Hierarchy Security
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering Hierarchy Security in Microsoft Dataverse
Introduction: The Architecture of Organizational Trust
In any enterprise-grade application, managing who can see and modify data is as critical as the data itself. When building solutions on Microsoft Dataverse, you are often dealing with sensitive information—customer records, financial data, or internal performance metrics. While standard role-based security allows you to define access based on Business Units or individual ownership, real-world organizational structures are rarely that simple. Employees work in teams, report to managers, and operate within hierarchies that necessitate dynamic access to information.
Hierarchy Security in Dataverse is a powerful extension of the platform's security model. It allows you to grant access to records based on the reporting structure of your organization. Instead of manually sharing records every time a manager needs to review a subordinate’s work, Hierarchy Security automates this access. This ensures that managers can oversee their teams effectively without compromising the principle of least privilege. Understanding how to configure this correctly is the difference between a secure, scalable application and one that is either too restrictive to be useful or too open to be safe.
Understanding the Fundamentals of Hierarchy Security
At its core, Hierarchy Security is an add-on to existing security roles. It does not replace the standard security model; rather, it sits on top of it. To understand how this works, we must first distinguish between the two types of hierarchies available in Dataverse: Manager Hierarchy and Position Hierarchy.
The Manager Hierarchy
The Manager Hierarchy is based on the standard managerid field found on the User entity. This is the most common approach because it aligns perfectly with the organizational charts maintained in Active Directory or Human Resources systems. When you enable this, a manager automatically gains access to the records owned by their direct reports, as well as the records owned by those who report to their direct reports, up to a specified depth.
The Position Hierarchy
The Position Hierarchy is more flexible and is designed for organizations where reporting lines are based on job functions rather than direct management. In this model, you define positions within the organization and assign users to these positions. A person in a higher position can access the data of those in lower positions, regardless of their formal reporting relationship. This is particularly useful in matrix organizations or sales territories where a regional director might need access to all data within their region, even if they don't directly manage every individual contributor.
Callout: Manager vs. Position Hierarchy The Manager Hierarchy is strictly hierarchical and relies on the
manageridfield, making it easy to set up if your Active Directory is accurate. The Position Hierarchy is non-linear and decoupled from the reporting line, allowing for more complex organizational structures where access needs to follow the functional role rather than the supervisor.
Configuring Hierarchy Security: Step-by-Step
Before you can leverage these features, you must ensure that your environment is prepared. Hierarchy security is not enabled by default, as it introduces a significant shift in how data access is calculated.
Step 1: Enabling Hierarchy Security
To start, navigate to the Power Platform Admin Center. Select your environment and go to Settings > Users + permissions > Hierarchy security. You will see a toggle to "Enable Hierarchy Modeling." Once you toggle this on, you can choose between Manager Hierarchy or Position Hierarchy.
Step 2: Defining the Hierarchy Depth
One of the most important settings is the "Depth" configuration. This determines how many levels down the reporting chain a manager can see. If you set the depth to 2, a manager can see their direct reports and their indirect reports (the people who report to their direct reports). If you set it to 1, they only see their immediate subordinates. Setting a deep hierarchy (e.g., 5 or 10 levels) might seem convenient, but it can impact system performance because the platform has to calculate access rights across a much larger set of records.
Step 3: Configuring the Manager Hierarchy
If you have chosen the Manager Hierarchy, you must ensure the managerid field is populated for all relevant users. You can do this through the user management interface in the Microsoft 365 admin center, which syncs to Dataverse, or by importing user records directly into Dataverse via Power Query or the Data Import wizard.
Step 4: Configuring the Position Hierarchy
If you choose the Position Hierarchy, you must navigate to the "Positions" entity in the Dataverse environment. You will create positions, give them a name, and then assign a parent position. Once the tree is built, you assign users to these positions. This is a manual process that requires ongoing maintenance as staff turnover occurs or organizational restructuring happens.
Practical Examples: When to Use Which
To truly grasp the power of Hierarchy Security, consider these three common scenarios encountered in business application development.
Example 1: The Sales Manager Scenario
A company has a sales team organized by region. A Sales Manager needs to see all opportunities owned by their Sales Representatives to provide coaching and track performance.
- Solution: Use the Manager Hierarchy. As long as the
manageridis set on the Sales Rep’s user record, the manager will automatically gain "Read" access to all opportunities owned by their team. - Benefit: No manual sharing or team-based access rules are required. When a new rep joins the team, they are simply assigned a manager, and the security access is granted instantly.
