100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Low-Code

Security Roles in Dataverse

Understand how Dataverse security roles, privileges, and access levels control who can see and do what with your data.

Model-Driven AppsIntermediate10 min readJul 10, 2026
Analogies

Privileges and Access Levels

A security role grants a matrix of privileges (Create, Read, Write, Delete, Append, Append To, Assign, Share) for each table, and each privilege carries an access level that defines how far it reaches: None, User (only records you own), Business Unit, Parent-Child Business Units, or Organization (every record regardless of owner or business unit). A user's effective access is the union of every security role assigned to them or their team, so roles are additive, not restrictive.

🏏

Cricket analogy: A player's central contract grants different access levels for different formats — full national team selection (Organization level) versus only domestic squad selection (Business Unit level), just as a security role scopes access differently per privilege.

Business Units and Hierarchy

Business units organize your Dataverse environment into a hierarchy that mirrors organizational structure — a root business unit with child business units beneath it, such as separate units for Sales, Support, and Marketing. Access levels like Parent-Child Business Units let a role at a parent unit see records owned by users in every child unit beneath it, which is useful for regional managers who need visibility across multiple local teams without granting full organization-wide access.

🏏

Cricket analogy: A national cricket board's root business unit oversees state associations as child units, and a national selector role with Parent-Child access can see player records across every state team, but not other nations.

Teams and Role Assignment

Rather than assigning security roles to every individual user, Dataverse encourages assigning roles to teams — owner teams (which can own records directly and have roles assigned) or Microsoft Entra ID (Azure AD) group teams (which automatically sync membership from a security group). A user's effective privileges are the combined maximum across every role they hold directly plus every team they belong to, so removing a user from a team can reduce their access without touching their user record at all.

🏏

Cricket analogy: Assigning fielding positions to an entire slip cordon rather than briefing each fielder individually is like assigning a security role to a team instead of configuring every user one by one.

json
// Example: security role privilege matrix (conceptual JSON representation)
{
  "roleName": "Regional Sales Manager",
  "privileges": {
    "opportunity": {
      "read": "ParentChildBusinessUnits",
      "write": "ParentChildBusinessUnits",
      "create": "User",
      "delete": "None",
      "assign": "ParentChildBusinessUnits",
      "share": "User"
    },
    "account": {
      "read": "Organization",
      "write": "ParentChildBusinessUnits"
    }
  }
}

Use the built-in security role Preview pane (or the 'Enable role preview' feature) to see a live diagram of exactly which access level each privilege grants before assigning the role, catching accidental Organization-level grants early.

Because effective access is the union of every role a user or their teams hold, granting even one Organization-level role by mistake overrides every other more restrictive role — always audit combined access after adding a user to a new team, not just the individual role's settings.

  • Security roles define a matrix of privileges (Create, Read, Write, Delete, Append, Append To, Assign, Share) per table.
  • Each privilege has an access level: None, User, Business Unit, Parent-Child Business Units, or Organization.
  • A user's effective access is the union of all roles assigned directly and through team membership.
  • Business units create an organizational hierarchy that scopes Parent-Child and Business Unit access levels.
  • Owner teams and Microsoft Entra ID group teams let admins assign roles once and manage membership centrally.
  • Removing a user from a team can reduce access without editing the user's record directly.
  • Always audit combined effective access after changes, since roles are additive and one broad role can override intent.

Practice what you learned

Was this page helpful?

Topics covered

#LowCode#PowerAppsStudyNotes#MicrosoftTechnologies#SecurityRolesInDataverse#Security#Roles#Dataverse#Privileges#StudyNotes#SkillVeris