Privileges and Access Levels
A security role grants a matrix of privileges (Create, Read, Write, Delete, Append, Append To, Assign, Share) for each table, and each privilege carries an access level that defines how far it reaches: None, User (only records you own), Business Unit, Parent-Child Business Units, or Organization (every record regardless of owner or business unit). A user's effective access is the union of every security role assigned to them or their team, so roles are additive, not restrictive.
Cricket analogy: A player's central contract grants different access levels for different formats — full national team selection (Organization level) versus only domestic squad selection (Business Unit level), just as a security role scopes access differently per privilege.
Business Units and Hierarchy
Business units organize your Dataverse environment into a hierarchy that mirrors organizational structure — a root business unit with child business units beneath it, such as separate units for Sales, Support, and Marketing. Access levels like Parent-Child Business Units let a role at a parent unit see records owned by users in every child unit beneath it, which is useful for regional managers who need visibility across multiple local teams without granting full organization-wide access.
Cricket analogy: A national cricket board's root business unit oversees state associations as child units, and a national selector role with Parent-Child access can see player records across every state team, but not other nations.
Teams and Role Assignment
Rather than assigning security roles to every individual user, Dataverse encourages assigning roles to teams — owner teams (which can own records directly and have roles assigned) or Microsoft Entra ID (Azure AD) group teams (which automatically sync membership from a security group). A user's effective privileges are the combined maximum across every role they hold directly plus every team they belong to, so removing a user from a team can reduce their access without touching their user record at all.
Cricket analogy: Assigning fielding positions to an entire slip cordon rather than briefing each fielder individually is like assigning a security role to a team instead of configuring every user one by one.
// Example: security role privilege matrix (conceptual JSON representation)
{
"roleName": "Regional Sales Manager",
"privileges": {
"opportunity": {
"read": "ParentChildBusinessUnits",
"write": "ParentChildBusinessUnits",
"create": "User",
"delete": "None",
"assign": "ParentChildBusinessUnits",
"share": "User"
},
"account": {
"read": "Organization",
"write": "ParentChildBusinessUnits"
}
}
}Use the built-in security role Preview pane (or the 'Enable role preview' feature) to see a live diagram of exactly which access level each privilege grants before assigning the role, catching accidental Organization-level grants early.
Because effective access is the union of every role a user or their teams hold, granting even one Organization-level role by mistake overrides every other more restrictive role — always audit combined access after adding a user to a new team, not just the individual role's settings.
- Security roles define a matrix of privileges (Create, Read, Write, Delete, Append, Append To, Assign, Share) per table.
- Each privilege has an access level: None, User, Business Unit, Parent-Child Business Units, or Organization.
- A user's effective access is the union of all roles assigned directly and through team membership.
- Business units create an organizational hierarchy that scopes Parent-Child and Business Unit access levels.
- Owner teams and Microsoft Entra ID group teams let admins assign roles once and manage membership centrally.
- Removing a user from a team can reduce access without editing the user's record directly.
- Always audit combined effective access after changes, since roles are additive and one broad role can override intent.
Practice what you learned
1. What determines a user's effective access in Dataverse when they hold multiple security roles?
2. Which access level lets a role see records owned by users across an entire parent business unit and all its child units?
3. What is the benefit of assigning a security role to a team instead of individual users?
4. Which privilege in a security role controls whether a user can transfer ownership of a record to someone else?
5. Why is it risky to grant an Organization-level access level on a privilege by mistake?
Was this page helpful?
You May Also Like
Dataverse Tables and Relationships
Learn how Microsoft Dataverse organizes data into tables, columns, and relationships that power Model-Driven and Canvas apps.
Business Rules
Apply no-code logic in Dataverse tables to set field values, show warnings, and enforce validation without writing JavaScript.
Model-Driven App Navigation (Sitemap)
Learn how the Sitemap defines the navigation structure — areas, groups, and subareas — that users see in a Model-Driven App.
Related Reading
Related Study Notes in Microsoft Technologies
Browse all study notesWindows 10 / UWP Development Study Notes
.NET · 30 topics
Microsoft TechnologiesWindows Batch Scripting Study Notes
Batch · 30 topics
Microsoft TechnologiesMFC (Microsoft Foundation Classes) Study Notes
C++ · 30 topics
Microsoft TechnologiesSilverlight Study Notes
.NET · 30 topics
Microsoft TechnologiesXAML Study Notes
.NET · 30 topics
Microsoft TechnologiesWPF (Windows Presentation Foundation) Study Notes
.NET · 30 topics