Describe the default roles and security models in Altus

Altus security is built on top of the Microsoft Dataverse security model, using roles to control what users can see and do within the system.

Altus provides three key layers of security:

  • Basic Security Model (required foundation)
  • Modular Security Model (optional, for additional access)
  • Business Unit (BU) Model (defines scope of access)

Users must have at least one Basic Security Role to operate Altus effectively.

For full role definitions and access matrices, refer to:
https://docs.altus.pro/products/AltusPPM/Configuration/Security/index.html 


Important: Platform & Permissions

Security roles are not managed directly within the Altus UI.

They are configured in:

  • Power Platform Admin Centre
  • Power Apps / Dataverse environment

These tasks typically require System Administrator-level access.


Additional Reference

For detailed Microsoft guidance on how security roles work (permissions, scope, and assignment), refer to:
https://learn.microsoft.com/en-us/power-platform/admin/assign-security-roles


Basic Security Model

The Basic Security Model provides the foundation for all users.

  • Roles are layered, with each role building upon the previous one
  • Designed to support day-to-day usage of Altus
  • Users must have at least one Basic role assigned
  • Each role progressively increases capability and access

These roles define broad access such as:

  • Viewing and updating project data
  • Participating in delivery and governance processes

Modular Security Model

The Modular Security Model enables more granular control.

  • Roles can be combined with Basic roles
  • Provide access to specific features or modules
  • Users can hold multiple modular roles

This allows organisations to:

  • Tailor access based on role/function
  • Enable additional capabilities without over-permissioning

Business Unit (BU) Model

The Business Unit model defines the scope of access within Altus.

Security roles do not just define what users can do — they also define where they can do it.

Access is controlled through different scope levels:

  • User (Basic) – Access to records the user owns or that are shared
  • Business Unit (Local) – Access to records within the user’s business unit
  • Organisation (Global) – Access to all records across the environment

Scopes determine how broadly permissions apply across the organisation.


How Roles, BU, and Teams Work Together

Security in Altus is a combination of:

  • Security Role → Defines permissions (Create, Read, Update, Delete, etc.)
  • Business Unit → Defines scope (which records)
  • Teams → Provide shared ownership and group-level access

For example:

  • A user may have permission to edit records
  • The Business Unit determines which records they can edit
  • Teams can extend access to shared project data
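
The interaction of role, scope and team described above, as an added example (not Altus or Dataverse code): a simplified Python model of the access decision, using only the three scope levels listed on this page. Role, user and team names are hypothetical, and treating team-owned records as reachable at User scope is an assumption of this model.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Scope levels from this page: User (Basic) < Business Unit (Local) < Organisation (Global)
Scope = IntEnum("Scope", "USER BUSINESS_UNIT ORGANISATION")

@dataclass
class Role:
    name: str
    basic: bool                       # True for a Basic Security Role
    grants: dict                      # privilege name -> Scope

@dataclass
class User:
    name: str
    business_unit: str
    roles: list
    teams: set = field(default_factory=set)

@dataclass
class Record:
    owner: str                        # a user name or a team name
    business_unit: str
    shared_with: set = field(default_factory=set)

def effective_scope(user, privilege):
    # Roles are additive: the widest scope granted by any assigned role applies.
    return max((r.grants[privilege] for r in user.roles if privilege in r.grants), default=None)

def can(user, privilege, record):
    scope = effective_scope(user, privilege)
    if scope is None:
        return False                  # no assigned role grants this privilege
    if scope == Scope.ORGANISATION:
        return True
    if scope == Scope.BUSINESS_UNIT and record.business_unit == user.business_unit:
        return True
    # User scope (also the floor for wider scopes): owned, team-owned, or shared.
    return record.owner in ({user.name} | user.teams) or user.name in record.shared_with

def has_basic_role(user):
    return any(r.basic for r in user.roles)

# Constructed sample data; all role, user and team names are hypothetical.
VIEWER = Role("Basic Viewer", True, {"Read": Scope.BUSINESS_UNIT})
EDITOR = Role("Module Editor", False, {"Read": Scope.USER, "Write": Scope.USER})
alice = User("alice", "Finance", [VIEWER, EDITOR], teams={"PMO Team"})
bob = User("bob", "IT", [EDITOR])
finance_risk = Record(owner="carol", business_unit="Finance")
it_project = Record(owner="PMO Team", business_unit="IT")
```

Here alice can read finance_risk through Business Unit scope but can write only it_project, which her team owns; bob holds a modular role alone and fails the Basic-role check.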

How This Impacts Altus

This combined model controls:

  • Which projects, risks, issues, and deliverables users can access
  • Whether users can:
    • View
    • Edit
    • Approve
    • Delete
  • Visibility across:
    • Projects
    • Programs
    • Portfolios

It also supports:

  • Team-based ownership of records
  • Controlled access across organisational boundaries

Key Considerations

  • Always assign at least one Basic role
  • Use Modular roles to extend access where required
  • Understand that Business Units control data visibility
  • Follow the least privilege principle
  • Avoid modifying default roles unless required

In summary, the security model has three parts:

  • Roles = what you can do
  • Business Unit = where you can do it
  • Teams = how access is shared


Altus Help Centre