Business units

  • 10 minutes

Business units provide security and structure for grouping users. Often, you would use business units to mimic an organization’s departmental structure (but they don't need to). Business units are hierarchical, and every Dataverse instance has a single root business unit. Beneath the root business unit, you can create child business units to further segment and secure your data.

To configure business units, go to the Settings area of the Microsoft Power Platform admin center. The following image shows that the HR and Finance business units have a parent business unit of Contoso Root BU, while the other business units have Finance BU or HR BU as their parent business unit.

Screenshot of business units in the Power Platform admin center.

Displaying this information as a list makes visualizing the information as a hierarchy difficult. The security structure of this environment resembles the following image.

Diagram of a hierarchy of business units to visualize security structure.

You can secure data at different levels of the hierarchy, or everyone in all business units can have access to all data. The decision depends on who needs access to what data.

Other information about business units to consider:

  • Every user who's assigned to a Dataverse environment belongs to a business unit.

  • You can create multiple child business units as needed.

  • You can delete child business units; however, you can't delete the root business unit.

  • Child business units can have other child business units.

  • A parent business unit is any business unit with one or more business units that report to it in the hierarchy.

  • A child business unit is a business unit that's immediately under another business unit in the business hierarchy of an organization.

You can structure business units by following a traditional organizational structure for hierarchical data access. Alternatively, you can structure business units so that data is compartmentalized in a tree-like hierarchy, and then users can work with and access any business unit's data regardless of what business unit the user is assigned to. For more information, see Matrix data access structure (Modernized Business Units).

Important

If you move a user to a different business unit, you need to reassign their security roles. Each user is a member of only one business unit, but a team can have user members from multiple business units.

Security role access levels

You can secure data to the business unit by using security role access levels.

Teams (including group teams)

Teams are important security building blocks. Business units own teams. Every business unit has a default team that the system automatically creates when you create the business unit. Dataverse manages members of the default team, which contains all users who are associated with that business unit. You can’t add or remove members from the default team manually. Instead, the system dynamically adjusts the members as you add new users to or remove them from business units.

The two types of teams are:

  • Owning teams - Can own records, which give any team member direct access to that record.

  • Access teams - Are discussed later in this module as part of record sharing.

Note

Users can be members of multiple teams, which allows for a powerful way of granting permissions to users without micromanaging access at the individual user level.