Você está na página 1de 46

Chapter 2: Configuring Security

CHAPTER 2: CONFIGURING SECURITY


Objectives
The objectives are:

• Identify how privileges, access levels, and security roles are used by
Microsoft Dynamics® CRM to ensure data integrity and privacy.
• Differentiate between the five types of access levels used within the
security roles.
• Create new security roles
• Create new security roles by copying privileges and access levels
from existing security roles.
• Review how security roles are automatically created and updated
within an organizational hierarchy.
• Identify the limitations on maintaining inherited roles.
• Identify best practices that should be considered before configuring
security

Introduction
Microsoft Dynamics CRM provides a security model that helps protect data
integrity and privacy, supports efficient data access and collaboration, and
supports recommended security best practices.

Configuring Security reviews the Microsoft Dynamics CRM Security model, the
components that make up the model, and how to manage them. This includes:

• Identifying the basic concepts of security privileges and access


levels. Includes security components that control what actions a user
can perform on each entity and the records the user can perform
those actions upon.
• Using security roles in the Microsoft Dynamics CRM system.
Includes a review of the predefined security roles automatically
created in Microsoft Dynamics CRM during installation of the
product. It also examines how security roles are created and
maintained in business units.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-1


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Microsoft Dynamics CRM Security Features


The goals of the Microsoft Dynamics CRM security model include the following:

• Give users access to the appropriate levels of information that is


required to do their jobs.
• Categorize types of users to define roles and restrict access based on
those roles.
• Support data sharing so that users can be granted access to objects
they do not own for a specified collaborative task.
• Prevent a user from accessing objects that the user does not own or
share.

FIGURE 2.1: FUNCTION OF ROLES

Types of Security
Goals of the Microsoft Dynamics CRM securirty model are accomplished
through the use of two types of security models, each of which is incorporated in
security roles.

• Role-based security in Microsoft Dynamics CRM focuses on


grouping a set of privileges together that describe the tasks
performed by a user in a specific job function.
• Object-based security in Microsoft Dynamics CRM focuses on user
rights to the primary business objects such as Leads, Opportunities,
Contacts, Accounts, and Incidents (Cases). This kind of security
forms the core of the Microsoft Dynamics CRM solution.

2-2 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

The combination of role-based security and object security defines the overall
security rights that users possess within Microsoft Dynamics CRM. Default roles
are automatically created by the Microsoft Dynamics CRM Server Setup
program to make implementations simpler, quicker, and less costly. Custom roles
can also be created to satisfy unique security requirements.

Security Configuration Options


Microsoft Dynamics CRM implementers and administrators must clearly
understand the use of security roles in their Microsoft Dynamics CRM
implementations. Three options are available when users configure system
security:

• Microsoft Dynamics CRM can be quickly deployed if you assign


each user one or more default roles that map to their job functions.
• For some businesses, the privileges and access levels included in the
default roles do not provide the preferred security level. In those
cases, the default roles serve as a template to create customized roles.
• In some businesses, custom roles can be used to represent tiers of
security. Some front-line users with different job functions may all
need the same privileges and access levels.

In those cases, a “base” role is assigned to all users in the organization. Other
users (like front-line managers) may all need additional privileges. A new
security role with only those additional privileges can be created and assigned to
those users.

This topic examines the privileges and access levels built into each role, and
reviews the steps involved in creating new roles and customizing existing roles to
fit your business requirements.

Privileges and access levels work together through the use of security roles.

• Privileges. Privileges define what actions a user can perform on each


entity in Microsoft Dynamics CRM. Privileges are pre-defined in
Microsoft Dynamics CRM and cannot be changed. A few examples
of privileges include:
o Create
o Read
o Write
o Delete

• Access Levels. Access levels indicate which records associated with


each entity the user can perform actions upon. Although default
access levels are assigned to each privilege, the access level can be
changed.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-3


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

EXAMPLE: If a role allows the user to delete accounts, the access level
associated with the account delete privilege indicates which accounts the user
can delete.

• Security roles. Each role provides a combination of privileges and


access levels specific to a Microsoft Dynamics CRM job function. A
licensed user must be assigned one or more roles before accessing
Microsoft Dynamics CRM.

FIGURE 2.2: ACCESS LEVEL, PRIVILEGE, AND ROLE RELATIONSHIP

Privileges
Data access is controlled through a combination of privileges and access levels
within security roles. Defining access levels for each entity and action through
security roles gives a System Administrator control over every record and action
a user can perform upon them.

Sharing Data

Although data sharing is controlled through access levels, it can also be


controlled through specific data sharing capabilities on each record. For more
information about sharing specific records, refer to the user help menu or the
Applications in Microsoft Dynamics CRM 4.0 training course.

