Security RolesSecurity roles in Microsoft Dynamics CRM are a matrix of privileges and access levels for the various entities. They are grouped under different tabs based on their functionality. These groups include: Core Records, Marketing, Sales, Service, Business Management, Service Management, Customization and Custom Entities.

Privileges Privileges are the basic security units that delineate what action a user can perform on the CRM system. These cannot be added or deleted but only modified. The common privileges in Microsoft Dynamics CRM for each entity are as follows: Create — Allows the user to add a new record Read — Allows the user to view a record Write — Allows the user to edit a record Delete — Allows the user to delete a record

Append — Allows the user to attach other entities to, or associate other entities with a   parent record

Append to — Allows the user to attach other entities to, or associate other

entities with the record

The bottom level lists miscellaneous privileges such as viewing audit history/summary, bulk delete, publish e-mail templates/reports/articles and so on.

Levels of AccessThis is indicated by the degree of fill and color of the little circles against each entity for each privilege. These levels determine the records of an entity upon which the user can perform a given privilege. The 5 levels of access are as follows: None — No privileges given User — Privileges to the records owned by the user or shared with the user. Also

includes the privileges owned by the team to which the user belongs. Business Unit — Privileges for all records owned in the business unit to which

the user belongs Parent: Child Business Unit — Privileges for all records owned in the business

unit to which the user belongs and to all the child business units subordinate to that business unit

Organization — Privileges for all records in the organization regardless of who owns it

what are the Business Unit

 

To Create a business unit navigate

Setting->Security->Business Unit.

Business units are the foundation of security structure in Microsoft Dynamics CRM. Each user in the CRM has to be part of business unit. There is a default business

units that is create when a CRM is installed. This is called the root business unit and it can’t be deleted or disabled only can be rename. More business unit can be created if different level of action to information is required for different group in organization. There must be at least one business unit in the CRM and only one root business unit. The root business unit is the top most point of the CRM organization hierarchy and all other business units are children.

How to create a Security Role

Usually a base security role is assigned to each user. Additional privileges assigned adding a role with more privileges since the higher authority prevails. If the default security role is not meeting the organization’s security needs, new role can be created in one of these way as bellow…

*Modify the default role.

Or

*Create a new custom role from scratch.

Or

*Coping an existing role as a new role.

Note:

Do not create a new security role from sketch. Copy an existing role and modify it. There are 580 pre-defined privileges. Hence it is better way of doing it and it also maintains consistency.

A role can’t be copied to another business unit.

User

Users in Microsoft dynamics CRM are individuals who have specific login and password. Each user can have one or more security role but each user should belong to at least one security role to able to access the CRM. Each user is part of a business unit and can be assigned to only one business unit.

Microsoft dynamics CRM provide following functionality for user maintenance .

*Creating Users.

*Creating Team.

*Enabling and Disabling Users.

*Deleting Users.

*Assigning Security Role to the Users.

*Identifying managers for Users.

*Assigning Users to Teams.

To Create Users

Setting->Security->Users.

Or

Setting->Administration->Subscription Management.

Note:

It is always better to disable a user than delete him and before doing this all the user record of this user assigned to another user.

Team

Microsoft Dynamics CRM teams are collection of Users who can belong to same or different business unit.

To Create Team

Setting->Security->Team.

Important privilegesAppend and Append To basically deals with entities that are basically parties 1:N or N:1 relationship.

Append-When a entity has lookup of another entity on it form. It is important that the user have append privilege on this entity so that it can set the value on the lookup on this entity.

E.g->Contact has a lookup account on its form so the here the user need to have the append privilege to be able to set the parent account.

If you not provide append to privilege the parent account will be disabled means you can’t set parent account record.

Append To-when a entity available as a lookup on another entity form. It is important that the user can have Append To privilege on the entity that referred to in the lookup so that it can get the value of lookup of this entity on another form.

E.g-Account has a lookup primary contact so here the user need to have append To privilege to be able to set primary contact of account field.

Otherwise primary contact field will be diabled.

Assigning RecordAnyone with Assign privileges on a record can assign that record to another user. When a record is assigned, the new user or team becomes the owner of the record and its related records. The original user or team loses ownership of the record, but automatically shares it with the new owner.

In Microsoft Dynamics CRM, the system administrator can decide for an organization whether records should be shared with previous owners or not after the assign operation. If Share with previous owner is selected, then the previous owner shares the record with all access rights after the assign operation. Otherwise, the previous owner does not share the record and may not have access to the record, depending on his or her privileges. The Organization.ShareRoPreviousOwnerOnAssign attribute controls this setting.

Sharing and inheritanceIf a record is created and the parent record has certain sharing properties, the new record inherits those properties. For example, Joe and Mike are working on a high priority lead. Joe creates a new lead and two activities, shares the lead with Mike, and selects cascade sharing. Mike makes a telephone call and sends an email regarding the new lead. Joe sees that Mike has contacted the company two times, so he does not make another call.Sharing is maintained on individual records. A record inherits the sharing properties from its parent and also maintains its own sharing properties. Therefore, a record can have two sets of sharing properties—one that it has on its own and one that it inherits from its parent.

Removing the share of a parent record removes the sharing properties of objects (records) that it inherited from the parent. That is, all users who previously had visibility into this record no longer have visibility. Child objects still could be shared to some of these users if they were shared individually, not from the parent record.

Example=>Create a Admin user and who have the privilege to a access all the business units and inside the business units teams ,users and all the business units which have parent child relationship. Create a manager who has privilege to access their related employees record but manager does not has the privilege to admin access in the same way employee does not has privilege to manager access .

Solution=>Sign in the admin now create a business unit as bellow …

Go to Setting->Security->Business Units->New

Now create on Employee Business Units as bellow…

Now add user in manager business unit…

First of all create Custom entity Test A and Test B by the Admin.

Go to->Setting->User->Admin->Active User->Add User.

now add the User in Manager Business unit..

samplemanager@crm264.onmicrosoft.com

In the same way add another user in a Employee Business unit..

sampleemployee@crm264.onmicrosoft.com

now create security role for manager as bellow..

And assign it to samplemanager@crm264.onmicrosoft.com user which have a managerial access.

Now same as add a user to Employee Business Unit sampleemployee@crm264.onmicrosoft.com and create on another security role for that as bellow..

And assign it to sampleemployee@crm264.onmicrosoft.com ..

Now in Test A entity create one field named mobile and which should have the field security enable it means except admin no any no any user can the see the record because the contact is confidential. We can enable the field security on the creation of the field as bellow…

By default the field security is disabled you can make it enable.

Now start to create the record which is will be shown you for the field security field except admin to manager and employee as bellow and manager can have employee access ,employee can have only own record access and admin have manager as well as employee record access…

The field security field mobile is looking ***** which have the field security enable.

thanks