[Dataverse] Does “Parent: Child Business Units” access include grandchild units? Verifying hierarchy depth

The Microsoft documentation states “all subordinate business units,” but does this mean just the immediate direct children? Or does it include everything down to the bottom (grandchildren, great-grandchildren)?
The phrasing can be ambiguous, so I verified the actual behavior using a real Dataverse environment.


Parent: Child Business Units (Deep Access)

The “Parent: Child Business Units” access level in a Security Role grants access to records owned by the user’s business unit, as well as records owned by “subordinate business units” or users in those units.

The official documentation describes it as follows:

User has access to records in the user’s business unit and all business units subordinate to the user’s business unit.
Users with this access level automatically have Business Unit and User access levels.
Because this access level gives access to information throughout the business unit and subordinate business units, you should limit this access to match your organization’s data security plan. Usually, this access level is reserved for managers with authority over the business units.
Source: Microsoft Learn

The question here is whether “all subordinate business units” means “Directly below only” or “All levels down (Recursive)”.
Since I couldn’t immediately answer this with 100% confidence, I decided to test it.

The Conclusion:
It includes “All levels down (Recursive)” (Grandchildren included).

Verification Scenario

I prepared 3 Business Units in a hierarchy and assigned a user to each.
Hierarchy Diagram: Gorilla (Top) > Rabbit (Middle) > Dog (Bottom)

I will verify if a user with the “Parent: Child Business Units” security role can access records owned by a user in a grandchild business unit (i.e., can Mr. Gorilla see Mr. Dog’s records?).

  • Top (Parent): Mr. Gorilla
  • Middle (Child): Mr. Rabbit
  • Bottom (Grandchild): Mr. Dog

Preparation

First, I created a custom table and added records owned by different users.
Records list
Next, I created a Security Role with “Parent: Child Business Units” read access for this table.
Security Role settings
Then, I set up 3 Business Units in a parent-child-grandchild hierarchy.
Business Unit hierarchy
Finally, I assigned users to each Business Unit and gave them the Security Role created earlier.
User assignment 1
User assignment 2
User assignment 3

Preparation is complete.

Behavior Check

1. Mr. Dog (Bottom Level)
When logged in as Mr. Dog, he can only see his own records.
Mr. Dog's view
2. Mr. Rabbit (Middle Level)
When logged in as Mr. Rabbit, he can see his own records AND the records of Mr. Dog (who is in the direct child BU).
Mr. Rabbit's view
3. Mr. Gorilla (Top Level)
Finally, when logged in as Mr. Gorilla, he can see:

  • His own records
  • Mr. Rabbit’s records (Direct Child)
  • Mr. Dog’s records (Grandchild / Multiple levels down)

Mr. Gorilla's view showing all records

Conclusion

The “Parent: Child Business Units” security role grants access not only to the immediate child Business Unit but also recursively to all lower-level Business Units in the hierarchy.
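
For a least-privilege review, the recursive scope verified above can be computed from the business unit hierarchy. This is an added example, not code from the original post or from Microsoft: the JSON is a constructed sample shaped like a Dataverse Web API `businessunits` response, the ids are placeholders, and the function names and user-to-unit mapping are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Dataverse Web API "businessunits" response.
# The ids are placeholders, not real GUIDs.
BUSINESS_UNITS_JSON = """
{"value": [
  {"businessunitid": "bu-gorilla", "name": "Gorilla", "_parentbusinessunitid_value": null},
  {"businessunitid": "bu-rabbit",  "name": "Rabbit",  "_parentbusinessunitid_value": "bu-gorilla"},
  {"businessunitid": "bu-dog",     "name": "Dog",     "_parentbusinessunitid_value": "bu-rabbit"}
]}
"""
# Constructed mapping: user -> business unit the user belongs to.
USER_BU = {"Mr. Gorilla": "bu-gorilla", "Mr. Rabbit": "bu-rabbit", "Mr. Dog": "bu-dog"}


def children_index(payload):
    """Map each business unit id to the ids of its direct children."""
    kids = defaultdict(list)
    for bu in json.loads(payload)["value"]:
        parent = bu["_parentbusinessunitid_value"]
        if parent is not None:
            kids[parent].append(bu["businessunitid"])
    return kids


def deep_scope(bu_id, kids):
    """The unit itself plus every descendant at any depth (iterative, cycle-safe)."""
    seen, stack = set(), [bu_id]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(kids.get(current, []))
    return seen


def visible_owners(reader, kids):
    """Owners whose records `reader` can read with Deep read access."""
    scope = deep_scope(USER_BU[reader], kids)
    return sorted(owner for owner, bu in USER_BU.items() if bu in scope)


if __name__ == "__main__":
    index = children_index(BUSINESS_UNITS_JSON)
    for user in USER_BU:
        print(user, "->", visible_owners(user, index))
```

Running the same calculation against a real hierarchy shows how many units a single Deep-level role assignment near the top actually reaches.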
