Designing a Scalable Security Model in Dynamics 365 Using Business Units, Teams, and Record Ownership

Views:

Details

Scenarios / Symptoms

Need to segregate access for multiple departments (e.g., Customer Service vs. Finance).
Require cross‑team collaboration without exposing all records.
Need a scalable model for regional or functional divisions.

Root Cause

Security issues often arise from:

Misaligned Business Unit (BU) structure.
Overreliance on user‑level roles rather than team‑based access.
Mixing owner and access team concepts without clear governance.

Resolution Steps

1) Plan the Business Unit Structure

Use Business Units to create logical security boundaries (e.g., UK, EMEA, APAC or Customer Service vs. Field Service).
Keep the number of BUs minimal to reduce complexity.
Place users and owner teams in the BU where their primary work happens.

Navigation:
Power Platform Admin Center → Environments → Select Environment → Settings → Users + permissions → Business units.

2) Choose Record Ownership Model

User/Team-owned tables (e.g., Case, Account) for Customer Service records.
Use Owner Teams to centralize ownership for shared queues or shared workload.
Use Access Teams for fine-grained sharing on individual records (ad-hoc collaboration).

3) Assign Security Roles at the Right Level

Grant Security Roles to Teams first (preferred), then add users to those teams.
Use least privilege:
- Organization-level only when necessary.
- Prefer Business Unit or Parent: Child Business Units scope.
Example roles for Customer Service:
- CSR – Case Agent
- CSR – Supervisor
- CSR – Knowledge Manager
- CSR – Queue Manager

Navigation:
Power Platform Admin Center → Environments → Environment → Settings → Users + permissions → Security roles.

4) Use Teams for Flexibility

Owner Teams: Own records; have roles; belong to a BU.
Access Teams: Do not own records; provide shared access; dynamic team membership through rules or manually.
Azure AD (Microsoft Entra) Group Teams: Map M365 groups to Dataverse teams for automated membership.

Navigation:
Advanced Settings → Security → Teams → New.

5) Optional: Hierarchy Security

Enable Manager hierarchy to allow managers to access subordinates’ records.
Restrict by depth and scopes to avoid overexposure.

Navigation:
Settings → Security → Hierarchy Security.

Validation / Expected Outcome

Users only see what they need based on BU, team membership, and role scopes.
Supervisors can see team records via hierarchy or team ownership.
Collaboration enabled via Access Teams/sharing without over-permissioning.

FAQs / Notes

Prefer team-based roles for simplified provisioning.
Keep BU changes minimal—moving users across BUs impacts access and may trigger reindexing.
For omnichannel scenarios, align queues and routing with teams to simplify security.

Keywords: Dynamics 365, Security, Scalable