Using Dataverse Security Roles Correctly

When a Dataverse project goes into turmoil after go-live, in most cases it's about permissions. Either someone sees something they shouldn't — the rarer but more delicate case. Or, far more often, someone doesn't see something they urgently need, and nobody on the team can explain why.

Dataverse's security model is powerful, but it has a steep learning curve, because several concepts take effect at once and their logic isn't intuitive. This post explains the model so you set it up correctly before go-live — instead of repairing it afterward under pressure. The overall context is in the Dataverse guide; here it's only about security.

1. The Four Building Blocks

The model consists of four concepts that interlock. You have to think about all four together — looked at individually, each one leads you astray.

Business units form a hierarchy, often along organization, tenant, or location. They define what "the own unit" and "the own unit plus child units" even mean. Every user belongs to exactly one business unit.
Security roles are bundles of privileges — per table and per operation: Create, Read, Write, Delete, Append, Assign, Share.
Access levels define the reach of each individual privilege: only own records, those of the own business unit, those of the own plus child units, or organization-wide.
Teams and sharing round it out with record-level exceptions — when a single record should be visible to someone who wouldn't see it through their role.

The decisive and most overlooked point: permissions are additive. If a user has multiple roles, the more generous setting applies per privilege. There is no "deny wins." A restrictive role has no effect if a second, loosely configured role opens the same right further. Whoever hasn't internalized this builds role chaos and wonders why the "narrow" role limits nothing.

2. How an Access Decision Is Really Made

The following diagram shows which layers a read request passes through and where "additive" concretely kicks in.

This single diagram explains the majority of the "why does this person see that?" tickets after go-live. It's almost never a platform fault — almost always a second role that quietly opens everything back up.

3. The Owner Concept: the Lever Behind "Own"

Every record in a standard table has an owner — a user or a team. The access level "own" refers exactly to that: if a user sees only "own" records, they see those they own (or the team they belong to).

From this follows a design decision that has to be made early: owner team or sharing? If a record should be visible to a group, there are two ways. Owner teams are clean and scale — the record belongs to the team, all team members see it through their normal access level. Manual per-record sharing also works, but scales miserably and becomes, in environments that have grown over time, an unmaintainable layer nobody can trace anymore. The practical rule: model group visibility via owner teams, use sharing only for genuine one-off exceptions.

4. Field-Level Security: the Sharpest but Most Expensive Tool

Sometimes a user should see a record — but not a particular field within it (salary, margin, a sensitive note). For that there is column/field-level security: a single field is secured and only released via a field security profile.

This works cleanly but costs clarity. Every secured field is an additional management axis alongside the roles. Our practical recommendation: use it sparingly, only for genuinely sensitive fields, and document which profile opens which field. Whoever sprinkles field-level security broadly builds a model that is formally correct and practically no longer maintainable.

5. The Five Mistakes We Repair Most Often

Distilled from security remediations, by frequency:

Too many, too person-specific roles. One role per person instead of per task. After a year, nobody understands anymore why who sees what.
Additive logic overlooked. A "restrictive" role that is quietly undermined by a second role. The single most common mistake of all.
Tested as an admin. The admin sees everything anyway — a role checked only as an admin is not tested. Mistakes only surface for the first real user.
Sharing instead of owner teams. Group visibility solved via manual sharing, which becomes an unmaintainable shadow layer after months.
Business unit cut considered too late. The BU hierarchy wasn't cut along the real visibility boundaries and has to be rebuilt afterward — one of the most expensive interventions of all.

Striking, as with data modeling: none of these mistakes is a platform fault. They're discipline and design faults — and all of them are almost free to avoid at the start. How closely security and the data model are connected shows especially in the question of whether a concept gets its own table — covered in detail in our data modeling best practices. And whether Dataverse is even the right tool for your case is clarified by our comparison Dataverse vs. SQL vs. SharePoint — precisely because a row-level security model is often the actual argument for Dataverse.

6. The Setup Order That Has Proven Itself

When you build a security model from the ground up, in this order:

Clarify visibility boundaries before you click. Who may see whose data? This business answer comes before any technical setting.
Cut business units along these boundaries. The BU cut is the most expensive thing to change afterward — diligence pays off most here.
Design a few task-related roles. "Sales," "Sales Management," "Service" — not "Anna," "Ben," "Carla."
Owner teams for group visibility. Sharing remains the documented exception.
Field-level security only for genuinely sensitive fields. Documented.
Test with real test users per role in the target environment. Not as an admin. Each role individually, with real data.

The following diagram shows this order as a staircase — each step builds on the previous one, and the most expensive correction sits right at the bottom.

Step six is the one most often left out — and the one that would have prevented the most post-go-live tickets.

Conclusion

The Dataverse security model isn't complicated because the platform is bad — it's complicated because security is complicated. Four building blocks, additive logic, no "deny": whoever internalizes these three truths builds a model that holds. Whoever skips them builds one that explodes in the ticket system after go-live.

The most honest recommendation: a few task-related roles, owner teams instead of sharing, and test every role with a real test user before anyone depends on it in production. Trust lost after go-live because someone saw the wrong thing isn't won back with a correction role.

Permissions That Hold Up After Go-Live?

We design your security model along the real visibility boundaries — or review an existing one honestly and find the spot where the "narrow" role is quietly undermined. Before it becomes a data-protection issue.

Discuss your security model with us See our Microsoft Power Platform services