2-4 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

There are two basic types of privileges used in Microsoft CRM security roles.

• Most privileges map to specific entities, such as delete Accounts,


read Contacts, and assign Service Cases.
• Other privileges are more administrative or task-based privileges that
do not map to a specific entity. These include privileges such as
Print, Export to Excel, and Assign Roles.

FIGURE 2.3: PRIVILEGE OVERVIEW

The net result is that administrators are provided with precise control over every
action each user can perform in the system.

EXAMPLE: A section of the default Sales Manager role is displayed in Figure


2.4. Privileges such as Create, Read, Write, and Delete are displayed along the
top of the tab, and the entities to which each privilege is associated are displayed
in the left column (Account and Contact). The icon under each privilege/entity
combination refers to the access level associated with that privilege and entity.

FIGURE 2.4: PRIVILEGES WITHIN A ROLE

Microsoft Official Training Materials for Microsoft Dynamics ® 2-5


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Common Privileges for each Entity


The primary security privileges available for most entities are shown in the
following table.

Privileges Description
Create Allows the user to create a record for the specified
entity.
Note: One additional stipulation exists when you
create records for an entity. As an added security
measure, the role must provide both the Create and
Read privileges for that entity for the user to create a
record.
Read Allows the user to read a record for this entity. This
controls which records are displayed on views and
reports.
Write Allows the user to update (change) a record for this
entity.
Delete Allows the user to delete a record for the entity.
Append Allows the user to append (attach) this entity to
another entity.
Append To Allows the user to append other entities to this entity.

NOTE: The Append and Append To privileges work in combination with each
other. For example if a Note is attached to a Case, you must have the Append
privilege on the Note and the Append To privilege on the Case.

Privileges Description
Assign Allows the user to assign ownership of a record for
this entity to another user.
Share Allows the user to share a record for this entity with
another user or team. Sharing enables another user to
access a record.

Task-Based Privileges
The Business Management tab in each security role includes several task-based
privileges that are not related to a specific entity.

• Some of these privileges are administrative type tasks, such as


Assign Role and ISV Extensions.
• Other privileges are more user-oriented, daily tasks that can be
applied to any entity, such as Export to Excel and Print.

2-6 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

NOTE: While task-based privileges are located in most of the tabs within a
security role, the majority of tasks are located at the bottom of the Business
Management tab. This tab is displayed in Figure 2.5 for the Salesperson role.

FIGURE 2.5: TASK-BASED PRIVILEGES IN EACH ROLE

Access Levels
Privileges indicate what actions a user can perform on each entity, whereas
access levels define which records for that entity the user can perform those
actions upon. Access levels are based on a combination of:

• User ownership
• The business unit to which the user belongs

Microsoft Dynamics CRM supports the following five access levels for each
privilege and entity (these are presented in “most-restrictive” to “least-
restrictive” order).

Access Level Description


None You cannot perform the action on that entity.
User You can only perform the action upon the records for
the entity you own, records shared with you, and
records shared with any team in which you are a
member.
Business Unit This gives user access in addition to the ability to
perform the action on all records for an entity owned
by users assigned to your business unit.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-7


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Access Level Description


Parent:Child This provides you with Business Unit access.
Business Unit Additionally, you have the ability to perform the
action on all records for an entity owned by users
assigned to business units subordinate to your
business unit, regardless of how far down in the
organizational hierarchy the subordinate business
units may appear.
Organization You can perform the action on all records for an
entity, regardless of who owns the record within the
organization.
TABLE 2-2: ACCESS LEVELS

Hierarchical Access
Each access level includes records that are made available by all access levels
below the level that the privilege granted to the user. For example, if you have
Parent:Child Business Unit Read access for Accounts, by default you have
Business Unit and User Read access for Accounts as well. Figure 2.6 displays
this relationship.

FIGURE 2.6: HIERARCHICAL ACCESS LEVELS

2-8 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Access Level - None


The None access level restricts the user from performing an action on any
records within that entity - even on records owned by the user. A privilege is not
assigned to a security role if the access level is set to None. Conversely, a
privilege is assigned to a role when the access level is changed from None to
another value.

EXAMPLE: Gail Erickson is the Sales Manager for Adventure Works’ Western
Region. Adventure Works has decided that there are some privileges the Sales
Manager must be restricted from performing, such as creating, writing, and
deleting Views. To guarantee this, the System Administrator creates a copy of the
default Sales Manager role and assigns the None access level to the Create,
Write, and Delete privilege for the Views entity. Gail is assigned this new,
customized role instead of the default Sales Manager role.

