Security Permissions set in Dynamics

In this post I will look at the security aspects of Dynamics 365 and the Common Data Services.

Security Background

If you come from a Dynamics CRM background, I will probably not cover much that is new in this post. But now that citizen developers are creating apps using the Common Data Services, understanding security in Dynamics has become essential.

If you get the security wrong, you might find that you can see data in your app while your users don’t see any data at all. Missing data is a typical symptom of security misconfigurations.

Security Terminology

The following terms are going to be important to understand:

  • Business Unit
  • User
  • Security Role
  • Hierarchy security
  • Position
  • Teams
  • Mobile configuration

In the Power Platform Admin Center you can configure all these options.


Business Unit

In Power Platform terms, a default Business Unit is similar to an environment. Each environment will initially have one business unit with the name of the environment.


If you want to, you can create additional business units so that, for example, different divisions within your organisation have different business units. However, within the Power Platform you could also create separate environments instead.

Users

Each person using the Common Data Service will need to have an account. This account can be part of one or more teams. Security roles can then be assigned to a team or to a user account.


All users that exist within your Office 365 environment will automatically be added to your list of users, so you might find that you will hardly ever add users to Dynamics 365.

You will, however, find that you update the roles or teams assigned to a user in the user maintenance screens.

Teams

We already saw that users can be part of a Team.


You can create new teams and add members to each team. Typically you would make teams for administrators, sales, support and any other group of people that needs to access data in a different way.


Security Role

Once you have considered your users and the teams that they are part of, you will have to make Security Roles.

Security Roles can be assigned to users; however, it is better to assign the roles to groups instead. That way you only need to add users to groups and you can be sure that they have the same permissions as the other group members.

With the earlier example, if you have created a canvas app, and you want to make sure that your users can access the data used by the app, you will only need to add new users to the team and ensure that the team has the right security roles assigned.


Just tick the boxes required for the role.

Users can be added to multiple teams. So you could consider a sales support manager to be part of the support team and also be part of the sales team.

Configuring the Security Roles

This is where things become complicated.

In the Power Platform Admin Center you can edit the security roles. When you get to the edit screen, the first part isn’t too bad.


But when you go through the tabs you will find a massive amount of settings.

Entity Security Set in Dynamics

For each entity you will have to supply permissions. These permissions can be:

  • None
  • User
  • Business Unit
  • Parent: Child Business Units
  • Organisation

Simply click on the circles and you will step through the levels that the permission can be applied at.

Then, for each entity, you can define whether the users assigned to the security role can Create, Read, Write, Delete, Append, Append To, Assign or Share.

And if that wasn’t enough yet, there are also the Miscellaneous Privileges to be set.


Ok, that was the second tab!

I’m going to skip the following tabs for now, but I don’t want to skip the custom entities. This is where we canvas app-ers get caught out most often.


You’ve created a custom entity and then forgot to supply the permissions. So make sure that you sort that out before you get caught out!
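The access levels and privileges above, and the forgotten custom entity, can be modelled in a few lines. This Python sketch is an added example, not code from the original post or from Microsoft; the business units, roles, users and the custom entity cr_visit are constructed. It assumes roles are cumulative (the highest level granted wins) and ignores sharing, team ownership and hierarchy security.

```python
from enum import IntEnum

class Level(IntEnum):  # the five access levels, lowest to highest
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3
    ORGANISATION = 4

# Constructed sample data: every name below is hypothetical.
BU_PARENT = {"Contoso": None, "Sales": "Contoso", "Sales-EMEA": "Sales"}
ROLES = {
    "Salesperson": {("account", "Read"): Level.BUSINESS_UNIT,
                    ("account", "Write"): Level.USER},
    "Sales Manager": {("account", "Read"): Level.PARENT_CHILD},
    "App User": {("account", "Read"): Level.USER},  # cr_visit was forgotten
}
TEAM_ROLES = {"Sales Team": ["Salesperson"], "App Users": ["App User"]}
USERS = {
    "alice": {"bu": "Sales", "roles": ["Sales Manager"], "teams": ["Sales Team"]},
    "bob": {"bu": "Sales-EMEA", "roles": [], "teams": ["App Users"]},
}

def in_subtree(bu, root):
    """True if business unit `bu` is `root` or one of its descendants."""
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT[bu]
    return False

def effective_level(user, entity, privilege):
    """Highest level granted by any role held directly or through a team."""
    u = USERS[user]
    names = u["roles"] + [r for t in u["teams"] for r in TEAM_ROLES[t]]
    return max((ROLES[n].get((entity, privilege), Level.NONE) for n in names),
               default=Level.NONE)

def can_access(user, entity, privilege, owner):
    """Decide access to a record of `entity` owned by the user `owner`."""
    level = effective_level(user, entity, privilege)
    user_bu, owner_bu = USERS[user]["bu"], USERS[owner]["bu"]
    if level == Level.ORGANISATION:
        return True
    if level == Level.PARENT_CHILD:
        return in_subtree(owner_bu, user_bu)
    if level == Level.BUSINESS_UNIT:
        return owner_bu == user_bu
    return level == Level.USER and owner == user

def entities_without_read(user, entities):
    """Audit helper: entities the user cannot read at any level."""
    return [e for e in entities if effective_level(user, e, "Read") == Level.NONE]
```

Running entities_without_read for every app user against the list of entities an app uses is a quick pre-release check for the "users see no data" symptom.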

Hierarchy security

With hierarchy security you can set permissions for data owned by users to be visible to their managers. This can go across multiple levels of hierarchy.


Position

Position security is similar to hierarchy security; however, this time there is no manager/reportee relation between people.


Note that for both Position and Hierarchy security you will need to consider performance. But then in general, the more complicated your security model becomes the more you need to consider which options you go for.

Mobile configuration

Mobile configuration has been included in the Security section of the Power Platform Admin Center, hence I’m including it here. However, this is much less about securing your data from an access perspective. It is more about which data users can use in offline mode on their phones.


So this data will be synchronized to their phones.


By Pieter Veenstra

Business Applications Microsoft MVP working as a Principal Architect at HybrIT Services Ltd. You can contact me using contact@sharepains.com
