Hey everyone,
I'm building a model-driven app (FAQ/info hub) backed by Dataverse for a store chain with multiple locations. The requirement is simple: everyone can read everything, but employees should only be able to edit records belonging to their own store.
After researching this, it seems like the "correct" approach is:
- Create a Business Unit per store
- Create an Entra security group per store
- Link them together as Dataverse group teams
- Assign a security role with Read = Organization, Write = Business Unit
- Migrate all existing records to the correct Owning Business Unit
And every time a new store opens, repeat steps 1-3 again.
It works, I get it. But coming from Power BI where you can set up RLS with a simple DAX filter like [Store] = USERPRINCIPALNAME() or look up the user's location from a mapping table, this feels really heavy for what's essentially the same problem.
I wish Dataverse had something similar where you could define a security rule that says "match this column to a user profile attribute" without having to spin up new BUs, Entra groups, and group teams every time a location is added.
So my questions:
- Is the BU-per-location approach really the standard for this? Or is there a more dynamic/scalable way?
- Has anyone used row-level security or plugins to achieve something more flexible?
- For those managing something similar, how do you handle the overhead of creating new BUs + Entra groups every time?
- Any thoughts on automating this with Power Automate or the Dataverse API to make it less painful?
Would love to hear how others are solving this. Thanks!
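The provisioning steps listed in the post (BU, group team, role, record migration), scripted against the Dataverse Web API as an added example that is not code from the original post. It assumes a caller-supplied `send(method, path, body)` that performs the authenticated HTTP request and returns the created record's GUID for POST or the parsed JSON for GET; the root BU id, the name of the pre-built editor role, and the org URL are also assumed to be known.

```python
# Added example: drive the per-store provisioning through the Dataverse Web API
# so a new location is one function call. `send` is an assumed helper that does
# the authenticated request (it must URL-encode the query string) and returns
# the new GUID for POST or the parsed JSON for GET.
API = "/api/data/v9.2"
AAD_SECURITY_GROUP_TEAM = 2  # teamtype value for an Entra security group team


def provision_store(send, store_name, entra_group_id, root_bu_id,
                    role_name, org_url):
    """Create a BU + group team for one store and grant the editor role.
    Returns the new ids so the record migration step can use them."""
    # Step 1: one Business Unit per store, parented under the root BU
    bu_id = send("POST", f"{API}/businessunits", {
        "name": store_name,
        "parentbusinessunitid@odata.bind": f"/businessunits({root_bu_id})",
    })
    # Steps 2/3: the store's Entra security group becomes a group team in that BU
    team_id = send("POST", f"{API}/teams", {
        "name": f"{store_name} editors",
        "teamtype": AAD_SECURITY_GROUP_TEAM,
        "azureactivedirectoryobjectid": entra_group_id,
        "businessunitid@odata.bind": f"/businessunits({bu_id})",
    })
    # Step 4: Dataverse copies every role into each child BU under the same
    # name, and in the classic model a team may only hold its own BU's copy,
    # so look up the copy in the new BU instead of reusing the root BU's id
    roles = send("GET", f"{API}/roles?$select=roleid&$filter=name eq '{role_name}'"
                 f" and _businessunitid_value eq {bu_id}", None)
    role_id = roles["value"][0]["roleid"]
    send("POST", f"{API}/teams({team_id})/teamroles_association/$ref", {
        "@odata.id": f"{org_url}{API}/roles({role_id})",
    })
    return {"businessunitid": bu_id, "teamid": team_id, "roleid": role_id}


def migrate_record(send, entity_set, record_id, team_id):
    """Step 5: reassign an existing record to the store's team; the owning
    business unit follows the owner, so Write = Business Unit now scopes it."""
    path = f"{API}/{entity_set}({record_id})"
    send("PATCH", path, {"ownerid@odata.bind": f"/teams({team_id})"})
    return path
```

The same two functions can be wrapped in a Power Automate custom connector or an Azure Function triggered when a store row is created, which is what makes the "repeat steps 1-3 per store" overhead disappear.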