Understanding Dataverse for Teams permissions

Dataverse for Teams has its own set of capabilities for granting permissions on data. Most people working with Dataverse for Teams come from either the SharePoint world or the Dataverse / Dynamics 365 world. For both groups, permissions work differently than in the tools they already know. In this article I will explain how permissions work in Dataverse for Teams and where they differ from regular Dataverse and SharePoint.

Manage table permissions

Permissions in Dataverse for Teams are based on a fixed set of permission levels and permission groups. The permission configuration pane gives most of the information you need about these groups and levels.

To view the permissions configuration pane, open the Power Apps app in Teams, select the Build tab, click the name of a table and select Manage permissions in the ribbon.

Power Apps app in Teams > Build > Table Name > Manage permissions

The following pane will open on the right side of the page.

Dataverse for Teams manage permissions pane

Permission groups

The different groups are shown on the left: Owner, Member, Guest and Colleagues with access. There is a 1:1 relationship between a Microsoft Teams team and the Dataverse for Teams environment. The Owner, Member and Guest groups consist of the owners, members and guests of the Microsoft Teams team connected to the environment.

The Colleagues with access group is different. Power Apps apps built in Teams can be shared with people outside the team (people who are not an owner, member or guest). These people make up the Colleagues with access group.

The permissions for the Owner group cannot be modified. This group always has full access to all data in all tables in a Dataverse for Teams environment.

The permissions for the other groups can be updated, but are set by default as follows:

  • Members: Full access
  • Guests: Private
  • Colleagues with access: None

The permission groups in Dataverse for Teams are fixed. Unlike regular Dataverse or SharePoint you are not able to add additional permission groups.

Permission levels

The five available permission levels per Dataverse for Teams table are Full access, Collaborate, Reference, Private and None.
The permission levels Full access and None are pretty self-explanatory. Groups with Full access have full permissions on all rows in a table. Groups with None have no access at all to data in the table. Reference gives users read-only permissions on all rows in the table. The permission levels Collaborate and Private give elevated permissions on rows in the table where a user is assigned as owner of the row. Private grants full permissions (create, update, delete) only on rows owned by the user, and none on rows owned by someone else. Collaborate grants full permissions on rows owned by the user and read-only permissions on rows owned by other users.

The permission levels in Dataverse for Teams are fixed. Unlike regular Dataverse or SharePoint you are not able to modify or add additional permission levels.

Owning rows

Ownership of rows is a concept that comes from big brother Dataverse, and one that is not available in, for example, SharePoint.
The Owner field is separate from the Modified by and Created by fields. It plays a role in determining who has access to the row. By changing the owner you also change who can interact with the row, specifically where the permission levels Collaborate and Private apply.

Changing the row owner

When a row is created, the creator is automatically assigned as owner of the row. But can this owner be changed?

It seems not to be the case if you look at the owner field through the inline Edit data feature of the Table interface. The owner field is shown as read-only.

Rest assured: you can change the row owner, either through Power Automate or Power Apps.

Changing the owner in a canvas app

Changing the owner in a canvas app can be done using the Patch function. The form control and SubmitForm are of no help here, because the owner field is always shown as read-only due to the complex nature of this field.

To change ownership you need to fetch the User record of the new owner from the User table, for example by filtering on email address, name or even Azure AD Object ID. The User table is a default table that is part of both Dataverse and Dataverse for Teams and contains rows for all users in an environment. The table is hidden in the Power Apps Teams app UI, but can be used as a regular table in Canvas Apps Studio.

If you are able to look up this record, the Patch function is pretty straightforward:

Patch( <TableName>, <RecordThatNeedsNewOwner>, {Owner: <NewOwnerUserRecord>}  ) 

NOTE: the new owner needs at least read permissions on the table to be able to own rows in it. This means the new owner needs to be part of one of the available permission groups, and the permission level for that group must grant at least read permissions on the corresponding table.
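The lookup and Patch steps described above, combined into one formula for a button's OnSelect property. This is an added example, not code from the original article; the table 'Project Tasks', the gallery galTasks and the text input txtNewOwnerEmail are hypothetical names, and the lookup filters the Users table on its Primary Email column.

```powerfx
// Added example. 'Project Tasks', galTasks and txtNewOwnerEmail are
// hypothetical names; replace them with your own table and controls.
With(
    {
        // Fetch the User record of the intended new owner by email address.
        newOwner: LookUp(Users, 'Primary Email' = txtNewOwnerEmail.Text)
    },
    If(
        // No matching row in the User table: do not attempt the Patch.
        IsBlank(newOwner),
        Notify(
            "No user with that email address exists in this environment.",
            NotificationType.Error
        ),
        // Patch only the Owner field of the selected row. The Patch fails
        // when the new owner has no read permission on the table (see the
        // NOTE above), so surface the error instead of ignoring it.
        IfError(
            Patch('Project Tasks', galTasks.Selected, {Owner: newOwner}),
            Notify(
                "Owner change failed: " & FirstError.Message,
                NotificationType.Error
            ),
            Notify("Owner changed.", NotificationType.Success)
        )
    )
)
```

Because ownership decides who can edit a row under the Collaborate and Private levels, expose a control like this only to users who are meant to hand rows over to others.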

Changing the owner in a cloud flow

In a cloud flow you first need to load both the user record from the User table and the row to be updated, using the Common Data Service (current environment) connector. The next step is to use the Update a row action to change the ownership of the row in question. The syntax to update a lookup field in the Common Data Service (current environment) connector is <PluralNameOfLookUpTable>(<RowGUID>). The plural name of the User table is actually systemusers. The update action will look something like this:


In this post I shared the basics of Dataverse for Teams permissions. I also showed how to change ownership of rows to other users.
In a future post I will spend time on how to work with owning teams.