Example 2: The Project Matrix Scenario
A consultant works on various projects. The Project Lead needs to see all project-related tasks, but the Project Lead does not officially supervise the consultants (who report to a Resource Manager).
- Solution: Use the Position Hierarchy. Create a "Project Lead" position and a "Consultant" position. The "Project Lead" position is the parent of the "Consultant" position.
- Benefit: Even though there is no direct reporting line in HR, the Project Lead maintains the necessary data access to oversee project progress.
Example 3: The Executive Oversight Scenario
An executive needs to see all sales data across the entire organization to report to the board.
- Solution: Set the executive as the top of the hierarchy and set the "Depth" to a high number (e.g., 5 or 10, depending on the organizational size).
- Benefit: The executive gains visibility into all records without needing "Organization-level" read access on their security role, which is a safer way to grant broad visibility without making them an administrator.
Technical Implementation and Performance Considerations
While Hierarchy Security is often managed through the user interface, developers should understand how it functions under the hood. Dataverse manages this access through "PrincipalObjectAccess" (POA) records. When you enable hierarchy security, the platform dynamically calculates who has access to what based on the hierarchy tree.
Performance Impact
Every time you add a user to the hierarchy or move a user to a different manager, the platform must recalculate the access rights for that user and all their subordinates. If you have a massive organization with thousands of users, frequent changes to the hierarchy can lead to system-wide performance degradation.
Note: Always perform significant hierarchy changes during off-peak hours. If your organization has thousands of users, consider using the "Hierarchy Security" settings to limit the depth to only what is strictly necessary to reduce the overhead of access calculations.
Handling Security Roles
Hierarchy Security does not grant "Write," "Delete," or "Append" permissions by default. It only grants "Read" access to the records owned by subordinates. If a manager needs to edit their subordinate's records, they must still have the appropriate security role that grants them "Write" access to that entity.
For instance, if a Sales Manager needs to edit their rep's opportunities, they need a security role that provides "Business Unit" or "Organization" level Write access, or they must be given manual access to those specific records. Hierarchy security is primarily a "Read-only" expansion tool.
Best Practices and Industry Standards
Implementing security is not just about making it work; it is about making it maintainable and secure over the long term. Follow these industry-standard practices to ensure your Dataverse environment remains stable.
- Start with the Principle of Least Privilege: Never enable hierarchy security for the entire organization if only one department needs it. While the setting is global, you can manage the impact by keeping the depth shallow.
- Audit Regularly: Use the "Audit User Access" features to ensure that managers are not seeing more data than they require. Periodically review the
manageridfields to ensure they reflect the current reality of your company. - Use Active Directory Sync: Do not manually manage user hierarchies in Dataverse if you can avoid it. Use Azure Active Directory (Microsoft Entra ID) to manage reporting lines. When a user is updated in Entra ID, the
manageridfield in Dataverse should reflect that change automatically, ensuring your security model stays in sync with HR reality. - Avoid Over-Reliance on Deep Hierarchies: If you find yourself needing a depth of 10+, you might be using the wrong tool. Consider using "Access Teams" or "Owner Teams" for scenarios where access is based on specific project needs rather than rigid reporting lines.
- Test in Sandboxes: Before applying hierarchy changes to your production environment, test the impact in a sandbox environment that mirrors your production user count and data volume.
Common Pitfalls and How to Avoid Them
Even experienced administrators can fall into traps when configuring Hierarchy Security. Here are the most common mistakes and how to steer clear of them.
Mistake 1: Assuming Hierarchy Security overrides all other rules
Users often think that if they are a manager, they can "do anything" to their subordinate's records. Remember: Hierarchy Security is essentially a "Read" expansion. It does not grant elevated privileges for other actions. If a subordinate has a record that is private, the manager will see it, but they cannot delete it unless their security role allows them to delete that entity type.
Mistake 2: Ignoring the "Depth" setting
Setting the depth to the maximum value (10) for every organization is a common mistake. It adds unnecessary complexity to the platform’s security lookup tables. Always set the depth to the minimum level required for the manager to do their job effectively. If a manager only needs to see their direct reports, set the depth to 1.
Mistake 3: Forgetting to educate users
When you enable hierarchy security, managers might suddenly see records they didn't see before. If they aren't expecting this, it can cause confusion. Communicate clearly with the management team about what they can see and why.
