Security concepts for developers
A brief summary of key security concepts that developers should understand is listed below. For more details about Microsoft Dataverse security see Security concepts in Microsoft Dataverse.
Dataverse uses security roles to control what data operations users can perform.
Each security role defines a set of privilege and access level combinations for each table. The combination of privilege and access provides access rights.
A privilege is the capability to perform specific operation: Create, Read, Write, Delete, Append, AppendTo, Assign, and Share.
- There are also some privileges that do not apply to tables, but to specific capabilities.
Access level applies to operations that depend on how tables are owned.
There are five access levels: Global, Deep, Local, Basic, and None.
Some tables are owned by the organization. These access levels can only be Global or None, which are effectively on/off switches.
Some tables are owned by teams or users, which together are referred to as security principals.
For tables owned by security principals, the access levels refer to where the security principals are defined within a potential hierarchy of business units.
- By default, there is one business unit. Organizations can configure multiple business units when they want to limit access or permissions within their organization.
- Each security principal is associated with a single business unit.
- Within a business unit, Local provides access to all data for that table within the business unit.
- Basic provides access to a record that a user owns, either directly or by virtue of belonging to the team that owns the table record, or because the record was shared with them.
- None prevents access to any records for the table.
- Global and Deep only apply when there is a hierarchy of business units. Global provides access to all levels, and Deep provides access to the current business unit and any below it in the hierarchy.
Each user can be associated with one or more security roles.
Users can be associated with teams that can have security roles associated with them.
The user’s access to perform specific operations on a given table record is the least restrictive evaluation of all the security roles that apply.
See Also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for