Owner teams vs access teams in Dataverse
How Dataverse's two team types differ — owner teams own records and have security roles, access teams grant ad-hoc record-level access — and when to use which.
Dataverse supports two distinct team concepts — owner teams and access teams — that look similar but solve different problems. Understanding the distinction is essential for designing security cleanly.
Owner teams.
An owner team is a group of users that can own records and have security roles assigned. Owner teams behave like users in many ways:
- A record can be owned by an owner team (the Owner field references the team, not a user).
- The team has security roles assigned; team members inherit those roles when the team owns the record.
- All team members get the same access — equal members.
- Records owned by the team are queryable as "team-owned" in views and reports.
Use cases:
- A regional sales team collectively owns regional accounts and opportunities. Records routed to the team; any team member can work them.
- A customer-service queue is owned by the queue team; members process from the shared queue.
- A project team owns project-related records during the engagement; deactivated on project end.
Owner team membership is stable — you add and remove members through team administration. Changes affect all team-owned records' visibility for added / removed members.
Access teams.
An access team is a lightweight, dynamic group used for ad-hoc record-level access. Unlike owner teams:
- Access teams can't own records directly.
- Access teams are typically created per record dynamically.
- Access teams grant specific record-level privileges (read, write, append, share) without granting broader access.
- Access teams are managed through access team templates that define what privileges members get.
The classic use case: a sales rep adding ad-hoc collaborators to a specific opportunity. The rep adds three colleagues to the opportunity's access team; those three get read / append access just to that opportunity for the duration. When the opportunity closes or members leave the team, access is removed.
Auto-created access teams. Access teams are commonly auto-created when a record's "team" subgrid is populated:
- On the opportunity form, a "Sales Team" subgrid lists users with access.
- Adding a user to the subgrid (with an access role: "Account Manager", "Technical Specialist", "Executive Sponsor") triggers:
- The access team for that opportunity is created (if not already).
- The user is added with the appropriate role's privileges.
- The user gains record-level access to that specific opportunity.
The user doesn't need a broad security role granting access to all opportunities — they have access to just this one through the access team.
Comparison.
| Aspect | Owner team | Access team | |---|---|---| | Owns records | Yes | No | | Security roles | Yes (assigned to team) | No (roles per template) | | Visibility | Records owned by team are team-visible | Records shared via access team are member-visible | | Membership stability | Stable | Often dynamic per record | | Use case | Shared ownership of many records | Ad-hoc per-record collaboration |
Choosing.
- Owner team when a group of users collectively owns a collection of records (regional teams, service queues, project teams).
- Access team when an individual record needs additional access beyond its primary owner (deal team, case escalation, project consultant).
Both can be used in the same environment for different scenarios.
Microsoft 365 group integration. Owner teams can be linked to Microsoft 365 groups — sync membership from M365 group to Dataverse owner team. Useful when team composition is already managed in M365 (Teams, SharePoint, Exchange group structures).
Manager and position hierarchies. Owner teams don't replace hierarchical security; they coexist. A user might have:
- Security role X (granting BU-scoped access).
- Owner team Y membership (granting team-scoped access).
- Hierarchical security depth 2 (granting access to direct and indirect reports' records).
The user's effective access is the union of all three.
Limits.
- Access team templates are bound to a specific table — you can't share one template across many tables.
- Auto-created access teams can produce many small access teams over time; Dataverse cleans up automatically but heavy use creates schema clutter.
- Owner teams' members can't easily be drilled out for record-by-record access — it's all-or-nothing.
Common pitfalls.
- Using owner teams for ad-hoc collaboration — produces many narrow owner teams; admin nightmare. Use access teams.
- Using access teams for systematic ownership — auto-creation overhead, no central security-role assignment. Use owner teams.
- Manager hierarchy plus owner team — overlapping access can be confusing; users see the same record via multiple paths.
Operational reality. Modern Dynamics 365 implementations use both: owner teams for systematic ownership patterns, access teams for ad-hoc per-record collaboration. The two together enable rich security models without forcing every user into restrictive global roles.
Related guides
- Business units and teams in Dataverse — a deep diveHow business units, owner teams, access teams, and Microsoft 365 group teams compose the security model in Dataverse — what each is for, how they interact, and the common design mistakes.
- Async jobs in DataverseHow Dataverse runs background work — system jobs, async plug-ins, workflow runs, and how to monitor, troubleshoot, and prevent the async backlog from getting out of hand.
- Bulk delete jobs in DataverseHow Dataverse's bulk delete handles mass record cleanup — scheduling, filters, retention policies, and the operational discipline around storage management.
- Business rules in DataverseHow business rules let you add field-level logic to forms without code — set value, lock field, show error, recommendation, and the limits of the engine.
- Calculated and rollup columns in DataverseHow calculated columns and rollup columns work in Dataverse — what each does, the performance trade-offs, and when to use a formula column or a Power Automate flow instead.