Team based Security in Microsoft Dynamics 365 CE : Owner Team (Part 2)

At Microsoft Dataverse, where the role-based security limit is only accessible to the parent business unit, the team allows us to work across all business units. The owner team acts like a role-based security, but the two are not the same. While owner teams are associated with a business unit, as they are required to assign security roles, team members are not required to have a relationship with the same business unit. This is beneficial when business people need to collaborate in business units. In other words, the role based boundary can be broken using the owner team while the business objects are still owners.


As the definition by Microsoft Doc:

 An owner team owns records and has security roles assigned to the team. The team’s privileges are defined by these security roles. In addition to privileges provided by the team, team members have the privileges defined by their individual security roles and team member’s privilege inheritance roles, and by the roles from other teams in which they are members. A team has full access rights on the records that the team owns. Team members are added manually to the owner team.


When to Use Owner Teams:
  • Organization policies require the ability of records to be owned by entities other than users. Such as a team.
  • The number of teams is known at the design time of your system.
  • Daily reporting on progress by owning teams is required
Advantages of Owner Teams:
  • Single business objects can be shared and collaborated with multiple users and departments.
  • It breaks the limits of the business unit.
  • It is a best practice to manage/administer all user permissions in this way, even if the team has only one user.
  • A user can be assigned to multiple teams if the user's business functions are diverse and blended across departments.
  • Privileges are granted by security roles and change dynamically as the role definition changes.
  • will be cached in CRM Server when a user accesses the application.
Microsoft introduced a new privilege inheritance.

Team member’s privilege inheritance

User and Team privileges
User privileges: User is granted these privileges directly when a security role is assigned to the user. User can create and has access to records created/owned by the user when Basic access level for Create and Read were given.

Team privileges: User is granted these privileges as member of the team. For team members who do not have user privileges of their own, they can only create records with the team as the owner and they have access to records owned by the Team when Basic access level for Create and Read were given.

You can also set this privilege inheritance property for all out-of-the-box security roles except the System Administrator role. When a privilege inheritance security role is assigned to a user, the user gets all the privileges directly.

Team creation steps:
  1. In the web app, go to Settings > Advanced Settings.
  2. Select Settings > Security. In Microsoft Dynamics 365 for Outlook, go to Settings > System >
  3. Security.
  4. Select Teams.
  5. On the Actions toolbar, select New button.
  6. Enter a team name.
  7. Select a business unit.
  8. Enter an administrator.
  9. Select Owner in Team Type.
  10. Complete other required fields, and then select Save.


Team Name: Create unique name for new team name.
Business Unit:  Because we need to assign security roles, we need to assign business units.
Administrator:
  1. Team administrators have access to Team owned records.
  2. Team administrators do not need to be added to a team and do not show up as a member of the team.
Azure AD Object Id for a Group: This is option for Owner Team.
Description: Optional 
Team Member: Add the Team member

Special points:
  • A security role can be set to provide a team member with direct Basic-level access user privileges. A team member can create records that they own and records that have the team as owner when the Basic access level for Create is given. When the Basic access level for Read is given, team member can access records that are owned by both that team member and by the team.
  • If an owner team doesn’t own records and doesn’t have security roles assigned to the team, it can be converted to an access team.
  • It is a one-way conversion. You can’t convert the access team back to the owner team. During conversion, all queues and mailboxes associated with the team are deleted. 
  • When you create a team in the web application, you have to choose the team type Owner.
Conclusion:

In summary, Role based security grants the permission for business units, but we can take leverage to collaborate and share the business objects across the business units by help of Owner Team. In other words, An owner team owns records and has security roles assigned to the team. The team’s privileges are defined by these security roles. A team has full access rights on the records that the team owns. Team members are added manually to the owner team.

Comments

Popular posts from this blog

PCF vs. Web Resources: Choosing the Right Extensibility Tool for Dataverse

Is Debt Prosperity or Trap?

Exam PL-400: Microsoft Power Platform Developer