BETA DRAFT CONTENT: Portfolio Security & Access

Project Management Context

Some organizations cannot give every user open access to their entire portfolio of projects and need a more granular approach to security and access, while others are fine with all users having access to the entire portfolio. BrightWork 365 accommodates both requirements through a flexible security and access model.


  • Requests, Power BI reports and SharePoint libraries are not in scope for the access restriction functions of BrightWork 365. These resources will still be open to all users of BrightWork 365.
  • Request Templates and Project Templates are not in scope for the access restriction functions of BrightWork 365. If you have confidential programs and portfolios, do not create Request Templates or Project Templates with this information. Leave the Portfolio and Program fields blank; otherwise everyone can potentially become aware of their existence.
  • Users with the BrightWork PMO Manager security role get access to everything in the solution, including confidential projects, regardless of the chosen security model or their assigned business unit. 
  • Customers are advised to use generic names for confidential projects, as project names are visible to all users in various places in the app and in Power BI / SharePoint (Approvals, Content Templates). Confidential projects should not contain confidential information in the project name.

Security Model 1: Open Access (Default Model)

In the default open access model, all BrightWork 365 users have access to all portfolios, programs, and projects within the BrightWork 365 app. Note that open access can be mixed together with a restricted security model as needed.

Security Model 2: Project Security (Bottom-Up)

After securing portfolios to a subset of users, you may need to give some users outside the configured access boundaries access to specific projects. The project security option provides this capability. For more information see Project Security & Access.

Security Model 3: Portfolio Security (Top-Down)

The Portfolio Security model uses Power Platform business unit membership combined with BrightWork security roles to grant users access to the Portfolio attached to the business unit, as well as all of the portfolio's child projects and records. This article details the Portfolio Security Model.


Portfolio Security Steps - In a Nutshell

Here's a summary of the steps needed to implement portfolio security in a BrightWork 365 environment from start to finish as it operates out of the box:

  1. Design your intended business unit and Portfolio hierarchy "on paper".
  2. Enable Modern business units in the BrightWork 365 environment.
  3. In the Power Platform admin center:
    1. Create all necessary business units.
    2. Assign child business units to parent business units as needed to meet your hierarchy design.
    3. Assign BrightWork 365 users a home business unit.
    4. Give users security roles in secondary business units as needed.
  4. In the BrightWork 365 app:
    1. Create Portfolios that will act as the parent levels of the BrightWork 365 app hierarchy (Portfolios > Programs > Projects).
    2. Within each Portfolio select an Owning Business Unit. 
    3. Within each Program choose a parent Portfolio that is associated with the business unit that is desired for itself and its child Projects.

If you need to manage project access for individual users by exception, see Project Security & Access.



  • Only users with the System Administrator security role can manage business units and security roles in the BrightWork 365 environment.
  • Customers who want their custom tables included in the Project move Program and Program move Portfolio flows will need to request assistance from their Customer Success Partner to update the child flows in their custom solution.

Portfolio Security - Details

Step 1: Enable Modern Business Units

  1. Enable Record Ownership across business units in the Power Platform admin center – this allows a user to have security roles from another business unit.
  2. Turn off Move Records to New business unit in Org Settings (can be done with XrmToolBox or with the legacy Microsoft Organization Settings Editor tool) – this stops records from moving to a different business unit when their owning user moves to a different business unit.

Step 2: Create the Business Unit Hierarchy

Business Units
  • Business units are created in the Power Platform admin center by a user with the System Administrator security role.
  • All business units, apart from the Default Business Unit, have a parent business unit.
  • New business units get non-editable copies of all the security roles found in the Default Business Unit (e.g., all the security roles that ship with BrightWork 365).
Business Unit Hierarchy
  • Setting the Owning Business Unit in a Portfolio sets what child users will see or not see.
  • Portfolios are the top-level grouping for Projects.
  • Programs are a second-level grouping for projects.

Step 2a: Create Business Units

In the Microsoft Power Platform admin center:

  1. Select the BrightWork 365 environment.
  2. Navigate to Settings > Business Units.
  3. Click New business unit.
  4. Fill in the necessary field details and click Save.
  5. Select child business units for the created business unit as necessary to further form your security access hierarchy.

Step 2b: Assign an Owning Business Unit to a Portfolio



  • Only users with the BrightWork PMO Manager or System Administrator security role can configure a Portfolio's Owning Business Unit.
  • If a Portfolio's Owning Business Unit is changed to one that is above its current Owning Business Unit in the hierarchy, the change will be automatically reversed, and an email notification of this reversal will be sent to the person who attempted the change.
  1. In the Portfolio's Statement tab, select the relevant Owning Business Unit in the Owning Business Unit field.
  2. Read the warning message, choose the new Owning Business Unit, and click Confirm or Cancel.
  • If the Owning Business Unit of a Portfolio is changed, the Owning Business Unit of all the child Program and Project related records will also be updated. This means that some users in the previous business unit may lose access to this portfolio and the other records. It also means that users in the new Business Unit will now be able to access records in this Business Unit.
  • Concurrent usage is not supported, e.g., before moving a Portfolio's Owning Business Unit, the BrightWork PMO Manager should inform the team to exit any child Projects of the Portfolio.

Step 2c: Associate Programs with a Parent Portfolio

Programs inherit the Owning Business Unit from their parent Portfolio. To associate a Program with a parent Portfolio, select the relevant Portfolio as you normally would in the Program's Statement tab.

If a Program is moved to a different Portfolio with a different associated business unit, or if a Portfolio's associated business unit is changed, some users who never had access to that part of the hierarchy will now have access, and some that had access previously will no longer have access; this will be determined by either their own business unit, or from access granted at the Project level.


Step 3: Add Users to the Business Unit Hierarchy



  • A user with the BrightWork PMO security role will have organization-wide global access regardless of their assigned business unit. They will have access to all content within BrightWork 365 including confidential projects.
  • If a user’s business unit is changed, all of their security roles are removed from all business units. They will need to be reassigned all of their security roles in the new business unit, even if they already had security roles in that new business unit. It is recommended to make note of their current security role assignments prior to the business unit change.

Assign Users to a Business Unit

Assigning users to a business unit will in turn control which Portfolios, Programs, and Projects they have access to. 

  • It can take 30-60 seconds per user when their business unit is changed using the admin center Modern UI.
  • User Business Units can be viewed in person views in the Admin Area.

In the Microsoft Power Platform admin center:

  1. Select the BrightWork 365 environment.
  2. Navigate to Settings > Users.
  3. Select the relevant user.
  4. Click Organization Information > Change business unit.
  5. Select the business unit that will be the user's home business unit.
  6. Click OK.

(Optional) Give Users Security Roles in Secondary Business Units

Users can only be a member of one business unit but can be given security roles in another business unit to broaden their access to Portfolios, Programs, and Projects. 

For example, Alex is a BrightWork Project Manager in Marketing, which is his home business unit. He can also be given the BrightWork Team Member security role in the Product Development business unit.

In the Microsoft Power Platform admin center:

  1. Select the BrightWork 365 environment.
  2. Navigate to Settings > Users.
  3. Select the relevant user.
  4. Click Roles > Manage roles.
  5. Select the desired secondary business unit in the Business unit drop-down.
  6. Select the Basic User and BrightWork Team Member security roles (at a minimum), and any other desired security roles the user needs.
  7. Click Save.

Hierarchy Examples

Open Access - No Security Model Implemented

One portfolio, and everything is in it. All users see all projects. 


Portfolio Security Model - Projects Secured by Department

Engineering users only see Engineering projects, and Marketing users only see Marketing projects.


Portfolio Security Model - Confidential Projects

Users who need to see everything would be in the Contoso All Access business unit, users who need to see all non-confidential projects would be in the Contoso Projects business unit, and there would be no users in the Confidential Projects business unit.

Access to projects in the Confidential Projects business unit is managed by the Access Level in each project team member record in the confidential project.  
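
The access rules in this article can be checked in a periodic access review. The following is an added example, not BrightWork or Microsoft code: it scans a user list for the BrightWork PMO Manager role, for roles held in secondary business units (including the Basic User and BrightWork Team Member minimum), and for users whose home business unit is Confidential Projects. The record shape, the sample users and the finding labels are assumptions made for illustration.

```python
# Added example: access review over an exported user list.
# The record shape and finding labels are assumptions, not a BrightWork format.
PMO_ROLE = "BrightWork PMO Manager"                            # role named in this article
SECONDARY_MINIMUM = {"Basic User", "BrightWork Team Member"}   # minimum named in this article
CONFIDENTIAL_BU = "Confidential Projects"                      # from the hierarchy example

# Constructed sample data; a real review would load an export of users,
# their home business unit and their security roles per business unit.
USERS = [
    {"user": "alex", "home_bu": "Marketing",
     "roles": {"Marketing": ["Basic User", "BrightWork Project Manager"],
               "Product Development": ["Basic User", "BrightWork Team Member"]}},
    {"user": "dana", "home_bu": "Contoso Projects",
     "roles": {"Contoso Projects": ["Basic User", PMO_ROLE]}},
    {"user": "sam", "home_bu": "Confidential Projects",
     "roles": {"Confidential Projects": ["Basic User", "BrightWork Team Member"]}},
    {"user": "kim", "home_bu": "Engineering",
     "roles": {"Engineering": ["Basic User", "BrightWork Team Member"],
               "Marketing": ["BrightWork Team Member"]}},
]

def review(users, confidential_bu=CONFIDENTIAL_BU):
    """Return sorted (user, finding, detail) tuples for manual follow-up."""
    findings = []
    for u in users:
        name, home = u["user"], u["home_bu"]
        for bu, roles in u["roles"].items():
            held = set(roles)
            if PMO_ROLE in held:
                # Sees everything, confidential projects included, whatever the BU.
                findings.append((name, "GLOBAL_ACCESS", bu))
            if bu != home:
                # Roles outside the home business unit broaden access.
                findings.append((name, "SECONDARY_BU_ROLE", bu))
                missing = SECONDARY_MINIMUM - held
                if missing:
                    findings.append((name, "SECONDARY_ROLES_INCOMPLETE",
                                     f"{bu}: missing {', '.join(sorted(missing))}"))
        if home == confidential_bu:
            # The confidential-projects example keeps this business unit empty.
            findings.append((name, "CONFIDENTIAL_BU_MEMBER", home))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(USERS):
        print(*finding, sep="\t")
```

Each finding is a prompt for a human decision: a secondary role may be intended, but it should match a recorded approval.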


Frequently Asked Questions

If a user does not have any access to a Project, Program, or Portfolio by any method, will they still display as a choice option in user drop-down fields?

Yes, this is by design.