Reputation: 187
I want to define a security model in the CRM Service module (I am using private queues & Owner teams), where users can access cases/tickets assigned to
1.) self,
2.) Owned by the team itself where they are part of
3.) Owned by team members, who are part of teams where I am also a team member.
Out-of-Box, only user level or BU level permissions can be defined.
User-level security lets users access all the tickets (cases) assigned to self and owned by teams. The Business Unit level security model lets users access all the tickets owned by all the users in that BU, irrespective of their team membership.
How can we solve such a security model?
Upvotes: 1
Views: 245
Reputation: 642
Instead of assigning cases to a team, assign them to a non-interactive user account that is part of a team. Then you can use a view with this filter criteria to see all cases owned by someone on your team:
This filter will give "Me" the ability to see all the cases owned by people that are on the same team(s).
NOTE: You should exclude the root business unit from your view (red box) because every user is automatically added to that team.
Upvotes: 0
Reputation: 22846
Answer Edited after further analysis:
If you want to keep the owning user intact, you should be using the object-based security model by calling GrantAccessRequest whenever a ticket is created. You should query the teams the ticket owner is part of and share with all those teams. This is like UI record sharing to a team, but from a plugin instead. POA size will grow relatively. (This will take care of Tickets 1, 2, 3, 4 and 5.)
Also User2 will get access for Tickets 4 & 5 only.
Security role should have user level Read/Edit access. Same role has to be assigned for Team as well. (This will take care of Tickets 1,2 and 3 + skip Tickets 6 and 7)
I would not recommend the rabbit hole Access teams approach for this scenario unless needed.
Upvotes: 2
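The sharing approach described in the answer above, sketched as a plugin. This is an added example, not code from any of the posters. The class name, the post-operation Create registration on `incident`, the Read/Write share mask, and the exclusion of business-unit default teams are assumptions.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Hypothetical plugin; assumed registration: Create of incident, post-operation.
public class ShareCaseWithOwnerTeams : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        if (context.PrimaryEntityName != "incident") return;

        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        // null = run as SYSTEM, so the share does not depend on the caller's own rights.
        var service = factory.CreateOrganizationService(null);

        // Read the owner from the stored record rather than trusting the request payload.
        var incident = service.Retrieve("incident", context.PrimaryEntityId, new ColumnSet("ownerid"));
        var owner = incident.GetAttributeValue<EntityReference>("ownerid");
        if (owner == null || owner.LogicalName != "systemuser") return; // team-owned: nothing to share

        // Owner teams the case owner is a member of.
        var query = new QueryExpression("team") { ColumnSet = new ColumnSet("teamid") };
        query.Criteria.AddCondition("teamtype", ConditionOperator.Equal, 0);     // 0 = owner team
        // Assumption: skip BU default teams, otherwise every user in the BU gains access.
        query.Criteria.AddCondition("isdefault", ConditionOperator.Equal, false);
        var link = query.AddLink("teammembership", "teamid", "teamid");
        link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, owner.Id);

        foreach (var team in service.RetrieveMultiple(query).Entities)
        {
            // One PrincipalObjectAccess (POA) row is written per team per case.
            service.Execute(new GrantAccessRequest
            {
                Target = incident.ToEntityReference(),
                PrincipalAccess = new PrincipalAccess
                {
                    Principal = team.ToEntityReference(),
                    // Assumed mask: grant only what the scenario needs, not Share/Assign/Delete.
                    AccessMask = AccessRights.ReadAccess | AccessRights.WriteAccess
                }
            });
        }
    }
}
```

Shares created this way do not follow later changes: reassigning a case or changing team membership leaves the old grants in place unless separate handling revokes them.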