Configure Hierarchy Security

In the last activity, we discussed Manage Security Roles and Business Units. We will now learn about Configure Hierarchy Security.

The hierarchy security model extends other Common Data Service security by allowing managers to access the records of their subordinates or do work on their behalf. It can be used in conjunction with all other existing security models.

Two security models can be used for hierarchies, the Manager hierarchy and the Position hierarchy. With the Manager hierarchy, a manager must be within the same business unit as the subordinate, or in the parent business unit of the subordinate’s business unit, to have access to the subordinate’s data. The Position hierarchy allows data access across business units.

For example, if you are a financial organisation, you may prefer the Manager hierarchy model, to prevent managers’ accessing data outside of their business units. However, if you are a part of a customer service organisation and want the managers to access service cases handled in different business units, the Position hierarchy may work better for you.

Manager Hierarchy

The Manager hierarchy security model is based on the management chain or direct reporting structure, where the manager’s and the subordinate’s relationship is established by using the Manager field on the user entity. With this security model, the managers are able to access the data that their subordinates have access to. They are able to perform work on behalf of their direct reports or access information that needs approval.

The manager can have the full access to the subordinate’s data for the direct reports. For non-direct reports, a manager can only have the read-only access to their data.

Position Hierarchy

With the position hierarchy security, various job positions in the organisation can be defined and arranged in the hierarchy using the Position entity. You can then add users to any given position using the Position lookup field on the user record. Users at the higher positions in the hierarchy have access to the data of the users at the lower positions, in the direct ancestor path. Similar to manager hierarchy, the parent positions have full access to the child positions’ data but the positions higher than a direct parent have read-only access.

Access Rights

In both hierarchy models, a user higher in the hierarchy must have at least the user level Read privilege on an entity, to see the subordinates’ data. For example, if a manager doesn’t have the Read access to the Case entity, the manager won’t be able to see the cases that their subordinates have access to.

Set Up Hierarchy Security

To set up the security hierarchy, you must have an Administrator security role.

The hierarchy security is disabled by default. To enable:

1. Navigate in the browser to the Power platform admin portal at https://admin.powerplatform.microsoft.com and select the target environment

2. Select Settings then select Hierarchy Security under Users + permissions

3. Select Enable Hierarchy Modelling

The Hierarchy Security window shown below:

After you have enabled the hierarchy modelling, choose the specific model by selecting the Manager Hierarchy or Custom Position Hierarchy.

Set the Depth to a desired value to limit how many levels deep a manager has Read-only access to the data of their subordinates. For example, if the depth equals to 2, a manager can only access his records and the records of the subordinates two levels deep.

All system entities are enabled for hierarchy security out-of-the-box, but, you can exclude selective entities from the hierarchy.

Select Configure under Custom Position Hierarchy to configure Position records that can be then applied to individual users. For each position, you would need to specify the Name and optional Parent Position that defines the hierarchy.

Select Configure under Manager Hierarchy to open list of users in the environment. When you open an individual user record you can configure either or both Manager Hierarchy and Position Hierarchy for that user. These entries are configured in Organisation Information section on the user form:

The Hierarchy Model selected for the organisation earlier will define which field, Manager or Position needs to have their value set to apply for the hierarchy permissions.

To change either manager or position for multiple users, select one or more user records in the user list, select More (…) command, then select either Change Manager or Change Position to change the value for all selected records.

Performance Considerations

To improve the performance:

• Keep the effective hierarchy security to 50 users or less under any given manager/position counting all the subordinate records. If your hierarchy has more than 50 users, use the Depth setting to reduce the number of levels and to keep the effective number of users under a manager/position to 50 users or less.

• Use hierarchy security models in conjunction with other existing security models for more complex scenarios. Avoid creating a large number of business units, instead, create fewer business units and add hierarchy security.

Next up, we’ll be summarizing Configure Hierarchy Security.