
Hierarchy Security in Dataverse

23rd October 2023

Ever have that scenario in your organisation where you need a manager to be able to see the data that their reports have ownership of? For example, an industry lead for Sales should be able to see the accounts that their reporting account executives own… 🤔

In Microsoft’s Low Code data platform, Dataverse, this concept exists out of the box with very little configuration to do, and so in this post, I’ll show you how to configure hierarchy security for Dataverse organisations with a few simple clicks! 🖱️ 🐭

2 options

We have two options when it comes to hierarchy models for Dataverse hierarchy security: the manager hierarchy model or the position hierarchy model. Both of these models, and hierarchy security in general, are based on the ownership or direct sharing of data via users or teams. If a user has organisation-level permissions to see accounts, it does not mean their manager will also have that permission. Rather, the manager of that user will have access to any accounts the user owns and any shared directly with them via users or teams.

Manager hierarchy model

In the manager hierarchy model, as a manager I can access any data my direct reports have access to because they own those records, because they are part of a team that owns those records, or because those records have been shared directly with the user (the report).

Manager Hierarchy – Microsoft

Position hierarchy model

By using the position hierarchy model, we’re able to tag different users in Dataverse / Dynamics 365 with the position they have in the organisation. Then we define the position hierarchy in the organisation. With those things configured, access to data is controlled by the level of the organisation chart people sit at. So rather than a sales manager only having access to their own sales executives’ data, all sales managers will have access to every salesperson’s data, because all salespeople sit on the level below sales managers.

Position hierarchy – Microsoft

Business units

There is more to take into account when users have managers who sit in separate business units. In those cases, if you want managers to be able to access data owned by direct reports in different business units, you’ll need to enable the record ownership across business units feature.

Depth

When configuring hierarchy security in Dataverse, there is also the concept of depth, which we can configure. Depth lets you control how many levels down a manager has access to, i.e. whether they can only access their direct reports’ data, or whether they can also access the next level of reports below that, and so on. This is set by a numeric value.
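To make the rules above concrete before choosing a depth, here is an added example (not from the original post, and not Dataverse's own implementation) that models the manager hierarchy with a depth limit. The user names, records and function names are constructed for illustration, and the model ignores business units and read/write distinctions.

```python
from collections import defaultdict

# Constructed sample data: user -> manager (None = top of the chain).
MANAGER_OF = {
    "vp_sales": None,
    "lead_a": "vp_sales", "lead_b": "vp_sales",
    "exec_1": "lead_a", "exec_2": "lead_a", "exec_3": "lead_b",
}
# Constructed sample data: record -> users who own it or have it shared with
# them directly (team ownership is flattened to the team's members here).
RECORD_HOLDERS = {
    "account_contoso": {"exec_1"},
    "account_fabrikam": {"exec_2", "exec_3"},
    "account_northwind": {"lead_b"},
}
# Users whose security role grants organisation-level read on accounts.
ORG_LEVEL_READERS = {"exec_3"}


def reports_within_depth(manager, depth):
    """Map each report within `depth` levels below `manager` to its level."""
    children = defaultdict(list)
    for user, mgr in MANAGER_OF.items():
        if mgr is not None:
            children[mgr].append(user)
    found, frontier = {}, [manager]
    for level in range(1, depth + 1):
        frontier = [c for m in frontier for c in children[m]
                    if c != manager and c not in found]
        for c in frontier:
            found[c] = level
    return found


def visible_records(user, depth):
    """Records `user` can see through their role, ownership or the hierarchy."""
    if user in ORG_LEVEL_READERS:
        return set(RECORD_HOLDERS)
    # The hierarchy passes up only what reports own or were shared directly,
    # never what a report can see through an organisation-level role.
    reach = {user} | set(reports_within_depth(user, depth))
    return {rec for rec, holders in RECORD_HOLDERS.items() if holders & reach}


if __name__ == "__main__":
    for depth in (1, 2):
        print(depth, "vp_sales", sorted(visible_records("vp_sales", depth)))
    print(1, "lead_b", sorted(visible_records("lead_b", 1)))
```

Running it shows that raising the depth from 1 to 2 widens what vp_sales can see from one account to all three, while lead_b does not inherit exec_3's organisation-level view.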

Configuring hierarchy security

So first we’ll need to navigate to the Power Platform admin center. To do this go to admin.powerplatform.microsoft.com/environments

From here, select the environment you want to configure hierarchy security for then select settings in the ribbon.

Next under users and permissions, select ‘Hierarchy security’.

Cool! Now we’re at the page where we can start to configure hierarchy security for this organisation / environment.

From here we can choose either the manager or the position hierarchy option. For the manager hierarchy, we can then open up the user table, which will utilise the structure we have configured in Microsoft Entra ID. For the position hierarchy, we can configure users’ positions in Dataverse and utilise the position hierarchy model.

Then we can set the depth and finally we can exclude any tables from the model which shouldn’t adopt the set of rules configured for hierarchy security.

And that’s it! Save your changes and that’s you configured with a hierarchy security model. All that without a single line of code or even a formula! Just a few clicks 😉 🖱️ 🐭

Did you like this content? 💖

Did you like this content? Check out some of the other posts on my blog, and if you like those too, be sure to subscribe to get my posts directly in your inbox for free!
