• Identify how privileges, access levels, and security roles are used by
Microsoft Dynamics® CRM to ensure data integrity and privacy.
• Differentiate between the five types of access levels used within the
security roles.
• Create new security roles.
• Create new security roles by copying privileges and access levels
from existing security roles.
• Review how security roles are automatically created and updated
within an organizational hierarchy.
• Identify the limitations on maintaining inherited roles.
• Identify best practices that should be considered before configuring
security.
Introduction
Microsoft Dynamics CRM provides a security model that helps protect data
integrity and privacy, supports efficient data access and collaboration, and
supports recommended security best practices.
Configuring Security reviews the Microsoft Dynamics CRM Security model, the
components that make up the model, and how to manage them. This includes:
Types of Security
The goals of the Microsoft Dynamics CRM security model are accomplished
through the use of two types of security models, each of which is incorporated in
security roles.
The combination of role-based security and object security defines the overall
security rights that users possess within Microsoft Dynamics CRM. Default roles
are automatically created by the Microsoft Dynamics CRM Server Setup
program to make implementations simpler, quicker, and less costly. Custom roles
can also be created to satisfy unique security requirements.
In those cases, a “base” role is assigned to all users in the organization. Other
users (like front-line managers) may all need additional privileges. A new
security role with only those additional privileges can be created and assigned to
those users.
This topic examines the privileges and access levels built into each role, and
reviews the steps involved in creating new roles and customizing existing roles to
fit your business requirements.
Privileges and access levels work together through the use of security roles.
EXAMPLE: If a role allows the user to delete accounts, the access level
associated with the account delete privilege indicates which accounts the user
can delete.
Privileges
Data access is controlled through a combination of privileges and access levels
within security roles. Defining access levels for each entity and action through
security roles gives a System Administrator control over every record and action
a user can perform upon them.
Sharing Data
There are two basic types of privileges used in Microsoft CRM security roles.
The net result is that administrators are provided with precise control over every
action each user can perform in the system.
Privileges and their descriptions:
• Create: Allows the user to create a record for the specified entity.
Note: One additional stipulation exists when you create records for an
entity. As an added security measure, the role must provide both the
Create and Read privileges for that entity for the user to create a record.
• Read: Allows the user to read a record for this entity. This controls
which records are displayed on views and reports.
• Write: Allows the user to update (change) a record for this entity.
• Delete: Allows the user to delete a record for the entity.
• Append: Allows the user to append (attach) this entity to another entity.
• Append To: Allows the user to append other entities to this entity.
NOTE: The Append and Append To privileges work in combination with each
other. For example if a Note is attached to a Case, you must have the Append
privilege on the Note and the Append To privilege on the Case.
• Assign: Allows the user to assign ownership of a record for this entity
to another user.
• Share: Allows the user to share a record for this entity with another
user or team. Sharing enables another user to access a record.
Task-Based Privileges
The Business Management tab in each security role includes several task-based
privileges that are not related to a specific entity.
NOTE: While task-based privileges are located in most of the tabs within a
security role, the majority of tasks are located at the bottom of the Business
Management tab. This tab is displayed in Figure 2.5 for the Salesperson role.
Access Levels
Privileges indicate what actions a user can perform on each entity, whereas
access levels define which records for that entity the user can perform those
actions upon. Access levels are based on a combination of:
• User ownership
• The business unit to which the user belongs
Microsoft Dynamics CRM supports the following five access levels for each
privilege and entity (these are presented in “most-restrictive” to “least-
restrictive” order).
Hierarchical Access
Each access level includes records that are made available by all access levels
below the level that the privilege grants to the user. For example, if you have
Parent:Child Business Unit Read access for Accounts, by default you have
Business Unit and User Read access for Accounts as well. Figure 2.6 displays
this relationship.
EXAMPLE: Gail Erickson is the Sales Manager for Adventure Works’ Western
Region. Adventure Works has decided that there are some privileges the Sales
Manager must be restricted from performing, such as creating, writing, and
deleting Views. To guarantee this, the System Administrator creates a copy of the
default Sales Manager role and assigns the None access level to the Create,
Write, and Delete privilege for the Views entity. Gail is assigned this new,
customized role instead of the default Sales Manager role.
Security Roles
A security role is the combination of privileges and access levels for a specific
job function. Although you can create custom roles for individual users,
Microsoft Dynamics CRM's focus from an implementation standpoint is on
security roles at the job function level. This enables a specific role to be assigned
to one or more users, each of whom performs the same job function.
Default Roles
When Microsoft Dynamics CRM is installed, the Microsoft Dynamics CRM
Server Setup program automatically creates a series of default security roles in
the root business unit. The Microsoft Dynamics CRM 4.0 Enterprise,
Professional, and Workgroup editions install 13 default roles.
The security models for each Microsoft Dynamics CRM edition correspond
directly with the typical job functions performed within their target business
environments. For each default role:
Administrative
CEO-Business Manager
System Administrator
System Customizer
Customer Service
Customer Service Manager
Customer Service Representative
Scheduler
Schedule Manager
In small businesses, individual users generally perform multiple roles that are
typically split among multiple workers in medium to large-sized organizations.
This means the small business administrator may have to assign multiple
functional roles to each user because the default roles are associated with job
titles that may not exist in the small business.
• Because the access level settings within each default role are based
on extensive Microsoft market research, users are typically not
provided with privileges that fall outside the boundaries of
acceptable actions for their job function.
• Following deployment, each user's specific requirements relative to
those provided by their default role(s) can be analyzed and adjusted.
Role Characteristics
When users create a Microsoft Dynamics CRM security role, it must be assigned
to a specific business unit. The relationship between roles and business units
includes the following characteristics:
• A user can only be assigned roles that belong to the same business
unit to which the user is assigned.
• When a role is assigned to a user, the user has access to all the
privileges specified in that role as dictated by its access levels.
• A user can be assigned more than one role.
• If a user is assigned multiple roles, the user's privileges are the union
of access rights assigned to all those roles.
• If a user is assigned more than one role and the access level for a
specific entity and privilege conflicts between the roles, the access
level granted to the user is the least restrictive for that entity and
privilege.
EXAMPLE: Adventure Works assigned Mary Baker both the Sales Manager
and Marketing Professional roles. The Sales Manager role has Business Unit
Account Delete access, and the Marketing Professional role has User Account
Delete access.
This means Mary has Business Unit Account Delete access, because this access
level is less restrictive than User Account Delete.
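The rules above (ordered access levels, union of roles, least restrictive level wins) can be modeled in a few lines to review what a user's combined roles really allow. This Python sketch is an added example, not part of the original course or of Microsoft Dynamics CRM; the names Level, effective_role, can_act, widened_by and create_without_read, the business unit tree, and all role entries other than the two Account Delete levels from the Mary Baker example are assumptions. Record sharing is not modeled.

```python
from enum import IntEnum

class Level(IntEnum):
    """Access levels, ordered most restrictive to least restrictive."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3      # Parent:Child Business Units
    ORGANIZATION = 4

# Constructed business unit tree (child -> parent); the root has no parent.
BU_PARENT = {"Root": None, "Sales": "Root", "West": "Sales", "Support": "Root"}

# Roles map (entity, privilege) -> Level. The two Account Delete levels come
# from the Mary Baker example; every other entry is constructed.
SALES_MANAGER = {("Account", "Delete"): Level.BUSINESS_UNIT,
                 ("Account", "Read"): Level.PARENT_CHILD}
MARKETING_PRO = {("Account", "Delete"): Level.USER,
                 ("Campaign", "Create"): Level.ORGANIZATION}  # no Campaign Read

def effective_role(roles):
    """Union of roles; on conflict the least restrictive level wins."""
    merged = {}
    for role in roles:
        for key, level in role.items():
            merged[key] = max(merged.get(key, Level.NONE), level)
    return merged

def in_subtree(bu, ancestor):
    """True if bu is ancestor itself or one of its descendants."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def can_act(user, roles, entity, privilege, record):
    """Decide whether the user's combined roles cover this record."""
    level = effective_role(roles).get((entity, privilege), Level.NONE)
    if level == Level.ORGANIZATION:
        return True
    if level == Level.PARENT_CHILD:
        return in_subtree(record["owner_bu"], user["bu"])
    if level == Level.BUSINESS_UNIT:
        return record["owner_bu"] == user["bu"]
    if level == Level.USER:
        return record["owner"] == user["name"]
    return False

def widened_by(current_roles, new_role):
    """Privileges whose level rises if new_role is added: {key: (old, new)}."""
    before = effective_role(current_roles)
    after = effective_role(current_roles + [new_role])
    return {k: (before.get(k, Level.NONE), v) for k, v in after.items()
            if v > before.get(k, Level.NONE)}

def create_without_read(roles):
    """Entities with Create but no Read; Create is unusable without Read."""
    eff = effective_role(roles)
    return sorted(e for (e, p), lvl in eff.items()
                  if p == "Create" and lvl > Level.NONE
                  and eff.get((e, "Read"), Level.NONE) == Level.NONE)

# Constructed sample user and records.
MARY = {"name": "mary", "bu": "Sales"}
COLLEAGUE_ACCOUNT = {"owner": "gail", "owner_bu": "Sales"}
CHILD_BU_ACCOUNT = {"owner": "lee", "owner_bu": "West"}

if __name__ == "__main__":
    both = [SALES_MANAGER, MARKETING_PRO]
    print(effective_role(both)[("Account", "Delete")].name)
    print(can_act(MARY, both, "Account", "Delete", COLLEAGUE_ACCOUNT))
    print(widened_by([MARKETING_PRO], SALES_MANAGER))
    print(create_without_read(both))
```

Because merging only ever raises a level, running widened_by before assigning an extra role shows exactly which privileges the assignment would broaden.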
Any attempt to perform one of these actions causes an error. If your organization
requires modification to the privileges defined in the System Administrator role,
copy the role as a new role and modify the security rights in the new role.
To ensure that the default System Administrator role is assigned during the
installation of Microsoft Dynamics CRM Server 4.0 or during an upgrade from a
prior release, the following procedure has been implemented within the setup and
upgrade processes:
When running the Microsoft Dynamics CRM Server Setup program in a new
deployment, the System Administrator role is automatically assigned to the user
running the Setup program.
If the System Administrator role exists during an upgrade but is not assigned to a
user account in the Microsoft Dynamics CRM 3.0 implementation, the upgrade
program automatically assigns it to the user running the upgrade.
When a subsequent business unit is created within the organization, all the
security roles assigned to its parent business unit are copied to the new business
unit. This includes the default roles and any custom roles manually created at the
parent business unit.
NOTE: As you create each new business unit, the roles are copied from the new
business unit's Parent. The parent is the root when creating business units one
level down from the root. If the created business unit is more than one level
down from the root, the roles are copied from its parent and not from the root.
NOTE: When you create a security role for a business unit, the system
automatically creates the same role for all the child business units subordinate
to that business unit, regardless of how many subordinate business units there
may be.
In this example, assume you create a custom role titled Marketing Representative
and assign it to the Channel Marketing business unit. When you save the role, the
following occurs:
For a custom role to be assigned to all business units, create it at the root business
unit. Because all other business units are subordinate to the root, the system
automatically creates the role at all business units in the organizational structure.
Changing a Role
When you perform maintenance on a role, the changes are automatically applied
to the role at each child business unit. Using the graphic in Figure 2.17, assume
that after the Marketing Representative role was created the Director of
Marketing in the Channel Marketing business unit has requested that you change
the Account Delete privilege from User to Business Unit for the Marketing
Representative role.
Inherited Roles
When a user creates a custom role at a business unit, Microsoft Dynamics CRM
automatically copies the custom role to each of the business unit's child business
units. The new roles created at the child business units are referred to as
“inherited roles.” Those roles inherit the security rights of the custom role created
at the parent business unit.
The following rules control how inherited roles can be maintained in Microsoft
Dynamics CRM 4.0:
Microsoft Dynamics CRM 4.0 requires that all maintenance to security roles is
performed at the parent role level.
Parent role changes and deletions are automatically propagated down the
hierarchy and applied to the inherited role at each child business unit. This
ensures that all parent and inherited roles remain synchronized.
BEST PRACTICE: If any one of the default roles does not fit your organization's
security needs, copy the role to a new role, modify the new role as required, and
leave the default role unchanged. This permits the default security roles to act
as templates and ensures a consistent set of security privileges across all
business units.
The focus of this lesson is on ways in which you can create a new role. You can
do so in one of two ways:
• When you create a new role, you must select the business unit to
which the role will be assigned when entering role information in the
New Role form.
• If you create a new role by copying an existing role, the business unit
associated with the role being copied is the same business unit to
which the new role will be assigned.
When you create a new role by copying an existing one, you cannot copy a role
from one business unit to another. You must display the roles for the target
business unit, and from that list, select the role you want copied. The new role
you create is assigned to that same target business unit.
NOTE: If you select the Open a new security role when copying is complete
check box, the system creates the new role from the existing role and then opens
the new role so that it can be edited. After you make the required edits to the new
role, click Save or Save and Close.
o Business Management
o Service Management
o Customization
o Custom Entities
After creating the security role, you can edit any one of the entities.
6. Click None Selected in each row of the table to change the privilege
depth. With each click, the symbol cycles through the applicable
symbols for that record and access level. Depending on the record
and access level, you can advance one or more levels.
For example, for Account, Contact, or Lead, you can set User,
Business Unit, or Organization levels. However, for Relationship
Role, you can only set it at the Organization level. One or more of
the following privileges might be available for a specific entity:
o User
o Business Unit
o Parent: Child Business Units
o Organization
You do not have to click through the access levels for each of the 300 privileges
when creating a new role. When you create a new role, all the access levels are
set to None by default. To speed up the process of assigning access levels, you
can do one of the following:
After finding a set of access levels combinations that are generally acceptable to
your organization, you can change any individual exceptions to meet your
requirements. This process is faster than clicking through the combinations of
access levels for each privilege and entity.
Figure 2.20 and Figure 2.21 display a sequence of screens to create a new role
using the privilege shortcut. This example clicks a specific privilege and cycles
through the various combinations of access levels for that privilege and each
entity in that tab.
As shown in Figure 2.20, all access levels are set to None when the role is
created.
Next, click the Create column heading. In Figure 2.21, the screen displays a
combination of access levels for this privilege and each entity in this tab.
When you continue to click the Create column heading, the combinations of
access levels change from the most restrictive (User access) to the least
restrictive (Organization access).
Clicking the entity displays a set of default access levels for each privilege on
that tab. A different set of access levels appears each time you click the privilege.
The system displays combinations of the most restrictive access levels through
the least restrictive.
In another example, Figure 2.22 displays a new role where access levels are set to
None when the role is created.
After you click the List entity in Figure 2.23, note the change to the access levels
for each privilege on the tab. If you continue to click the List entity, note that the
combinations of access levels change from the most restrictive (User access) to
the least restrictive (Organization access).
Besides using the default roles, you can create custom security roles for your
organization, either by creating a new role or by copying an existing default or custom role. When
you create a new role, you must assign it to a specific business unit. All child
business units of the business unit in which you create the new security role are
assigned the new security role. As new roles are propagated down the
organizational hierarchy, so are changes and deletions made to security roles.
1. To copy a role, first change the Security Roles view to display the
roles in the business unit associated with the role you are copying.
This is also the business unit to which the new role will be assigned.
Click NationalChannelMarketing from the Business Unit drop-
down list.
Open these two roles and verify the settings made earlier.
Scenario
Goal Description
The testing phase uncovers that Gail Erickson requires different permissions than
what the Sales Manager role provides. Because the recommended best practice is
to refrain from modifying the default roles, it is decided that you will copy the
Marketing Professional role in the Adventure Works Cycle business unit as a
new Marketing Representative role, and then customize the new role to meet
Gail's requirements.
The Testing department also discovers that Roger Van Houten can provide better
support for OEM customers if a unique OEM Support role is created in the
Customer Support business unit and tailored to meet the needs of this market.
You have been asked by the Project Team to create the two new roles.
Copy the Marketing Professional role in the Adventure Works Cycle business
unit as a new Marketing Representative role. In the Marketing Representative
role, modify the following access levels:
• In the Sales tab, change the Write, Delete, and Share privileges from
Business Unit access to User access for the Quote entity.
• In the Marketing tab, change all the privileges for the Marketing List
and Campaign entities to Organization access. Use the entity shortcut
method to expedite this change.
Add a new role titled OEM Support to the Customer Support business unit.
Assign the following access levels and privileges to this role (for the purposes of
the exercise, ignore the other entities in these two tabs).
Case O N N N N N N N
Contract O N N N O O N N
TABLE 2-3: OEM SUPPORT PRIVILEGES
U = User Level
O = Organization Level
N = None
Challenge Yourself!
Step by Step
Step 1 - Copy the Marketing Professional Role
Case O N N N N N N N
Contract O N N N O O N N
TABLE 1 - OEM SUPPORT PRIVILEGES
U = User Level
O = Organization Level
N = None
Best Practices
There are several best practices to consider when you configure an organization's
Microsoft Dynamics CRM security model.
o Existing data security strategies are the best fit for your CRM
deployment, considering both short and long term priorities.
o Changes to strategy must be implemented given the new tools
being implemented.
Summary
This course reviewed the core concepts that are part of Microsoft Dynamics
CRM security: privileges, access levels, and roles. It also examined the
procedures required to create new roles and to create new roles by copying and
modifying existing roles. Lastly, it discussed the characteristics associated with
maintaining access levels for roles that have been inherited from parent business
units.
2. What is the most basic security unit that is used as the core of security
checks?
4. If a sales representative, Joe, has User Delete access for Leads, then what
Leads can he delete?
5. A user is assigned two security roles. One provides User Account Delete
access, and the second provides Parent:Child Business Units Account Delete
access. What access right will this user have to delete accounts?
6. True or False: If a user is assigned multiple Roles, the Privileges are the
union of all the privileges assigned to all of the user's Roles.
( ) True
( ) False
7. List several of the key features of the Microsoft Dynamics CRM security
model.
8. Fill in the blank. When a custom role is created at a business unit and
automatically copied to each of its child business units, the new roles created
at the child business units are referred to as ___________ roles.
9. Which of the following are valid rules for the maintenance of inherited roles?
(Select all that apply.)
( ) Inherited roles cannot be modified or deleted.
( ) To change an inherited role, you must modify the parent role from which
the inherited role originated
( ) If you add a role and a role with the same name exists at the parent
business unit, the role that you create inherits all of the privileges
associated with the same role
( ) All of the above.
10. True or False. When you create a new role by copying an existing role, you
can copy any security role from any business unit in your Microsoft
Dynamics CRM deployment.
( ) True
( ) False
Solutions
Test Your Knowledge
1. What is the primary purpose of the default security roles?
Microsoft Dynamics CRM by assigning each user one or more default roles
2. What is the most basic security unit that is used as the core of security
checks?
MODEL ANSWER - Privileges are the most basic security unit in Microsoft
Dynamics CRM, defining what actions a user can perform on each entity in
the system.
4. If a sales representative, Joe, has User Delete access for Leads, then what
Leads can he delete?
someone else that have been shared with him Shared with teams in which Joe
is a member
5. A user is assigned two security roles. One provides User Account Delete
access, and the second provides Parent:Child Business Units Account Delete
access. What access right will this user have to delete accounts?
privileges. This is the least restrictive of the two conflicting Account Delete
6. True or False: If a user is assigned multiple Roles, the Privileges are the
union of all the privileges assigned to all of the user's Roles.
( ) True
(•) False
7. List several of the key features of the Microsoft Dynamics CRM security
model.
MODEL ANSWER - The following are just a few of the key features: –
Preventing users from accessing entities that have not been shared with them.
8. Fill in the blank. When a custom role is created at a business unit and
automatically copied to each of its child business units, the new roles created
at the child business units are referred to as ___________ roles.
9. Which of the following are valid rules for the maintenance of inherited roles?
(Select all that apply.)
(√) Inherited roles cannot be modified or deleted.
(√) To change an inherited role, you must modify the parent role from which
the inherited role originated
( ) If you add a role and a role with the same name exists at the parent
business unit, the role that you create inherits all of the privileges
associated with the same role
( ) All of the above.
10. True or False. When you create a new role by copying an existing role, you
can copy any security role from any business unit in your Microsoft
Dynamics CRM deployment.
( ) True
(•) False