FIGURE 2.7: NONE ACCESS LEVEL

Microsoft Official Training Materials for Microsoft Dynamics ® 2-9


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Access Level - User


Except for the None access level, User access is the most restrictive of the
remaining levels that provide some form of access. If your role provides User
access for a specific entity and privilege, you can only perform that action on the
following records for that particular entity:

• Records you own


• Records owned by someone else but are shared with you
• Records shared with a team in which you are a member

EXAMPLE: In Adventure Works Cycle, Douglas Hite is a Customer Service


Representative in the Customer Support business unit. Douglas has “User
Account Create” and “User Account Write” access. The User level access for
these two privileges enables Douglas to create new Accounts and edit (change)
any records that are assigned to him, shared with him by other users, or shared
with any team in which he is a member.

FIGURE 2.8: USER ACCESS LEVEL

2-10 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Access Level - Business Unit


Business Unit access is the next step up from User level access. Business Unit
access for a specific entity and privilege gives you the following:

• User access rights


• Access to records owned by or shared with other users assigned to
the same business unit as you

EXAMPLE: Stefan DelMarco is the Customer Support Manager at Adventure


Works Cycle. He manages the Customer Service representatives and is required
to assign and review all accounts and cases assigned to these representatives.
Assigning him “Business Unit Case Create” access enables him to create cases
for any customer assigned to the Customer Support business unit. Similarly, if
Stefan has “Business Unit Account Delete” access, he can delete any Account
record that is owned by him or any user who is assigned to the Customer
Support Business Unit.

FIGURE 2.9: BUSINESS UNIT ACCESS LEVEL

Microsoft Official Training Materials for Microsoft Dynamics ® 2-11


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Access Level - Parent:Child Business Unit


Parent:Child Business Unit access is the next step up from Business Unit access.
Parent:Child Business Unit access for a specific entity and privilege gives you
the following:

• User and Business Unit access rights.


• Access to records owned by users and shared with users who are
assigned to any business unit subordinate to your business unit,
regardless of how deep in the organizational structure the user's
business unit appears.

EXAMPLE: Mary Baker is VP of Sales and Marketing for Adventure Works


Cycle. She manages all the Sales and Marketing representatives for the Field
Sales and Marketing Divisions. By assigning Mary “Parent:Child Opportunity
Read” access, she can view all opportunities owned by any user assigned to the
Sales & Marketing business unit or any one of its child business units. Because
the Adventure Works Cycle, Customer Care, Customer Support, and OEM
Support business units are not subordinate to Mary's business unit, she cannot
view opportunities owned by users assigned to those business units.

FIGURE 2.10: PARENT:CHILD BUSINESS UNIT ACCESS LEVEL

2-12 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Access Level - Organization


Organization access is the least restrictive of all access rights. Organization
access for a specific entity and privilege allows you to perform that action on
records owned by any user within the entire organization, regardless of the
business unit to which the owner belongs. There are no access restrictions with
Organization access.

EXAMPLE: David Lawrence is the System Administrator for Adventure Works


Cycle. He requires the ability to reassign ownership of any record in the system,
regardless of the business unit to which the owner of the record belongs. If his
System Administrator role gives him Organization Lead Assign access, David
can reassign any lead that is entered in the system, regardless of who owns the
record.

FIGURE 2.11: ORGANIZATION ACCESS LEVEL

Microsoft Official Training Materials for Microsoft Dynamics ® 2-13


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Security Roles
A security role is the combination of privileges and access levels for a specific
job function. Although you can create custom roles for individual users,
Microsoft Dynamics CRM's focus from an implementation standpoint is on
security roles at the job function level. This enables a specific role to be assigned
to one or more users, each of whom performs the same job function.

Default Roles
When Microsoft Dynamics CRM is installed, the Microsoft Dynamics CRM
Server Setup program automatically creates a series of default security roles in
the root business unit. The Microsoft Dynamics CRM 4.0 Enterprise,
Professional, and Workgroup editions install 13 default roles.

The security models for each Microsoft Dynamics CRM edition correspond
directly with the typical job functions performed within their target business
environments. For each default role:

• Access levels for read privileges are usually more liberal


(Organization and Parent:Child)
• Access levels for update privileges are strategically limited to the
operational requirements of each role

Microsoft Dynamics CRM includes the following default security roles:

Administrative
CEO-Business Manager
System Administrator
System Customizer

Customer Service
Customer Service Manager
Customer Service Representative
Scheduler
Schedule Manager

2-14 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Sales & Marketing


Vice President of Sales
Sales Manager
Salesperson
Vice President of Marketing
Marketing Manager
Marketing Professional

Default Roles – Microsoft Dynamics CRM Workgroup


Edition
There is no difference in the default roles automatically installed by the
Microsoft Dynamics CRM Server Setup program for the Enterprise Edition,
Professional Edition, and Workgroup Edition of Microsoft Dynamics CRM.
However, there may be a difference in how the roles are treated by organizations
running the Workgroup Edition.

