The Complete Dataverse Access Teams Setup Guide

The Complete Dataverse Access Teams Setup Guide

Dataverse access teams grant team members permission to a specific record in a table. They also have the ability to grant access to any related child records. Access teams are best used when a unique set of users needs access to each individual record in a table and when the number of teams needed is not known during the solution’s design. Permissions granted by access teams are in addition to access granted by record ownership and security roles. In this article I show you the complete method to setup Dataverse access teams.

Table of Contents
• Introduction: The Equipment Management App

Access Teams Setup For Parent Record:
• Create A New Dataverse TableAdd An Access Team TemplateSetup A New Security RoleApply The Security Role To A UserAdd An Access Team Members Subgrid To The Main FormAssign A User To A Record's Access TeamCheck The Access Team Member's Permissions For A Record

Access Teams Setup For Child Records:
• Grant Access To Child Records Upon Access Team AssignmentDefine The Lookup Column Relationship BehaviourAdd The Child Records Table To The Security RolePopulate The Child Records Table With DataCheck The Access Team Member's Permissions To Child Records




Introduction: The Equipment Management App

On-site Service Technicians at a printer & copier leasing company use the Equipment Management App to see information about the equipment on-lease. Technicians are added to an Access Team for their customer’s building when they become responsible for maintenance at the customer’s location.



The Service Technician can only see Building Facilities they are assigned to.



And they can only see Equipment within the Building Facilities they are assigned to.




Create A New Dataverse Table

When a Service Technician opens the Equipment Management App they will see a list of all Building Facilities they are assigned to. Open the Power Apps Maker Portal and create a new table named Building Facility inside of a solution.



Populate the Building Facilities table with the following data.

Name
3330 Union Park
40 Village Junction
736 Delaware Place
74 Carpenter Road
776 Mayer Trail



Then create a new Model Driven App named Equipment Management and add the Building Facilities table to it. The app should look like the image below.




Enable Access Teams For A Dataverse Table

Access Teams must be enabled for any Dataverse table that will use them. Go to the Building Facility table settings, find the Rows in this table settings group, and check the box for Have An Access Team. Then press Save.




Add An Access Team Template

An access team template defines the permissions-level granted to the user when they become assigned to a record’s access team. To add an Access Team template go to the solution explorer and select New > More > Other > Team Template.



On the New Team Template menu provide the name Building Facility (Read-Write-Append). Select the table Building Facility. Then specify these Access Rights: Read, Write, Append, Append To. Save and close once finished.




Setup A New Security Role

Any User assigned to an Access Team must have a security role with at least User level permissions to each Access Right (Read, Write, Append, Append To). In the Power Platform Admin Center create a new security role named Equipment Management App User.



Then grant the following permissions to the Building Facility table.

  • Read – User
  • Write – User
  • Append – Organization
  • Append To – Organization




Apply The Security Role To A User

The Equipment Management App User security role must be applied to the User who will be assigned to an Access Team. Go to the User settings in the Power Platform Admin Center and grant the new role to a User.




Add An Access Team Members Subgrid To The Main Form

Assignment of a User to an Access Team can be done using a subgrid on the Building Facility table’s main form. Navigate to the Building Facility main form in the solution explorer and choose Edit.



The main form initially has only a Name and Owner field.



Add a new subgrid to the form with the following options:

  • Show related records – unchecked
  • Table – Users
  • Default – Associated Record Team Members
  • Team Template – Building Facility (Read-Write-Append)



The subgrid now appears in the Building Facility main form. Give it the title Access Team Members and then save and publish the form. We have now completed setup for Access Teams on the Building Facility table.




Assign A User To A Record’s Access Team

When a Service Technician is assigned to work at building facility we want them to see its record in the Equipment Management App. Open the Model Driven App and browse to a Building Facility record. Select the Add User button in the Access Team Members subgrid.



Choose the User who was previously granted the Equipment Management App User security role. Then press Add.



The User is now assigned to the Building Facility record’s access team.




Check The Access Team Member’s Permissions For A Record

There are two ways the validate the newly assigned User’s access to Building Facility records. The first is to navigate to a specific record in the Model Driven App and go to Check Access menu.



In the Check Access dialog, change the User lookup field to the assigned User. We can see they have Read, Write, Append & Append To permissions because the record was shared with a team that they are a member of.



The second method to verify the User’s access to Building Facility records is to login as that User. There are 5 records total in this table. But the User only sees the single record they were assigned.




Grant Access To Child Records Upon Access Team Assignment

When assigning a User to an Access Team for a parent record we can also grant access to any related child records. In the Equipment Management App, we want to assign Users to a Building Facility’s access team and then also grant access to any Equipment at that building

Create a new table named Equipment with the following columns:

  • Name (Text)
  • Building Facility (Lookup)

Do not populate the Equipment table with any values yet. We must first configure the relationship between the Building Facility and Equipment tables. As as preview, here is what the table will eventually look like once it is filled-in with data.




Define The Lookup Column Relationship Behaviour

An access team for a parent record will cascade to the child record when the relationship behaviour is set to either Parental or Custom with Cascade All Share & Unshare. In the Equipment table the Building Facility column is a lookup type column.



Go to the relationship for the Building Facility and choose Parental as the type of behaviour. Then select Done.




Add The Child Records Table To The Security Role

The Equipment table must also be added to the Equipment Management App User security role. Grant the same permissions as Building Facility table. The child records will receive the same access permissions as the parent record they are related to.




Populate The Child Records Table With Data

Now that access teams are enabled for the Equipment table we can populate it with data. Go to the Equipment table and add these records. When the Equipment record is related to a Building Facility it shares the parent record’s access team members and permissions.

