Manage teams and business units

  • 3 minutes

In addition to configuring individual roles, you can configure business units and teams to control access and permissions within your environment.

Business units

A business unit is a logical grouping of related business activities.

If your organization is structured around departments or divisions that have separate products, customers, and marketing lists, you might want to create business units. Business units are mapped to an organization’s departments or divisions. Users can securely access data in their own business unit, but they can’t access data in other business units.

Business units, security roles, and users are linked together in a way that conforms to the role-based security model. Use business units together with security roles to control data access so people see just the information they need to do their jobs.

Keep the following in mind when creating business units:

  • The organization (also known as the root business unit) is the top level of a business unit hierarchy. Model-driven apps in Dynamics 365 automatically create the organization when you install or provision model-driven apps in Dynamics 365. You can’t change or delete the organization name.

  • Each business unit can have just one parent business unit.

  • Each business unit can have multiple child business units.

  • Security roles and users are associated with a business unit. You must assign every user to one (and only one) business unit.

  • You can assign a team to just one business unit, but a team can consist of users from one or many business units. Consider using a team if you have a situation where users from different business units need to work together on a shared set of records.

Create a new business unit

These settings can be found in the Power Platform Admin center by going to Environments > [select your model-driven app environment] > Settings > Users + permissions > Business units.

Make sure you have the System Administrator or System Customizer security role or equivalent permissions to update the setting.

  1. Select your Dynamics 365 model-driven app environment and go to Settings > Users + permissions > Business units.

  2. On the Actions bar, select New.

  3. In the Business Unit dialog box, type a name for the new business unit. Model-driven apps in Dynamics 365 automatically fills in the Parent Business field with the name of the root business unit. (If you want to change the parent business unit, select the Lookup button, Look Up More Records, and then either select an existing business unit or select New and create a new one.)

  4. In the Business Unit dialog box, fill in any of the other optional fields, such as the Division, Website, contact information, or addresses.

  5. When you’re done making entries, select Save and Close.

Teams

Using teams as part of your security model is totally optional. However, teams provide an easy way to share business objects and let you collaborate with other people across business units. While a team belongs to one business unit, it can include users from other business units. You can associate a user with more than one team. Teams are typically used to allow users in different business units as Marketing, Sales and Support all work with the same entity (like the Account record of a large customer).

When configuring teams, you need to decide between the two types: owner and access teams.

  • Owner teams: An owner team owns records and has security roles assigned to the team. The team’s privileges are defined by these security roles. In addition to privileges provided by the team, team members have the privileges defined by their individual security roles and team member’s privilege inheritance roles, and by the roles from other teams in which they are members. A team has full access rights on the records that the team owns. Team members are added manually to the owner team.

  • Access teams: An access team doesn’t own records and doesn’t have security roles assigned to the team. The team members have privileges defined by their individual security roles and by roles from the teams in which they are members. The records are shared with an access team, and the team is granted access rights on the records, such as Read, Write, or Append.

Create a new owner team

  1. Go to Settings > Security.

  2. Select Teams.

  3. On the Actions toolbar, select New button.

  4. Enter a team name.

  5. Select a business unit. If you don’t select the business unit to which the team will belong, by default, the root business unit is selected.

  6. Enter an administrator.

  7. Select Owner in Team Type.

  8. Complete other required fields, and then select Save.