4.2 The Power Platform Security Model (Roles, Business Units, Teams)

Key Takeaways

  • Business units model an organization's structure and scope which records a user can see based on where they sit in the hierarchy
  • Security roles bundle privileges (Create, Read, Write, Delete, Append, Append To, Assign, Share) at access levels from None up to Organization
  • A user's effective access is the most permissive combination of every security role assigned to them
  • Owner teams, Microsoft Entra ID security group teams, and access teams each share access differently — only access teams exist purely to share records without owning them
  • Environment Admin controls one environment, while the tenant-level Power Platform Administrator role controls every environment in the tenant
Last updated: July 2026

Once an environment exists, an administrator still has to control who can see and do what inside it. Power Platform answers this with a layered security model built on security roles, business units, and teams — all of which apply to environments that have a Dataverse database. Expect the exam to test whether you understand how these pieces fit together.

Business Units: Modeling the Organization

A business unit represents a division, department, or region within an organization inside a single environment. Every environment with a Dataverse database is created with one root business unit, usually named after the organization itself. Administrators can create additional child business units underneath it to mirror an org chart — for example, separate business units for Sales, Finance, and Customer Support.

Key rules about business units:

  • Every user belongs to exactly one business unit at a time
  • Business units can be nested, forming a hierarchy of parent and child units
  • Business units are primarily used to scope data visibility — a security role's access level can be limited to "just my business unit" or extended to "my business unit and its children"
  • Moving a user to a different business unit can change which records they can see, even if their security role stays the same

Security Roles: Bundles of Privileges

A security role is a named collection of privileges that determines what a user can do with each type of record (table) in Dataverse. For every table, a role can grant privileges such as Create, Read, Write, Delete, Append, Append To, Assign, and Share, and each privilege is set to one of five access levels:

Access LevelScope
NoneNo access at all
UserOnly records the user owns
Business UnitRecords owned by any user in the same business unit
Parent: Child Business UnitsRecords owned by users in the business unit and all of its child units
OrganizationEvery record in the environment, regardless of owner or business unit

Dataverse ships with predefined roles that cover common needs:

  • System Administrator — full, unrestricted access to everything in the environment; cannot be limited
  • System Customizer — can customize the environment (create tables, forms, flows) but has limited access to business data
  • Environment Maker — can create new resources such as apps, flows, and connections, but has no default access to existing Dataverse data
  • Basic User — a starting point for standard end users, typically scoped to User-level access on core tables

Users are frequently assigned more than one security role, and their effective privileges are the most permissive combination of every role they hold — Dataverse never subtracts access, only adds it.

Example: A support agent is assigned both the Basic User role (User-level access to most tables) and a custom "Case Escalation" role that grants Business Unit-level Read access on the Case table. The agent's effective access on Cases is Business Unit-level, because that is the more permissive of the two roles — even though Basic User alone would have limited them to only their own records.

Administrators are not limited to the predefined roles. A custom security role can be created (often by copying and modifying an existing one) to grant exactly the combination of table privileges and access levels a specific job function needs, which is common practice once an organization moves beyond a handful of generic user types.

Teams: Sharing Access Without Duplicating Roles

Rather than assigning a security role to every individual user, administrators often assign roles to a team, and every member of that team inherits the team's access. Power Platform supports three kinds of teams:

  1. Owner team — can directly own records and have security roles assigned to it; members inherit the team's roles in addition to their own individually assigned roles
  2. Microsoft Entra ID security group team — automatically synced from an existing Entra security group, so membership is managed centrally in Entra rather than inside Dataverse
  3. Access team — created from a team template and used to share individual records with a set of users (for example, everyone assigned to a specific project); an access team does not own records or hold security roles of its own

Environment- and Tenant-Level Administrative Roles

Two more roles sit above table-level security and control administration itself:

  • Environment Admin — has full administrative control within one specific environment, including managing security roles, business units, and settings for that environment only
  • Power Platform Administrator — a tenant-level admin role (assigned in Microsoft Entra/the Microsoft 365 admin center) that grants administrative control across every environment in the tenant, including creating and deleting environments and setting tenant-wide policies

Field-Level Security

For especially sensitive columns — a Social Security number or a salary field, for example — table-level and record-level security may not be granular enough. Field-level security profiles let administrators secure individual columns so that only specified users or teams can read, create, or update that field, layered on top of whatever table- and record-level access a user already has.

Together, business units define where a user sits in the organization, security roles define what they can do, and teams let administrators grant and share access efficiently without micromanaging every individual account.

Test Your Knowledge

A security role grants the Read privilege at the "Parent: Child Business Units" access level for the Account table. What does this allow a user to do?

A
B
C
D
Test Your Knowledge

Which type of team is used specifically to share individual records with a group of users, such as everyone staffed on one project, without that team owning any records itself?

A
B
C
D