Check effective user rights within a record
Effective user rights in Altus determine what a user can actually see and do within a specific record (e.g. project, risk, issue, or financial item).
These rights are not defined by a single setting—they are the result of multiple factors combined, including:
- Security roles
- Business Unit scope
- Team membership
- Record ownership and sharing
Understanding how to check effective user rights is essential for troubleshooting access issues and validating governance configuration.
Important: Platform & Permissions
Effective access is governed by:
- Power Platform / Dataverse security roles
- Business Units (scope)
- Teams and sharing
These are configured in:
- Power Platform Admin Centre
- Power Apps / Dataverse
How to Check Effective User Rights in Altus
Altus provides a built-in function to review effective access directly from within a record.
Method: Use “Check Effective Rights”
- Open the relevant Altus record (e.g. Project, Risk, Issue)
- Locate the Command Bar (ribbon) at the top of the record
- Select Check Effective Rights
- Choose the user you want to review (if prompted)
This will display the user’s effective permissions for that specific record, including:
- Whether they can read (view) the record
- Whether they can write (edit) the record
- Whether they can perform actions such as delete, assign, or share
👉 This provides the most accurate view of a user’s actual system access
Additional Validation (Optional)
You can also validate access by observing behaviour:
- Can the user open the record?
- Are fields editable or read-only?
- Can they perform actions (update, assign, approve)?
This complements the Check Effective Rights function with real-world validation.
What Determines Effective Access
Effective rights are determined by a combination of:
1. Security Roles
- Define what actions are allowed (Create, Read, Update, Delete, etc.)
2. Business Unit Scope
- Defines the data boundary (which records are accessible)
3. Team Membership
- Users inherit access from teams
- Teams may:
  - Have roles assigned
  - Own records
4. Record Ownership
- Records owned by:
  - The user
  - A team the user belongs to
5. Record Sharing
- Records can be shared directly with users or teams
- Can extend access beyond role-based permissions
Common Access Scenarios
Scenario 1: User Cannot See a Record
Possible causes:
- Business Unit restriction
- No role-based read access
- Not part of the owning team
Scenario 2: User Can See but Cannot Edit
Possible causes:
- Read-only permissions in role
- Limited privilege scope
Scenario 3: Different Access Between Users
Possible causes:
- Different role combinations
- Team membership differences
- Record ownership differences
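The combination rules and scenarios above can be reproduced with a simplified Python model. This is an added example, not Altus or Dataverse code; the class names, depth constants and sample users are hypothetical, and the parent/child business unit depth is left out. It returns each right together with the source that granted it, so two users can be compared on the same record.

```python
from dataclasses import dataclass, field

# Access depth of a role privilege, narrowest to widest. Simplified model:
# the parent/child business unit depth and hierarchy security are left out.
USER, BUSINESS_UNIT, ORGANIZATION = 1, 2, 3

@dataclass
class Principal:  # a user or a team
    name: str
    business_unit: str
    roles: list = field(default_factory=list)  # each role: {right: depth}
    teams: list = field(default_factory=list)  # teams the user belongs to

@dataclass
class Record:
    owner: str     # name of the owning user or team
    owner_bu: str  # business unit of the owner
    shared: dict = field(default_factory=dict)  # principal name -> rights

def effective_rights(user, record):
    """Return {right: [reasons]}; rights accumulate across every source."""
    result = {}
    for p in [user] + user.teams:
        via = "own role" if p is user else f"role of team '{p.name}'"
        for role in p.roles:
            for right, depth in role.items():
                if depth == ORGANIZATION:
                    why = "organization-wide scope"
                elif depth == BUSINESS_UNIT and record.owner_bu == p.business_unit:
                    why = "record is in the same business unit"
                elif record.owner == p.name:
                    why = "principal owns the record"
                else:
                    continue  # privilege exists but its scope excludes this record
                result.setdefault(right, []).append(f"{via}: {why}")
        for right in sorted(record.shared.get(p.name, ())):
            result.setdefault(right, []).append(f"shared with '{p.name}'")
    return result

# Constructed sample data; all names are hypothetical.
reader = {"read": BUSINESS_UNIT}
editor = {"read": USER, "write": USER}
pmo = Principal("PMO Team", "Europe", roles=[editor])
alice = Principal("alice", "Europe", roles=[reader], teams=[pmo])
bob = Principal("bob", "Americas", roles=[reader])
project = Record(owner="PMO Team", owner_bu="Europe")

if __name__ == "__main__":
    for u in (alice, bob):
        print(u.name, effective_rights(u, project))
```

In this sample, alice and bob hold the same reader role, yet bob sees nothing because the record sits in another Business Unit, while alice can also edit through the team that owns it.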
How This Impacts Altus
Effective access determines:
- Which projects and work items users can access
- What actions users can perform (edit, approve, manage)
- Visibility across portfolios and reporting
- Governance and compliance enforcement
Additional Reference
For detailed Microsoft guidance on how roles and permissions combine to determine access, refer to:
https://learn.microsoft.com/en-us/power-platform/admin/assign-security-roles
Key Considerations
- Effective access is cumulative across roles and teams
- Business Units define visibility boundaries
- Teams and sharing can extend access beyond roles
- The Check Effective Rights function is the most accurate way to validate access
Tips
- Always use Check Effective Rights first when troubleshooting access
- Validate using real user scenarios where needed
- Compare users to identify differences in configuration
- Trace access back through: Role → BU → Team → Ownership