Intro:
In Dataverse, managing record permissions is crucial for maintaining data security and integrity. Similar to file system permissions, Dataverse uses a structured approach to define who can access and modify records.
ππ°π§ππ«π¬π‘π’π©:
Every record in Dataverse is assigned three types of ownership:
πΉ Owner π€ : The owner is the user who created the record or to whom the record has been assigned. Owners have full control over their records.
πΉ Team π₯ : A team can consist of multiple users. All members of the team have the same permissions to access and manage the record. Teams are useful for collaborative environments.
πΉ Organization π: This refers to all users within the organization. Permissions can be set at the organization level to allow broader access to records.
πππ«π¦π’π¬π¬π’π¨π§π¬
Dataverse permissions are defined through security roles, which determine what actions users can perform on records
πΉ Create: Allows users to create new records.
πΉ Read: Allows users to view records.
πΉ Write: Allows users to modify the content of records.
πΉ Delete: Allows users to remove records.
πΉ Append: Allows users to associate the current record with another record.
πΉ Append To: Allows users to associate another record with the current record.
πΉ Assign: Allows users to change the owner of a record.
πΉ Share: Allows users to share records with other users or teams, specifying the level of access (read, write, delete).
Access Mask rightes in the platform is as below
When a user shares a record in Dataverse and grants specific permissions like Read, Write, and Append, the access rights are recorded using a combination of bitwise values. Each permission corresponds to a specific bit value, and the combination of these values determines the overall access rights.
Dataverse uses the PrincipalObjectAccess table to store sharing information. When a record is shared, an entry is created in this table with the following key fields:
PrincipalId: The ID of the user or team with whom the record is shared (User B in this case).
ObjectId: The ID of the record being shared.
AccessRightsMask: The combined bit value representing the granted permissions (7 in this case).
Detailed Access Mask Rights Value are as below:
Read | Write | Append | AppendTo | Share | Value of Access Mask Rights |
---|---|---|---|---|---|
Yes | Yes | Yes | Yes | Yes | 262167 |
Yes | Yes | Yes | Yes | No | 23 |
Yes | Yes | Yes | No | Yes | 262151 |
Yes | Yes | Yes | No | No | 7 |
Yes | Yes | No | Yes | Yes | 262163 |
Yes | Yes | No | Yes | No | 19 |
Yes | Yes | No | No | Yes | 262147 |
Yes | Yes | No | No | No | 3 |
Yes | No | Yes | Yes | Yes | 262165 |
Yes | No | Yes | Yes | No | 21 |
Yes | No | Yes | No | Yes | 262149 |
Yes | No | Yes | No | No | 5 |
Yes | No | No | Yes | Yes | 262161 |
Yes | No | No | Yes | No | 17 |
Yes | No | No | No | Yes | 262145 |
Yes | No | No | No | No | 1 |
πππ¬π ππ«ππππ’πππ¬
When configuring permissions in Dataverse, consider the following best practices:
πΉ Least Privilege: Grant users the minimum permissions necessary to perform their tasks. This reduces the risk of unauthorized access and data breaches.
πΉ Training: Educate users on the importance of data security and proper use of permissions to foster a culture of responsibility.
πΉ Regular Audits: Periodically review and update security roles and sharing settings to ensure they align with current business needs and compliance requirements.
Further Read: