn’t enough, there are also the Miscellaneous Privileges to be set.

Ok, that was the second tab!
I’m going to skip the following tabs for now, but I don’t want to skip the custom entities. This is where we canvas app-ers get caught out most often.

You’ve created a custom entity and then forgot to supply the permissions. So make sure that you sort that out before you get caught out!
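The access levels and the forgotten custom entity described above, as an added example that is not part of the original post and not Microsoft's code. It is a simplified model that assumes a record belongs to its owner's business unit and ignores sharing, team ownership and hierarchy security; the business units, users, roles and the `new_project` entity are constructed sample data.

```python
from enum import IntEnum

class Level(IntEnum):  # the five access levels, in increasing scope
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3
    ORGANISATION = 4

# Constructed sample data: business unit -> parent, and user -> business unit.
BU_PARENT = {"Contoso": None, "Sales": "Contoso", "Sales EMEA": "Sales", "Support": "Contoso"}
USER_BU = {"maker": "Contoso", "sales_mgr": "Sales", "emea_rep": "Sales EMEA", "agent": "Support"}

# Constructed roles: entity -> privilege -> level. An entity that is absent
# from a role means its circles were never clicked, which is Level.NONE.
MAKER_ROLE = {"account": {"Read": Level.ORGANISATION}, "new_project": {"Read": Level.ORGANISATION}}
SALES_ROLE = {"account": {"Read": Level.PARENT_CHILD}}   # custom entity forgotten
PROJECT_ROLE = {"new_project": {"Read": Level.USER}}     # the fix for the app users

def in_bu_or_below(bu, top):
    """True if bu is top itself or one of its child business units."""
    while bu is not None:
        if bu == top:
            return True
        bu = BU_PARENT[bu]
    return False

def can_access(user, roles, record, privilege="Read"):
    """Evaluate one privilege; with several roles the widest level applies."""
    level = max((r.get(record["entity"], {}).get(privilege, Level.NONE) for r in roles),
                default=Level.NONE)
    owner_bu, user_bu = USER_BU[record["owner"]], USER_BU[user]
    if level == Level.ORGANISATION:
        return True
    if level == Level.PARENT_CHILD:
        return in_bu_or_below(owner_bu, user_bu)
    if level == Level.BUSINESS_UNIT:
        return owner_bu == user_bu
    if level == Level.USER:
        return record["owner"] == user
    return False

if __name__ == "__main__":
    project = {"entity": "new_project", "owner": "emea_rep"}  # constructed record
    for user, roles in [("maker", [MAKER_ROLE]), ("emea_rep", [SALES_ROLE]),
                        ("emea_rep", [SALES_ROLE, PROJECT_ROLE])]:
        print(user, can_access(user, roles, project))
```

The maker sees the custom entity's record while the app user does not, until a role that includes the custom entity is assigned.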
Hierarchy security
With hierarchy security you can set permissions so that data owned by users is visible to their managers. This can go across multiple levels of the hierarchy.

Position
Position security is similar to hierarchy security; however, this time there is no manager/reportee relation between people.

Note that for both Position and Hierarchy security you will need to consider performance. In general, though, the more complicated your security model becomes, the more carefully you need to consider which options you go for.
Mobile configuration
Mobile configuration has been included in the Security section of the Power Platform Admin Center, hence I’m including it here. However, this is much less about securing your data from an access perspective. It is more about which data users can use in offline mode on their phones.

So this data will be synchronized to their phones.