User and team tables
User and team management is the area of Microsoft Dataverse where you can create and maintain user accounts and profiles.
A user is any person who works for a business unit who uses Dataverse. Each user has a user account. All users must be associated with only one business unit. This association controls which customer data the user will have access to. Included in the user's account is information such as the user's telephone numbers, email address, and a link to the user's manager. Each user has privileges and rights to manage their own personal settings. Each user corresponds to a user in the Azure Active Directory for that organization. When you create a user, you must assign the user to at least one security role. Even if the user is part of a team that has assigned roles, the user should be assigned to a role. For more information about access levels and roles, see Security concepts for developers.
A team is a group of users. Teams let users across an organization collaborate and share information. For more information about teams, see Use Teams to Collaborate and Share Information.
Records can be owned by users or teams. Set the OwnershipType to OwnershipTypes.UserOwned or OwnershipTypes.TeamOwned to enable ownership. You can use the ReassignObjectsOwnerRequest message or the ReassignObjectsSystemUserRequest message to do bulk reassignment of all records for an owner.
The following illustration shows the relationships for users and teams.
The following table provides details about the significant attributes for the system user table.
Unsure about entity vs. table? See Developers: Understand terminology in Microsoft Dataverse.
|Attribute|Description|
|---|---|
|AccessMode|Specifies the type of access that this user has to Dataverse. This is sometimes referred to as the type of user.<br>- Administrative – The user has access to the Settings area but does not have access to the Sales, Marketing, and Service areas.<br>- Non-Interactive – The user can access the system but only through the Web service.<br>- Read – The user has read-only access.<br>- Read-Write – The user has both read and write access.<br>- Support User – The user was created by the Dataverse support team.|
|CalType|Specifies the user's license type.<br>- Administrative – The user has administrative user rights.<br>- Device Full – The user who is using the device running Dataverse has both read and write access.<br>- Device Limited – The user who is using the device running Dataverse has only read access.<br>- Full – The user has both read and write access.<br>- Limited – The user has only read access.|
|IsDisabled|Specifies whether the user is disabled. Only licensed users or users who have an access mode of support or non-interactive can be enabled. Support users cannot be disabled.|
|IsLicensed|Specifies whether the user is licensed. This applies to customers who access Dataverse through the Microsoft Online Services Environment. This attribute is read-only, and is updated by the system.|
|IsSyncWithDirectory|Specifies whether the user is synchronized with the Microsoft 365 directory. This applies to customers who access Dataverse through the Microsoft Online Services Environment. This attribute can only be set on create and is otherwise read-only.|
|QueueId|Specifies the default queue for the user.|
Access checks are additive. You can access tables based on the roles assigned to the user plus the roles assigned to the team that a user is a member of. This allows a user to have privileges outside their business unit.
A user's set of privileges is a union of privileges from the user's roles and privileges from all teams’ roles in which the user is a member.
Non-interactive users are often used when writing service-to-service code because they do not use up a license. Dataverse allows for seven free non-interactive users. To disable a non-interactive user, update the user record, changing the accessmode value to any other value. The user will be disabled automatically.
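The additive rule and the guidance that every user should hold a direct role can be turned into an access review. The following Python sketch is an added example, not code from Microsoft or the Dataverse SDK: it runs over constructed sample rows whose keys (`bu`, `roles`, `teams`) are simplified assumptions rather than Dataverse column names, and it uses the accessmode option value 4 for Non-Interactive.

```python
NON_INTERACTIVE = 4  # accessmode option value for Non-Interactive

# Constructed sample data (not from a real environment); keys are simplified.
USERS = [
    {"name": "Avery Ng", "accessmode": 0, "isdisabled": False, "bu": "Sales",
     "roles": [{"name": "Salesperson", "bu": "Sales"}],
     "teams": [{"name": "Finance Reviewers",
                "roles": [{"name": "Invoice Approver", "bu": "Finance"}]}]},
    {"name": "svc-sync", "accessmode": NON_INTERACTIVE, "isdisabled": False,
     "bu": "Sales", "roles": [],
     "teams": [{"name": "Integration",
                "roles": [{"name": "System Customizer", "bu": "Sales"}]}]},
    {"name": "Former Employee", "accessmode": 0, "isdisabled": True, "bu": "Sales",
     "roles": [{"name": "Salesperson", "bu": "Sales"}], "teams": []},
]

def effective_roles(user):
    """Map each (role, business unit) to how the user gets it: the union of
    directly assigned roles and the roles of every team the user is in."""
    grants = {}
    for role in user["roles"]:
        grants.setdefault((role["name"], role["bu"]), set()).add("direct")
    for team in user["teams"]:
        for role in team["roles"]:
            key = (role["name"], role["bu"])
            grants.setdefault(key, set()).add("team:" + team["name"])
    return grants

def audit(users):
    """Return (user, finding, detail) tuples for enabled accounts."""
    findings = []
    for user in users:
        if user["isdisabled"]:
            continue  # disabled accounts are skipped in this review
        grants = effective_roles(user)
        if not user["roles"]:
            findings.append((user["name"], "no-direct-role", ""))
        if user["accessmode"] == NON_INTERACTIVE:
            roles = ", ".join(sorted(name for name, _ in grants))
            findings.append((user["name"], "non-interactive", roles))
        for (name, bu), sources in sorted(grants.items()):
            if bu != user["bu"]:
                via = ", ".join(sorted(sources))
                findings.append((user["name"], "outside-bu", f"{name}@{bu} via {via}"))
    return findings

if __name__ == "__main__":
    for row in audit(USERS):
        print(*row, sep=" | ")
```

The `outside-bu` finding shows the source of each role, so a reviewer can see which team membership carries a privilege beyond the user's own business unit.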
To find the user who is currently logged on or who is impersonated, call the WhoAmIRequest message.
Delete a user (preview)
In Dataverse, users can be disabled and deleted. You can delete a user from Power Platform (Dataverse) assuming you have the required access permission to the SystemUser table row. There is a sequence of tasks to follow. You cannot simply delete the row in a single call. You must first delete the user registered in Microsoft Azure Active Directory (AD) and then delete the user in Dataverse. The procedure to follow is outlined below.
Log into Microsoft Azure portal, and then follow these steps:
- Select Azure Active Directory, and then under Manage select Users
- Delete the user - this is called a 'soft delete' as the user record remains until permanently deleted
- Permanently delete the user either manually or wait thirty days until Azure permanently deletes the user through automation
After the system user is soft or permanently deleted in Azure, the user status will be shown as disabled in Dataverse. You can find this user row in the SystemUser table.
- Reassign any existing table rows the user is assigned to - there should be no table rows assigned to the user prior to deleting the user
- Delete the user by using an SDK or Web API call - this is a soft delete
- Permanently delete the system user by an API call a second time
There is an override where the user row in Dataverse can be deleted without permanently deleting the user's AD record in Azure. This can be done by setting the OrgDbOrgSetting AuthorizationSkipAadUserStateValidation=true. This removes the need to do step #2 in the above Azure procedure.
User Settings Utility is a tool that the XrmToolBox community developed for Dataverse. Please see the Developer tools topic for community-developed tools.
The community tools are not a product of Dataverse, and Dataverse does not extend support to them. If you have questions pertaining to the tool, please contact the publisher. More Information: XrmToolBox.
Use Teams to Collaborate and Share Information
Team table reference
Specify time zone settings for a user
Sample: Share Records Using GrantAccess, ModifyAccess and RevokeAccess Messages
Sample: Share a record using an access team