Have you noticed that there is a new feature that’s been added to the security model in Dataverse, and it’s called “Matrix Business Units”?
It is in preview, and it is being rolled out. To be honest, it’s not yet available in the environments I have access to, so I’m just waiting to see it there, but, based on the private preview experience, this is going to be of great help in many cases.
Because, you see, once it is available and enabled, we’ll be able to achieve the following:
- Keep our users in any BU
- While giving them access to other BU-s by assigning roles in those BU-s
- Assign records to the users, while keeping the same records associated with just about any BU in the system
For example, imagine two different business units with different groups of users. You might want each group to see records associated with their respective BU, but you might still want to allow a few users from another BU to have access, too.
Here is what might happen then:
- If a user from another BU were to create a record, that record would be associated with the creator’s business unit (since, by default, the creator becomes the owner)
- Which is still going to be the case, but you will now be able to change the BU that new record belongs to while still keeping it with the original owner
That would allow the user who created the record to have full access to it, while also allowing all users from the BU with which that record is associated to have access to it through the security roles.
That, however, does not change the basics of owner-based / BU security. If a record belongs to a business unit, anyone who needs access to that record should have at least some role in that BU that gives them access to the record (even the owner of the record).
The whole point, though, is that now we’ll be able to give roles in the BU-s without having to add users to teams, and, also, we’ll be able to decouple “owners” from “owning business units”.
Anyways, I’d be happy to share screenshots, but, given that private preview might have been somewhat different from the public preview, I’ll hold off and wait till this has been rolled out.
So, then, this post is *TO BE CONTINUED*
Nov 22: Here is part 2 of this post
Really interesting new feature that will offer more flexibility when it comes to security configs in multi-BU applications. Also, as I see it, this new feature should offer a better, or at least more granular, way to prevent users from accessing data they should not be able to access.