NameBuilding Facility
PRINTER-0013330 Union Park
PRINTER-0023330 Union Park
PRINTER-0033330 Union Park
PRINTER-00440 Village Junction
PRINTER-00540 Village Junction
PRINTER-006736 Delaware Place
PRINTER-00774 Carpenter Road
PRINTER-00874 Carpenter Road
PRINTER-009776 Mayer Trail
PRINTER-010776 Mayer Trail



The filled-in Equipment table will look like this.




Check The Access Team Member’s Permissions To Child Records

To verify the access team members and permissions for the parented were shared go to a record in the Model Driven App and open the Check Access menu.



In the Check Access dialog, change the User lookup field to the parent record’s access team member. We can see they have Read, Write, Append & Append To permissions to the child record. This is because the User is a member of an access team for a related record.



When the User opens the Equipment table they can only see 3 records for the assigned location even though there are 10 Equipment records in the database.




Questions?

If you have any questions or feedback about The Complete Dataverse Access Teams Setup Guide please leave a message in the comments section below. You can post using your email address and are not required to create an account to join the discussion.

Matthew Devaney

Subscribe
Notify of
guest

20 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Scott McKenzie
Scott McKenzie
8 months ago

Matthew, this is very timely. I am about to embark on a journey to develop a networking application for a particular industry. This article is the cat’s meow. Bravo!

Brett Randall
8 months ago

Glorious thank you for all the effort! Had this exact question for a Power Pages Portal recently.

Kasia
Kasia
8 months ago

This is brilliant! Thank you so much for a very useful and informative post. 🙂

Lütfi
8 months ago

Hi Matthew,

I faced an issue when I set the security role privileges as you show, but the problem when I checked the user access, it shows me all privileged assigned to the user that I want to add. Normally, it should only show the assigned ones. I checked the user roles, it only have Basic and the role that I created which is Equipment Management App User. Is it temporarily error or I missed something?.

Thanks & Regards

Rado
Rado
8 months ago

How does it work with Business Units? Is it another layer that I can apply?

Pierre
Pierre
7 months ago

Hi Matthew, we use Access Teams for a custom table “case” and we do not enable all the child records table for access teams (only the “case” table). We only define all the lookup column relationship behaviour and it work great for two years now. I wonder why you enable child record table for access teams. I want to make sure that I don’t miss something. Is there a reason why you do it that way ?
Thanks. Keep up the good work 🙂

Marek
Marek
7 months ago

Hello, this helped me a lot with my solution.

Unfortunately I already had records created in the child table before I implemented access teams.
Now the functionality doesnt apply to old records, only to newly created.
Is there a way to refresh permissions for all existing records ?

Thank you

Cian O'Carroll
Cian O'Carroll
6 months ago

Hi Matthew,
Really helpful article. Out of curiosity, are you aware of a way to bulk add the same Access Team to multiple Records at once? So far, I am only seeing ways to add an Access Team/User for an individual Record, but in my case I have about 2000 Records needing the same Access Team (and their current Owning User/Team left intact), so doing it one-by-one isn’t really feasible…

Martin Lavoie
Martin Lavoie
6 months ago

Hi Matt. Great article. We have records that until they go through an approval cycle (ex. status gets to approved) could not been seen by numerous users (who happen to share a security role).

Once approval is reached we’d want them to gain read access. Using a power automate (with unbound action) could be used to gran access. It does use Access Teams.

However, we’d like the access teams to be in synch with all users with a specific role and not have to maintain the Access Team members.

Is there a better way to achieve this ?

Erick Veronesi Boczar
Erick Veronesi Boczar
4 months ago

Hey Mathew! Thanks a lot for your super helpful post.

I have two questions: is there a way to check all rows assigned to a certain person (that is part of a team)? For example: I have a projects table where each row is a project. I used your team solution to assign projects to teams and consequently for people. Now I’d like a way to see which projects were assigned to person X.

The other one is:
Can we create a column n that project´s table with the names of the people assigned for each project? Even better, this column available only for admins.

Thanks a lot!!

Sincerely,

Erick

Erick Veronesi Boczar
Erick Veronesi Boczar
4 months ago

I’ve followed this amazing post about assigning rows to a team of users, and it worked like a charm.

Some context of my scenario: I’m working on Model Driven Apps with a Projects Table where each project (i.e., row of the Project table) is assigned to different users that are part of a team. I followed the blog`s approach and it’s perfect. My users can only see projects that they were assigned.

Now, I’d like to do two extra things: 

1)Add a column on my Projects Table where only Admins would seeit, containing all the users with access to that specific project

2) Create a view with all the projects and everyone assigned to each project (to check, e.g., what are the projects assigned to person X)

Thanks and have an amazing Friday!!

Marc K
Marc K
4 months ago

What if I want to take this to the next level?

Each time I create a new Building, I want to automatically create a new team just for that Building, and then add users to that new Access Team. This gives users with the same role the ability to do the same things, but only for the Building Team they’ve been assigned to.

Shashank KS
Shashank KS
1 month ago

How can I restrict the owner name to be entered again in the Team access subgrid

Shashank KS
Shashank KS
25 days ago

2147750174Attribute ‘value’ or ‘valueof’ must be specified for condition operator: EqualDismiss

I am getting this error whenever I am creating a new record

Steve Brozosky
Steve Brozosky
20 days ago

Following this setup, the team user has read-write access to the building and also to the equipment in it. I have a scenario where I only want to give read access to the building but want read-write access to the equipment. What is the proper way to set this up?