Warning: Be cautious when using the "Position Hierarchy" with large, complex organizational structures. If a position is incorrectly assigned as a parent, you could inadvertently grant an entire department access to sensitive data owned by a different department. Always double-check the tree structure before finalizing changes.
Comparison Table: Access Control Methods
To help you decide when to use Hierarchy Security versus other methods, use this reference table.
| Method | Best For | Complexity | Performance Impact |
|---|---|---|---|
| Hierarchy Security | Reporting-based access | Medium | Moderate |
| Access Teams | Ad-hoc, project-based collaboration | Low | Low |
| Owner Teams | Functional groups (e.g., Finance, HR) | Low | Low |
| Business Units | Large-scale structural separation | High | Very Low |
| Manual Sharing | One-off, exceptional cases | Low | None |
Advanced Concepts: Programmatic Interaction
While the UI is the primary way to configure these settings, you may occasionally need to interact with the hierarchy programmatically, especially if you are building custom integration tools. You can use the Dataverse Web API or the SDK to retrieve hierarchy information.
Retrieving Hierarchy Data
To check who reports to a specific user, you can query the systemuser entity. Here is a simple example of how you might retrieve a user and their manager using the Web API:
// Example of a Web API call to get a user's manager
GET [Organization URI]/api/data/v9.2/systemusers(user-guid)?$select=fullname&$expand=managerid($select=fullname)
This request retrieves the user's name and expands the managerid lookup to retrieve the manager's name as well. This is useful for building custom dashboards that show managers which of their subordinates are currently active.
Automating Hierarchy Maintenance
If your organization does not use Azure Active Directory for reporting lines, you might need to automate the population of the managerid field using Power Automate. You can create a flow that triggers when a user record is created or updated in a source system (like an HRIS) and then updates the corresponding user record in Dataverse.
// Conceptual JSON payload for updating a user's manager in Dataverse
{
"[email protected]": "/systemusers(guid-of-manager)"
}
This ensures that your security model is always up to date without manual intervention. Automation is the key to maintaining a secure environment as your company grows.
Frequently Asked Questions (FAQ)
Q: Does Hierarchy Security apply to all entities? A: It applies to all custom entities and most system entities. However, some system entities have hard-coded security restrictions that may not respect hierarchy settings. Always test on a specific entity before assuming it will work.
Q: Can I have both Manager and Position hierarchies enabled? A: No. You must choose one or the other. You cannot mix them in the same environment. Choose the one that best fits your organizational culture.
Q: What happens if a manager is deactivated? A: If a manager is deactivated, they lose access to their subordinates' records. However, the hierarchy structure remains. If you reactivate the manager, their access is restored automatically.
Q: Does Hierarchy Security affect record ownership? A: No. Hierarchy security is purely for access (visibility). It does not change who owns a record. The owner remains the original creator or the person to whom the record was assigned.
Summary and Key Takeaways
Hierarchy Security is an essential tool in the Dataverse administrator’s toolkit. It provides a structured, automated way to manage data access based on organizational reporting lines. By following the best practices outlined in this lesson, you can create a secure and efficient environment that supports your organization's needs without compromising data integrity.
Key Takeaways:
- Understand the Model: Choose between Manager Hierarchy (reporting-based) and Position Hierarchy (function-based) based on your organization's unique structure.
- Respect the Depth: Configure the hierarchy depth to the minimum required level to maintain optimal system performance and security.
- Combine with Security Roles: Remember that Hierarchy Security is a "Read-only" tool; ensure managers have the necessary security roles for any actions beyond viewing data.
- Leverage Automation: Use Azure Active Directory or Power Automate to keep your hierarchy data synchronized with your source of truth, minimizing manual maintenance.
- Prioritize Security Audits: Regularly review who has access to what, especially after organizational changes, to prevent "privilege creep."
- Test Before You Deploy: Always validate your hierarchy configuration in a sandbox environment to understand the potential impact on performance and data visibility.
- Communicate: Ensure managers understand the scope of their access so they can effectively use the data they are entrusted with.
By mastering Hierarchy Security, you are not just configuring software; you are establishing a framework of accountability and transparency that allows your organization to work effectively while keeping your data safe. Take the time to implement these configurations thoughtfully, and your users will benefit from a system that is intuitive, secure, and perfectly aligned with how they work every day.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons