The Complete Dataverse Access Teams Setup Guide
Dataverse access teams grant team members permission to a specific record in a table. They also have the ability to grant access to any related child records. Access teams are best used when a unique set of users needs access to each individual record in a table and when the number of teams needed is not known during the solution’s design. Permissions granted by access teams are in addition to access granted by record ownership and security roles. In this article I show you the complete method to set up Dataverse access teams.
Table of Contents
• Introduction: The Equipment Management App
Access Teams Setup For Parent Record:
• Create A New Dataverse Table
• Add An Access Team Template
• Setup A New Security Role
• Apply The Security Role To A User
• Add An Access Team Members Subgrid To The Main Form
• Assign A User To A Record's Access Team
• Check The Access Team Member's Permissions For A Record
Access Teams Setup For Child Records:
• Grant Access To Child Records Upon Access Team Assignment
• Define The Lookup Column Relationship Behaviour
• Add The Child Records Table To The Security Role
• Populate The Child Records Table With Data
• Check The Access Team Member's Permissions To Child Records
Introduction: The Equipment Management App
On-site Service Technicians at a printer & copier leasing company use the Equipment Management App to see information about the equipment on-lease. Technicians are added to an Access Team for their customer’s building when they become responsible for maintenance at the customer’s location.
The Service Technician can only see Building Facilities they are assigned to.
And they can only see Equipment within the Building Facilities they are assigned to.
Create A New Dataverse Table
When a Service Technician opens the Equipment Management App they will see a list of all Building Facilities they are assigned to. Open the Power Apps Maker Portal and create a new table named Building Facility inside of a solution.
Populate the Building Facilities table with the following data.
Name |
3330 Union Park |
40 Village Junction |
736 Delaware Place |
74 Carpenter Road |
776 Mayer Trail |
Then create a new Model Driven App named Equipment Management and add the Building Facilities table to it. The app should look like the image below.
Enable Access Teams For A Dataverse Table
Access Teams must be enabled for any Dataverse table that will use them. Go to the Building Facility table settings, find the Rows in this table settings group, and check the box for Have An Access Team. Then press Save.
Add An Access Team Template
An access team template defines the permission level granted to the user when they are assigned to a record’s access team. To add an Access Team template, go to the solution explorer and select New > More > Other > Team Template.
On the New Team Template menu provide the name Building Facility (Read-Write-Append). Select the table Building Facility. Then specify these Access Rights: Read, Write, Append, Append To. Save and close once finished.
Setup A New Security Role
Any User assigned to an Access Team must have a security role with at least User level permissions to each Access Right (Read, Write, Append, Append To). In the Power Platform Admin Center create a new security role named Equipment Management App User.
Then grant the following permissions to the Building Facility table.
- Read – User
- Write – User
- Append – Organization
- Append To – Organization
Apply The Security Role To A User
The Equipment Management App User security role must be applied to the User who will be assigned to an Access Team. Go to the User settings in the Power Platform Admin Center and grant the new role to a User.
Add An Access Team Members Subgrid To The Main Form
Assignment of a User to an Access Team can be done using a subgrid on the Building Facility table’s main form. Navigate to the Building Facility main form in the solution explorer and choose Edit.
The main form initially has only a Name and Owner field.
Add a new subgrid to the form with the following options:
- Show related records – unchecked
- Table – Users
- Default – Associated Record Team Members
- Team Template – Building Facility (Read-Write-Append)
The subgrid now appears in the Building Facility main form. Give it the title Access Team Members and then save and publish the form. We have now completed setup for Access Teams on the Building Facility table.
Assign A User To A Record’s Access Team
When a Service Technician is assigned to work at a building facility we want them to see its record in the Equipment Management App. Open the Model Driven App and browse to a Building Facility record. Select the Add User button in the Access Team Members subgrid.
Choose the User who was previously granted the Equipment Management App User security role. Then press Add.
The User is now assigned to the Building Facility record’s access team.
Check The Access Team Member’s Permissions For A Record
There are two ways to validate the newly assigned User’s access to Building Facility records. The first is to navigate to a specific record in the Model Driven App and go to the Check Access menu.
In the Check Access dialog, change the User lookup field to the assigned User. We can see they have Read, Write, Append & Append To permissions because the record was shared with a team that they are a member of.
The second method to verify the User’s access to Building Facility records is to log in as that User. There are 5 records total in this table. But the User only sees the single record they were assigned.
Grant Access To Child Records Upon Access Team Assignment
When assigning a User to an Access Team for a parent record we can also grant access to any related child records. In the Equipment Management App, we want to assign Users to a Building Facility’s access team and then also grant access to any Equipment at that building.
Create a new table named Equipment with the following columns:
- Name (Text)
- Building Facility (Lookup)
Do not populate the Equipment table with any values yet. We must first configure the relationship between the Building Facility and Equipment tables. As a preview, here is what the table will eventually look like once it is filled in with data.
Define The Lookup Column Relationship Behaviour
An access team for a parent record will cascade to the child record when the relationship behaviour is set to either Parental or Custom with Cascade All Share & Unshare. In the Equipment table the Building Facility column is a lookup type column.
Go to the relationship for the Building Facility and choose Parental as the type of behaviour. Then select Done.
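The relationship behaviour chosen here decides which child tables inherit a parent's shares, so it is worth auditing across every 1:N relationship of the parent table. The following is an added example, not code from the original article: it classifies the Share and Unshare values found in the CascadeConfiguration of the Web API's OneToManyRelationshipMetadata. The cr123_ prefix, the servicenote and contract tables, and the sample metadata are constructed assumptions.

```python
# Judge, from the Share/Unshare values of a relationship's CascadeConfiguration,
# whether shares made on the parent row reach rows of the child table.
def classify(rel):
    cfg = rel.get("CascadeConfiguration", {})
    share = cfg.get("Share", "NoCascade")
    unshare = cfg.get("Unshare", "NoCascade")
    if share == "NoCascade":
        return "not-inherited"
    if unshare == "NoCascade":
        return "shared-but-not-unshared"  # a share revoked on the parent stays on children
    if share == "Cascade" and unshare == "Cascade":
        return "inherited"                # Parental, or Custom with Cascade All
    return "partially-inherited"          # Active / UserOwned reach only some child rows

def audit_children(relationships, parent, should_inherit):
    """Return sorted (child table, status, verdict) for each 1:N relationship of parent."""
    report = []
    for rel in relationships:
        if rel["ReferencedEntity"] != parent:
            continue
        child, status = rel["ReferencingEntity"], classify(rel)
        if child in should_inherit:
            verdict = "ok" if status == "inherited" else "fix: access will not follow the team"
        else:
            verdict = "ok" if status == "not-inherited" else "review: unintended exposure"
        report.append((child, status, verdict))
    return sorted(report)

# Constructed metadata. cr123_ is a hypothetical publisher prefix;
# cr123_servicenote and cr123_contract are hypothetical extra child tables.
def sample_rel(child, share, unshare):
    return {"ReferencedEntity": "cr123_buildingfacility",
            "ReferencingEntity": child,
            "CascadeConfiguration": {"Share": share, "Unshare": unshare}}

SAMPLE = [
    sample_rel("cr123_equipment", "Cascade", "Cascade"),        # Parental, as in the article
    sample_rel("cr123_servicenote", "NoCascade", "NoCascade"),  # Referential
    sample_rel("cr123_contract", "Cascade", "NoCascade"),       # Custom, mismatched
]

if __name__ == "__main__":
    expected = {"cr123_equipment", "cr123_servicenote"}
    for row in audit_children(SAMPLE, "cr123_buildingfacility", expected):
        print(row)
```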
Add The Child Records Table To The Security Role
The Equipment table must also be added to the Equipment Management App User security role. Grant the same permissions as the Building Facility table. The child records will receive the same access permissions as the parent record they are related to.
Populate The Child Records Table With Data
Now that access teams are enabled for the Equipment table we can populate it with data. Go to the Equipment table and add these records. When the Equipment record is related to a Building Facility it shares the parent record’s access team members and permissions.
Name | Building Facility |
PRINTER-001 | 3330 Union Park |
PRINTER-002 | 3330 Union Park |
PRINTER-003 | 3330 Union Park |
PRINTER-004 | 40 Village Junction |
PRINTER-005 | 40 Village Junction |
PRINTER-006 | 736 Delaware Place |
PRINTER-007 | 74 Carpenter Road |
PRINTER-008 | 74 Carpenter Road |
PRINTER-009 | 776 Mayer Trail |
PRINTER-010 | 776 Mayer Trail |
The filled-in Equipment table will look like this.
Check The Access Team Member’s Permissions To Child Records
To verify that the parent record’s access team members and permissions were shared, go to a record in the Model Driven App and open the Check Access menu.
In the Check Access dialog, change the User lookup field to the parent record’s access team member. We can see they have Read, Write, Append & Append To permissions to the child record. This is because the User is a member of an access team for a related record.
When the User opens the Equipment table they can only see 3 records for the assigned location even though there are 10 Equipment records in the database.
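The Check Access steps for Building Facility records and for child Equipment records can be automated as a least-privilege audit. The following is an added example, not code from the original article: it builds the Dataverse Web API RetrievePrincipalAccess request and compares each response with the rights the team template should grant. The org URL, GUIDs, the cr123_buildingfacilities entity set name and the sample responses are constructed placeholders.

```python
from urllib.parse import quote

# Rights granted by the "Building Facility (Read-Write-Append)" team template,
# spelled as the AccessRights flag names the Dataverse Web API returns.
TEMPLATE_RIGHTS = frozenset({"ReadAccess", "WriteAccess", "AppendAccess", "AppendToAccess"})

def principal_access_url(org_url, user_id, entity_set, record_id):
    """Build the RetrievePrincipalAccess GET request for one user and one record."""
    target = "{'@odata.id':'%s(%s)'}" % (entity_set, record_id)
    return (f"{org_url}/api/data/v9.2/systemusers({user_id})"
            "/Microsoft.Dynamics.CRM.RetrievePrincipalAccess(Target=@tid)"
            f"?@tid={quote(target)}")

def parse_rights(response):
    """Split "ReadAccess, WriteAccess" into a set; "None" means no access."""
    names = {part.strip() for part in response.get("AccessRights", "").split(",")}
    return names - {"", "None"}

def audit(responses, assigned, expected=TEMPLATE_RIGHTS):
    """Return (record, kind, rights) wherever effective access differs from intent.

    responses maps a record name to its RetrievePrincipalAccess JSON body;
    assigned holds the records the user should reach through the access team.
    """
    findings = []
    for name, body in sorted(responses.items()):
        actual = parse_rights(body)
        want = expected if name in assigned else frozenset()
        if actual - want:
            findings.append((name, "excess", sorted(actual - want)))
        if want - actual:
            findings.append((name, "missing", sorted(want - actual)))
    return findings

# Constructed sample responses for the article's technician (not real output).
FULL = "ReadAccess, WriteAccess, AppendAccess, AppendToAccess"
SAMPLE = {
    "3330 Union Park": {"AccessRights": FULL},
    "PRINTER-001": {"AccessRights": FULL},
    "PRINTER-004": {"AccessRights": "None"},
    "40 Village Junction": {"AccessRights": "ReadAccess"},    # unassigned yet readable
    "PRINTER-002": {"AccessRights": FULL + ", DeleteAccess"}, # more than the template
}
ASSIGNED = {"3330 Union Park", "PRINTER-001", "PRINTER-002"}

if __name__ == "__main__":
    print(principal_access_url("https://example.crm.dynamics.com",
                               "00000000-0000-0000-0000-000000000001",
                               "cr123_buildingfacilities",
                               "00000000-0000-0000-0000-000000000002"))
    for finding in audit(SAMPLE, ASSIGNED):
        print(finding)
```

An "excess" finding on an unassigned record usually points at a security role granting more than User-level depth, since access team permissions are added on top of role and ownership access.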
Questions?
If you have any questions or feedback about The Complete Dataverse Access Teams Setup Guide please leave a message in the comments section below. You can post using your email address and are not required to create an account to join the discussion.
Matthew, this is very timely. I am about to embark on a journey to develop a networking application for a particular industry. This article is the cat’s meow. Bravo!
Scott,
I appreciate your comments and I wish you the best of luck in building your own awesome app 🙂
Glorious thank you for all the effort! Had this exact question for a Power Pages Portal recently.
Brett,
Power Pages would be an interesting challenge because the security model is based off a Contact record and not the User right?
This is brilliant! Thank you so much for a very useful and informative post. 🙂
Kasia,
You’re welcome!
Hi Matthew,
I faced an issue when I set the security role privileges as you show, but the problem is that when I checked the user access, it shows me all privileges assigned to the user that I want to add. Normally, it should only show the assigned ones. I checked the user roles; it only has Basic and the role that I created, which is Equipment Management App User. Is it a temporary error or did I miss something?
Thanks & Regards
Lutfi,
I would like to answer your question but it is not clear to me what problem you are facing. Please try to explain again.
How does it work with Business Units? Is it another layer that I can apply?
Hi Matthew, we use Access Teams for a custom table “case” and we do not enable all the child record tables for access teams (only the “case” table). We only define all the lookup column relationship behaviour and it has worked great for two years now. I wonder why you enable the child record table for access teams. I want to make sure that I don’t miss something. Is there a reason why you do it that way?
Thanks. Keep up the good work 🙂
Pierre,
You are 100% correct. It is not necessary to enable access teams on the child record. I have updated the article to reflect this. Thank you for sharing your knowledge.
Hello, this helped me a lot with my solution.
Unfortunately I already had records created in the child table before I implemented access teams.
Now the functionality doesn’t apply to old records, only to newly created ones.
Is there a way to refresh permissions for all existing records?
Thank you
Hi Matthew,
Really helpful article. Out of curiosity, are you aware of a way to bulk add the same Access Team to multiple Records at once? So far, I am only seeing ways to add an Access Team/User for an individual Record, but in my case I have about 2000 Records needing the same Access Team (and their current Owning User/Team left intact), so doing it one-by-one isn’t really feasible…
Hi Matt. Great article. We have records that, until they go through an approval cycle (e.g. status gets to approved), could not be seen by numerous users (who happen to share a security role).
Once approval is reached we’d want them to gain read access. Power Automate (with an unbound action) could be used to grant access. It does use Access Teams.
However, we’d like the access teams to be in sync with all users with a specific role and not have to maintain the Access Team members.
Is there a better way to achieve this?
Hey Matthew! Thanks a lot for your super helpful post.
I have two questions: is there a way to check all rows assigned to a certain person (that is part of a team)? For example: I have a projects table where each row is a project. I used your team solution to assign projects to teams and consequently for people. Now I’d like a way to see which projects were assigned to person X.
The other one is:
Can we create a column in that project’s table with the names of the people assigned for each project? Even better, this column available only for admins.
Thanks a lot!!
Sincerely,
Erick
I’ve followed this amazing post about assigning rows to a team of users, and it worked like a charm.
Some context of my scenario: I’m working on Model Driven Apps with a Projects Table where each project (i.e., row of the Project table) is assigned to different users that are part of a team. I followed the blog’s approach and it’s perfect. My users can only see projects that they were assigned.
Now, I’d like to do two extra things:
1) Add a column on my Projects Table where only Admins would see it, containing all the users with access to that specific project
2) Create a view with all the projects and everyone assigned to each project (to check, e.g., what are the projects assigned to person X)
Thanks and have an amazing Friday!!
What if I want to take this to the next level?
Each time I create a new Building, I want to automatically create a new team just for that Building, and then add users to that new Access Team. This gives users with the same role the ability to do the same things, but only for the Building Team they’ve been assigned to.
How can I restrict the owner name from being entered again in the Team access subgrid?
2147750174Attribute ‘value’ or ‘valueof’ must be specified for condition operator: EqualDismiss
I am getting this error whenever I am creating a new record
Following this setup, the team user has read-write access to the building and also to the equipment in it. I have a scenario where I only want to give read access to the building but want read-write access to the equipment. What is the proper way to set this up?