Modernized Record Ownership in D365
Record ownership across business units is a powerful, relatively new feature in Dynamics 365 CE that allows users to assign records to other users in different business units, giving them access to the data regardless of the business unit they are assigned to. This feature is particularly beneficial for multi-region companies, as it allows for greater flexibility in managing data across multiple regions and ensures that the correct users have access to the data they need. In this blog post, we will explore the benefits of record ownership across business units, and how to set it up in Dynamics 365 CE.
When we think of a multi-regional company, it is not uncommon for employees in different regions to work on the same projects or deals. Previously, to facilitate this work, we would need to work with a pretty complex model, where users are part of multiple teams, and both teams and users are given security roles. Also, when a user switched to work in a different region, it would take time to correctly manage the data owned by that user and to change their permissions.
With this feature, users can be given different access rights for data belonging to different business units, regardless of a user’s position in the organization. Now users in different regions can easily collaborate on the same records, and users can work in different regions and still only access the data that they should and need.
In the above multi-region scenario, setting up and maintaining the security of your application is not only simplified; the resulting setup of permissions is also safer and more robust, while remaining flexible when users move positions across your company.
The security model in D365
The security model in D365 consists of a few elements:
- Business units: distinct units within an organization that have their own set of data and functionality, like departments, divisions and locations.
- Security roles: sets of permissions that define what a user can do within the system. A security role is made up of a collection of privileges, which are the individual actions that a user can perform, such as creating, reading, updating, or deleting records.
- Teams: a way to group users together and assign them a specific set of access rights.
Now, users can only belong to one business unit, and a security role also belongs to a business unit. The owner of a record will be in a given business unit, and so that record is also owned by that business unit. When granting permissions to data in Dynamics 365, users or teams are given privileges to access records based on the business unit of the owner of the records. Since users can only belong to one business unit, and since business units are strictly separated, users could only have visibility of records in another business unit if they were given access to all records within the system for a table (unless a parent-child structure was set up between two business units).
| BU Europe | BU USA | BU Asia |
|---|---|---|
| User 1 | User 2 | User 3 |
| Europe Accounts | USA Accounts | Australia Accounts |
Let’s say user 1 has security roles that give them permission on business unit level, meaning user 1 can access account data only for accounts in business unit Europe. For user 1 to join a project in the USA, they would need to get permissions to account records on an organizational level, with which they would also have access to all records that are part of the Australia business unit.
Previously, we would need to use teams to facilitate a better setup in the above scenario, but this can become a tedious task if the company is large, there are many cross-regional projects, and a lot of users work on projects and data spread out over the organization.
This is where the new setup can be super useful.
Setting up Record Ownership across business units
To set up record ownership across business units in Dynamics 365 CE, the first step is to enable the “EnableOwnershipAcrossBusinessUnits” environment setting. This setting can be found in the System Settings area of the Dynamics 365 CE application. Once this setting is enabled, users can begin assigning records to other users in different business units.
With this feature on, there are a few new options to use:
1. Users can now be owners of records, regardless of the business units they are in. A new column, owning business unit, can be set (users can be given permission to do this themselves as well).
2. On top of that, when a user changes business units, it is possible to keep their records in the business unit they are leaving. This is done by changing the environment setting AlwaysMoveRecordToOwnerBusinessUnit to false.
3. Users can be given roles per business unit. In the example from before, it is now very easy to give a user permission to see accounts in business units USA and Netherlands, but not in Australia.
In the screenshot below, I have given my user permissions to view accounts in business units Netherlands and USA, with the same security role:
When adding that same security role also in business unit Australia, the account record in business unit Australia becomes visible for my user.
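The difference between the two models can be made concrete with the Europe/USA/Asia table from earlier in this post. The following is an added example, not Dynamics 365 code: it is a simplified model of the access check that ignores parent-child business units and teams, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    name: str
    owner: str
    owning_bu: str

@dataclass
class User:
    name: str
    bu: str
    # (business unit the role is assigned in, access depth) pairs.
    # Classic model: every pair uses the user's own BU.
    roles: set = field(default_factory=set)

def can_read(user, rec):
    """Simplified check: org-depth roles see everything, BU-depth roles
    see records whose owning business unit matches the role's BU."""
    return any(depth == "org" or rec.owning_bu == role_bu
               for role_bu, depth in user.roles)

def visible(user, records):
    return {r.name for r in records if can_read(user, r)}

def change_bu(user, new_bu, records, always_move=True):
    """Models AlwaysMoveRecordToOwnerBusinessUnit: when false, records
    owned by the user stay in the business unit the user is leaving."""
    if always_move:
        for r in records:
            if r.owner == user.name:
                r.owning_bu = new_bu
    user.bu = new_bu

def sample_records():
    # Constructed data mirroring the table in this post.
    return [Record("Europe Accounts", "User 1", "BU Europe"),
            Record("USA Accounts", "User 2", "BU USA"),
            Record("Australia Accounts", "User 3", "BU Asia")]

if __name__ == "__main__":
    recs = sample_records()
    classic = User("User 1", "BU Europe", {("BU Europe", "org")})
    matrix = User("User 1", "BU Europe", {("BU Europe", "bu"), ("BU USA", "bu")})
    print("classic, org depth:", sorted(visible(classic, recs)))
    print("matrix, per-BU roles:", sorted(visible(matrix, recs)))
    change_bu(matrix, "BU USA", recs, always_move=False)
    print("Europe Accounts stays in:", recs[0].owning_bu)
```

With organization depth, user 1 also reads the Australia accounts; with the same BU-depth role assigned in Europe and USA, they do not.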
Overall, the matrix data access structure (modernized business units) in Dynamics 365 is a valuable tool for organizations that need more granular control over data access and flexible management of user access rights. It’s a powerful feature that can help organizations improve data security and compliance, while also making it easier for users to access the information they need.