This article discusses the importance of security roles in protecting organizational data and demonstrates how to easily create security roles in Microsoft Dynamics CRM.
Originally published in H1 2018 D365UG/CRMUG Magazine
Security roles and business units help protect organizational data access and enable collaboration. They work together as Users can access and work on the records based on the privileges, levels of access provided, and business units they belong to. Additionally, security roles and business units are linked together to limit the records a User can see and access.
Security roles in CRM are a matrix of privileges (create, read, write, delete, append, append to, assign, and share) and access levels (none, User, business unit, parent child business units, and organization) for each entity; they are applied to both out-of-box entities and custom entities. At the bottom, there are miscellaneous privileges that provide other security options (audit, publish templates, bulk delete, etc.) that are to be applied for a security role as needed.
There are some default security roles that can be used and are created when CRM is first set up. They are created under default/root business unit. A security role can be created, managed, deleted, and assigned. Each User should have at least one role to be able to access the system, which means they can have more than one security role and every privilege in it is available, and the highest level of security role assigned will be provided. (For example, if a User has a salesperson role and a sales manager role assigned, the User will have access to the sales manager privileges as well).
To create a new security role, navigate to: Settings > Security > Security Roles. New roles can be created in one of three ways:
- New button at the top
- Modify default security role
- Copy existing role
The best way to create a new security role from the options listed above is “Copy Role,” as shown in the screenshot below, by selecting a security role you want to copy. Our organization, CMC, has also copied most of our default existing roles and modified the copied roles as needed, based on the security role. It is also easier and relatively faster to work with copying an existing role rather than creating one from scratch. This also gives us the privilege to go back and refer to the roles when needed, as once you change the out-of-box security roles they are unavailable; therefore, there’s no reference point.
Also, as mentioned, business units, teams, and User security roles work together. As seen in the above screenshot, there is an option to select business unit and edit related security roles. There is a default business unit created when CRM is initially installed, which is the primary/root business unit that cannot be removed, and it also has the same name as that of an organization’s, where there can be other business units created individually, called the child business units with a default business unit being the parent business unit. Each of these units can have one parent business unit, and when a security role is updated, created, or modified in the parent unit, it gets inherited in all of its child business units. Also, we cannot directly edit roles in child business units; the changes can only be made in parent business units and inherited to child business units, as in the below screenshot.
Here are a few points to remember about security roles:
- Copy an existing role and modify access rights.
- Create security roles with the idea of providing least privilege (access and privileges just to perform the action).
- Limit the number of people that can have the system admin role. (You can also create a security roles dashboard to keep track of the roles assigned to Users. CRM Chart Guy shows how to do this.)
- Teams can also be used to assign security roles, as they provide easy access and sharing of records to Users on top of their individual security roles assigned.