Manage user roles and access

Microsoft Cloud for Sustainability Tech Summit November 2024.

You can assign roles and access management in Microsoft Sustainability Manager based on individual user needs. To provide these enhanced security and privacy capabilities, Microsoft Sustainability Manager uses the role-based security model in Dataverse.

Business units define a security boundary in Dataverse. They segment your users and data across the organization. You can align your structure in Microsoft Sustainability Manager to Dataverse's business units to accomplish your required role-based access.

For more information about role-based security and business units in Dataverse, go to Security concepts in Microsoft Dataverse.

For best practices around deploying Cloud for Sustainability, go to Well-Architected for Microsoft Cloud for Sustainability.

Important

The security roles in Dataverse don't impact Power BI views, so the insights and dashboard in Microsoft Sustainability Manager have the following limitations:

  • The dashboard and insights are only governed by organization scope role access.
  • The business unit reporting role only impacts report generation access and data. It doesn't apply to dashboard and insights views.

Microsoft Sustainability Manager provides some sample roles that you can copy and apply to your business units to create your security segmentation. The roles control access to data and user interface (menus, grid views, and forms) across the application.

Security role Usage purpose Security scope
Sustainability all – full access RW access for all areas and data Organization
Sustainability all – read only RO access for all areas and data Organization
Sustainability all – ingest – full access role Access for ingestion actions Organization
Sustainability all – reports – full access role Access to view and edit reports Organization
Sustainability BusinessUnit – full access role RW access for all areas - Data view is restricted to business unit scope Business unit
Sustainability BusinessUnit – ingest – full access role Access for ingestion actions only - Data view is restricted to business unit scope Business unit
Sustainability BusinessUnit – read only role RO access for all areas - Data view is restricted to business unit scope Business unit
Sustainability BusinessUnit – reports – full access role Access to view and edit reports - Data view is restricted to business unit scope Business unit

Note

When you add users, be sure they're assigned the Basic user role. This role is required for data ingestion.

Segment access by role or department

To segment your organization access by role or department, perform the following steps:

  1. Create business units in Dataverse aligned to your organization structure. For instructions on creating business units in Dataverse, go to Create a new business unit.

  2. Copy the roles in the table above to each business unit (or use default roles).

  3. Assign the roles to users or groups according to required privileges.

For example, an administrator might provision roles within business units and assign users accordingly to segment access to data and user interface based on user responsibilities or sub-organization internal boundaries.

First example of setting up business units for an organization.

Second example of setting up business units for an organization.

Fine tune segmentation

Important

Default business unit roles only apply to activities and emissions. Specifically, reference data is scoped at the organizational level by default. Most reference data is applicable across business unit boundaries, such as factor libraries, transport mode, or fuel type. If they're precluded from a sibling business unit, calculations would be unavailable or fail.

Some organizations require stricter segmentation, such that for example, facilities or organizational units aren't visible across business units. In this case, you can perform the following procedure to copy and edit the default roles so you can fine tune role-based user access according to your needs.

Important

Non-default roles that you create can potentially cause backend support to fail due to privilege issues. Use the following procedure with caution.

  1. In the Power Platform admin center, select your environment. Select Settings > Users + permissions > Security roles.

  2. Select the role you want to base your new role on.

  3. Select the ellipsis next to the role name, and then select Copy.

  4. Enter the Name for your new role, and then select Copy.

  5. After the copy completes, open your new role, and then edit tables under Custom Tables as needed.

    Edit the new role.