When dealing with advanced security requirements, Modernized Business Units are the go-to feature for implicit access across Dataverse records. Essentially, by turning on this environment switch, you enable two things:
- Dataverse tables with User or Team ownership type also have an owningbusinessunit reference. Without Modernized Business Units, this reference is always set to the business unit of the record owner (user or team) and cannot be modified. Modernized Business Units allow changing this reference independently of the current record owner.
- Every business unit in Dataverse gets its own set of Dataverse security roles. In practice, when you enable this feature in an environment, Dataverse generates, for every existing business unit, its own security role to be used in the context of that business unit. Creating a new security role also creates the role for each existing business unit. Creating a new business unit triggers generation of a new set of security roles.
Find out more about Modernized Business Units on MS Learn:
- Modernized business units security - Power Platform | Microsoft Learn
- Security concepts in Microsoft Dataverse
With that being said, what was not obvious to me from the documentation and community resources is how the Parent: Child Business Unit access level works when used in the context of a business unit other than the user’s main business unit.
The documentation says: “Users can access records in their business unit and all business units subordinate to it. Users with this access automatically have business unit and user access.”
To me, “their business unit” implies that this access level should work only in the context of the business unit the user belongs to and not when granted a security role in another business unit somewhere else in the hierarchy. Let’s put it to the test.
Let’s imagine this simple scenario.

A user (Bob) belongs to business unit BU1, which is a direct child of the root BU.

In the hierarchy, another set of business units exists, where a specific contact “Contact 1” is owned by BU3, which is a direct child of BU2.
By utilizing Modernized Business Units, the user is assigned a custom security role, Contact reader, in BU2. This security role definition contains a privilege that allows reading contact records with the access level Parent: Child Business Unit.

Let’s impersonate Bob and try to access Contact 1.

And indeed, as you can see, this scenario works. The Parent: Child Business Unit access level can be utilized when giving someone access to a part of the BU hierarchy that is outside the scope of the user’s main BU.
This shows me how truly robust the inherent Dataverse security model is. I can imagine that in a lot of scenarios where implementations utilize explicit access methods (sharing, access teams), this would be a better alternative in my opinion, as the scaling options are much better, since we are not polluting the principalobjectaccess table, which causes performance issues when overused.
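
The scenario above as a small Python model, added here as an illustration; it is not code from the original post and not how Dataverse implements the check. It covers only the Business Unit, Parent: Child Business Unit and Organization access levels, evaluates them against the record's owning business unit, and assumes Bob holds no role other than Contact reader in BU2; the names `Depth`, `PARENT`, `can_read` and `scenario` are made up for the example.

```python
from enum import IntEnum

class Depth(IntEnum):
    BUSINESS_UNIT = 1   # records owned by the business unit the role is assigned in
    PARENT_CHILD = 2    # that business unit plus every unit below it
    ORGANIZATION = 3    # every business unit in the environment

# Constructed hierarchy from the scenario: child -> parent (the root has none).
PARENT = {"Root": None, "BU1": "Root", "BU2": "Root", "BU3": "BU2"}

def is_same_or_descendant(bu, ancestor):
    """True if `bu` is `ancestor` or sits anywhere below it in PARENT."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = PARENT[bu]
    return False

def can_read(assignments, table, owning_bu):
    """assignments: list of (role_bu, {table: Depth}) pairs held by one user."""
    for role_bu, privileges in assignments:
        depth = privileges.get(table)
        if depth is None:
            continue
        if depth == Depth.ORGANIZATION:
            return True
        if depth == Depth.PARENT_CHILD and is_same_or_descendant(owning_bu, role_bu):
            return True
        if depth == Depth.BUSINESS_UNIT and owning_bu == role_bu:
            return True
    return False

# Assumption: Bob's home unit is BU1, and his only role is Contact reader in BU2.
CONTACT_READER = {"contact": Depth.PARENT_CHILD}
bob = [("BU2", CONTACT_READER)]

def scenario():
    """Evaluate the post's case plus the neighbouring cases worth checking."""
    bu_only = [("BU2", {"contact": Depth.BUSINESS_UNIT})]
    return {
        "Contact 1 (owned by BU3)": can_read(bob, "contact", "BU3"),
        "contact owned by BU2": can_read(bob, "contact", "BU2"),
        "contact owned by BU1": can_read(bob, "contact", "BU1"),
        "contact owned by Root": can_read(bob, "contact", "Root"),
        "BU3 contact, Business Unit depth only": can_read(bu_only, "contact", "BU3"),
    }

if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'read allowed' if allowed else 'no access'}")
```

The last case is the one to check when reviewing role definitions: the same role with only Business Unit depth, assigned in BU2, would not reach records owned by BU3.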