Security and Authorization in Dataverse
Roles, modernized business units, teams, hierarchies, and sharing: everything you need to build a robust security model in Microsoft Power Platform.
Introduction to Dataverse Authorization
Microsoft Dataverse is the core of security in Power Platform. Each Dataverse-based application — such as Power Apps or Dynamics 365 — adopts a multilayered security model combining authentication, roles, business units, and granular control over records and columns. Authorization determines which users can access data and what actions they can perform.
This model integrates with Azure Active Directory, enabling centralized management of identities and permissions. Users or teams in Dataverse act as the main security principals and are associated with roles defining their privileges.
Security Roles and Permissions
Security roles define access rights for each table and function. Each role can assign different permission levels for eight main transaction types: create, read, update, delete, assign, share, append, and append to. These levels determine whether a user can operate only on their own records or on those of their business unit.
| Permission Level | Description |
|---|---|
| None | No access to records or functions. |
| User | Access only to records owned by the user. |
| Business Unit | Access to records owned by the user and other members of the same business unit. |
| Parent/Child Business Units | Access to records owned by the business unit and all subordinate units. |
| Organization | Full access to all records in the organization. |
Proper configuration of these roles is essential to maintain a secure and consistent environment. Best practices recommend creating new custom roles based on copies of standard roles rather than altering the original system roles.
Business Units and Organizational Hierarchies
The hierarchical model of Business Units forms the backbone of the Dataverse authorization system. Each user is assigned to a specific business unit, and privileges derive both from assigned roles and the position in the hierarchy. Users can access data based on their business unit level.
In the classic model, moving a user between business units results in the loss of previously assigned roles. However, with the introduction of Modernized Business Units, it’s now possible to assign roles from multiple business units, overcoming the limitations of the traditional approach.
This approach enhances flexibility and supports cross-department collaboration across complex enterprise structures.
Teams and Sharing
Teams in Dataverse simplify permission management. Teams can be created as internal groups or linked to Azure Active Directory (AAD) security groups. In the latter case, members automatically inherit the team's roles, reducing administrative overhead.
There are several types of teams:
- User Teams: manually managed teams where members are added individually.
- AAD Security Group Teams: linked directly to Azure AD security groups.
- Office 365 Teams: connected to Microsoft 365 groups for shared access and collaboration.
Direct record sharing between users or teams is possible but should be used cautiously. It is generally better to use roles and teams to maintain a structured and auditable permission model.
App and User Interface Authorization
Beyond data access, Dataverse allows control over applications and interface components. Specific roles can be assigned to model-driven apps so that only authorized users can access them. The same principles apply to forms and dashboards.
- Forms: access controlled by roles, with the ability to set a fallback form.
- Dashboards: visibility configured per role, with default dashboard options.
This granularity enables personalized experiences for each business function while reducing the risk of exposing irrelevant data.
Column-Level Security and Data Protection
For highly sensitive data, Dataverse provides column-level security. This feature allows limiting access to specific columns within a table, such as account numbers or personal details. Only members of configured column security profiles can view or modify those fields.
Protection extends to the Dataverse API: user credentials automatically determine whether a column is accessible, ensuring consistency between the interface and backend layers.
Best Practices for Dataverse Authorization
- Create custom roles based on standard ones.
- Use group teams to simplify permission management.
- Apply the principle of least privilege to every table and column.
- Configure session timeouts and inactivity controls at the environment level.
- Limit direct sharing to reduce complexity.
- Avoid editing system roles directly.
Following these guidelines ensures a consistent, scalable, and enterprise-grade security model that supports complex Power Platform deployments.
Frequently Asked Questions about Dataverse Authorization
What is the difference between a user role and a team role?
A user role applies to an individual account, while a team role is assigned to a group of users. Team members automatically inherit the privileges of the team role.
Can a user have multiple roles?
Yes. A user can hold multiple roles simultaneously, and their permissions are cumulative. This allows combining access rights for different functional areas.
How do Modernized Business Units work?
Modernized Business Units allow assigning roles from multiple units, eliminating the rigid hierarchy of the traditional model and improving cross-department collaboration.
Explore Power Platform Security
Learn how to configure secure environments, manage roles and access policies, and apply enterprise-scale models for Dataverse and Power Platform.