Microsoft Dynamics 365 CE Record Sharing

Jun 7, 2025

Yaroslav Loginovskiy

Record Sharing in Dynamics 365 CE

While Business Units, Security Roles, and Teams provide the foundation for controlling access to records in Dynamics 365 CE, sometimes users need to collaborate on specific records that fall outside their normal security scope.

For these scenarios, Record Sharing offers a flexible, granular mechanism to grant access to individual records - without changing ownership or modifying the security model.

What is Record Sharing?

Record Sharing enables users or processes to explicitly grant access to an individual record to other users or teams. Ownership of the record does not change - instead, the system creates an Access Control Entry (ACE) that specifies which privileges the recipient will have on that particular record.

This allows organizations to maintain strict control over data ownership while still supporting dynamic collaboration.

How Record Sharing Works

When a user (or a process) shares a record, Dynamics 365 CE creates an ACE in the PrincipalObjectAccess (POA) table.

The POA entry links:

  • the target record,

  • the recipient (user or team),

  • and a list of granted privileges.

Privileges that can be shared:

  • Read → view the record.

  • Write → update the record.

  • Delete → delete the record.

  • Append → link this record to another.

  • Append To → allow other records to link to this one.

  • Assign → reassign ownership of the record.

  • Share → further share the record with others.

Ownership is not impacted - only the granted privileges are changed for the specific user or team.

Typical Use Cases

Cross-BU Collaboration: A Salesperson needs to collaborate with a colleague from another BU who normally wouldn’t have access to their Opportunities.

Ad-hoc Collaboration: A Service Agent wants to give a manager temporary access to a high-profile Case.

Compliance Scenarios: Granting Read-only access to sensitive records to an auditing team - without changing ownership or affecting the base security model.

Process-driven Sharing: Power Automate flows or custom plugins can automatically share records with users/teams as part of business processes.

How to Share a Record

Manual Sharing

Users can share records manually via:

  • the Share button on model-driven forms (if they have the "Share" privilege for the entity).

  • Advanced Find → Share.

  • Related Subgrids → Share.

Programmatic Sharing

You can programmatically share records via:

  • Power Automate → "Grant access to record" action.

  • Dataverse Web API → via GrantAccessRequest message.

  • Plugins / SDK → use GrantAccessRequest or manipulate the POA table (advanced scenarios).

Viewing and Managing Shared Access

Users with "Share" privileges can manage shared access via:

  • the Share dialog on the record.

  • Advanced Find queries on shared records (with careful configuration).

Admins can audit shared access using:

  • the POA table (PrincipalObjectAccess).

  • XrmToolBox → User Access Manager, POA Analyzer plugins.
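
The POA audit described above, sketched as an added example (not code from the original article): it decodes the AccessRightsMask column of exported POA rows and flags grants that include Delete, Share or Assign, plus principals that hold many explicit shares. The bit values are those of the SDK AccessRights enum; the sample rows, the shortened IDs and the `bulk_threshold` parameter are constructed for illustration.

```python
from collections import Counter
from enum import IntFlag

class AccessRights(IntFlag):
    """Bit values of the SDK AccessRights enum as stored in AccessRightsMask."""
    READ = 1
    WRITE = 2
    APPEND = 4
    APPEND_TO = 16
    CREATE = 32
    DELETE = 65536
    SHARE = 262144
    ASSIGN = 524288

# Rights that let a recipient delete, re-own or further propagate access.
HIGH_RISK = AccessRights.DELETE | AccessRights.SHARE | AccessRights.ASSIGN

# Constructed sample rows using POA column names; real rows carry GUIDs.
SAMPLE_POA = [
    {"ObjectId": "opp-001", "PrincipalId": "user-a", "AccessRightsMask": 1},
    {"ObjectId": "opp-001", "PrincipalId": "team-audit", "AccessRightsMask": 1},
    {"ObjectId": "case-042", "PrincipalId": "user-b", "AccessRightsMask": 262147},
    {"ObjectId": "acct-007", "PrincipalId": "user-a", "AccessRightsMask": 589825},
    {"ObjectId": "acct-008", "PrincipalId": "user-c", "AccessRightsMask": 0},
]

def decode(mask):
    """Return the names of the privileges set in an AccessRightsMask value."""
    return [r.name for r in AccessRights if mask & r]

def audit(rows, bulk_threshold=2):
    """Flag high-risk explicit shares and principals holding many shares."""
    risky, per_principal = [], Counter()
    for row in rows:
        mask = row["AccessRightsMask"]
        if mask == 0:
            continue  # row carries no directly granted rights
        per_principal[row["PrincipalId"]] += 1
        hits = decode(mask & HIGH_RISK)
        if hits:
            risky.append((row["ObjectId"], row["PrincipalId"], hits))
    bulk = sorted(p for p, n in per_principal.items() if n >= bulk_threshold)
    return risky, bulk

if __name__ == "__main__":
    risky, bulk = audit(SAMPLE_POA)
    for obj, principal, rights in risky:
        print(f"{obj}: {principal} holds {', '.join(rights)}")
    print("principals with many shares:", bulk)
```

A grant that includes SHARE deserves the closest review, since the recipient can extend access to further users without involving the record owner.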

Limitations

  • POA Table Growth:

  • Difficult to Audit:

  • Privilege Dependency:

  • Re-sharing:

Advanced Considerations for Record Sharing

POA Table Design Implications

The PrincipalObjectAccess (POA) table is critical to Record Sharing - but it comes with architectural limitations:

  • The POA table is not indexed as efficiently as core entity tables.

  • It can grow very large when high-cardinality sharing is used (e.g. thousands of records shared to hundreds of users/teams).

  • Large POA tables slow down:

      • Security checks.

      • Record retrieval.

      • “My Records” views.

      • Bulk record queries and Advanced Find.

Microsoft recommendation:

For high-volume sharing scenarios - such as mass portal access or multi-tenant scenarios - it is better to use:

  • Access Teams with templates, or

  • Custom logic with a dedicated access model (virtual entity, Azure Function controlled access), instead of raw record sharing.

Cascading Behavior

Record sharing does not cascade automatically to related child records.

Example: Sharing an Account does not share its Contacts or Opportunities.

If cascading sharing is required:

  • Implement it explicitly in Power Automate or in a plugin.

  • Be careful - automatic cascade can cause POA bloat.

Complementary Strategies

To reduce over-reliance on direct Record Sharing:

  • Use Owner Teams when ownership can be shared cleanly.

  • Use Access Teams for dynamic collaboration on specific records.

  • Use hierarchical security where appropriate for manager visibility.

  • Build virtual views or portals for controlled external user access - avoid mass sharing to external users through the core CRM model.

Best Practices

  • Use Teams for structured and reusable access where possible - reserve Record Sharing for one-off or ad-hoc scenarios.

  • Regularly audit shared records - especially for high-value or sensitive data.

  • Monitor POA table growth - implement cleanup processes if needed.

  • Leverage Power Automate or custom logic to manage sharing consistently across business processes.

  • Restrict Share privilege to trusted roles to avoid uncontrolled sharing.

Summary

Record Sharing is a powerful tool in Dynamics 365 CE that enables fine-grained, flexible access control at the individual record level - without disturbing ownership or the role-based security model.

When used thoughtfully, it allows organizations to enable secure cross-team collaboration and dynamic access to data.

However, overuse of Record Sharing can lead to performance, auditing, and complexity issues - it should be combined with Teams and Security Roles for a clean, maintainable security design.