In small businesses, individual users generally perform multiple roles that are
typically split among multiple workers in medium to large-sized organizations.
This means the small business administrator may have to assign multiple
functional roles to each user because the default roles are associated with job
titles that may not exist in the small business.

Consider the following issues when planning security roles in a Microsoft


Dynamics CRM Workgroup Edition deployment:

• The small business administrator may extend more privileges to each


user than desired if multiple functional roles are assigned to a user to
satisfy the user's security needs.
• Custom roles may be created to assign the exact combination of
privileges required by small businesses.

The Importance of Default Roles


There are several advantages to using Microsoft Dynamics CRM's default roles:

• The Microsoft Dynamics CRM user accounts can be quickly


activated, while providing a 360-degree view of customers.
• Each user can be assigned default roles based on job functions to
reduce system startup time.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-15


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

• Because the access level settings within each default role are based
on extensive Microsoft market research, users are typically not
provided with privileges that fall outside the boundaries of
acceptable actions for their job function.
• Following deployment, each user's specific requirements relative to
those provided by their default role(s) can be analyzed and adjusted.

Role Characteristics
When users create a Microsoft Dynamics CRM security role, it must be assigned
to a specific business unit. The relationship between roles and business units
includes the following characteristics:

• Each role must be assigned to a specific business unit.


• The security roles created for a business unit are automatically
inherited by each of its “child” business units when each child
business unit is created.
• Multiple business units may each contain a role that has the same
name, but the access levels for each privilege and entity may differ.

WARNING: Although it is possible to create multiple business units that have


the same name, this is generally not considered a best practice. It is better to
have roles with different names if the access levels are different. This prevents
confusion between roles.

When a Microsoft Dynamics CRM user account is created, it must be assigned at


least one security role to access Microsoft Dynamics CRM. The relationship
between roles and users includes the following characteristics:

• A user can only be assigned roles that belong to the same business
unit to which the user is assigned.
• When a role is assigned to a user, the user has access to all the
privileges specified in that role as dictated by its access levels.
• A user can be assigned more than one role.

EXAMPLE: Adventure Works Cycle has ten sales representatives in their


organization, four of whom maintain customer service information for the
corporate accounts. The System Administrator assigns the default Salesperson
role to each representative. This gives each representative the ability to view
both sales and customer service information about each account. However, it
does not give representatives the ability to add or maintain customer service
cases or other service-related information. Because four of the representatives
need this update capability, the System Administrator assigns them the Customer
Service Representative role. Therefore, six of the representatives have the
Salesperson role, and four have both the Salesperson and Customer Service
Representative roles.

2-16 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

• If a user is assigned multiple roles, the user's privileges are the union
of access rights assigned to all those roles.
• If a user is assigned more than one role and the access level for a
specific entity and privilege conflicts between the roles, the access
level granted to the user is the least restrictive for that entity and
privilege.

FIGURE 2.12: ROLE CHARACTERISTICS

EXAMPLE: Adventure Works assigned Mary Baker both the Sales Manager
and Marketing Professional roles. The Sales Manager role has Business Unit
Account Delete access, and the Marketing Professional role has User Account
Delete access.
This means Mary has Business Unit Account Delete access, because this access
level is less restrictive than User Account Delete.

FIGURE 2.13: ROLE TERMINOLOGY

Microsoft Official Training Materials for Microsoft Dynamics ® 2-17


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

System Administrator Role


The System Administrator role is unlike any other default role because it
provides administrative control over security and maintenance to the entire
application. A unique set of restrictions is placed on this role that are not
included with any other default role. This includes the following:

• The default System Administrator role cannot be deleted or


modified.
• The last user account assigned the System Administrator role cannot
be disabled.

Any attempt to perform one of these actions causes an error. If your organization
requires modification to the privileges defined in the System Administrator role,
copy the role as a new role and modify the security rights in the new role.

To ensure that the default System Administrator role is assigned during the
installation of Microsoft Dynamics CRM Server 4.0 or during an upgrade from a
prior release, the following procedure has been implemented within the setup and
upgrade processes:

When running the Microsoft Dynamics CRM Server Setup program in a new
deployment, the System Administrator role is automatically assigned to the user
running the Setup program.

If the System Administrator role exists during an upgrade but is not assigned to a
user account in the Microsoft Dynamics CRM 3.0 implementation, the upgrade
program automatically assigns it to the user running the upgrade.

FIGURE 2.14: SYSTEM ADMINISTRATOR ROLE

2-18 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

System Customizer Role


Microsoft Dynamics CRM 4.0 includes a System Customizer role designed for
users who customize forms, views, and mappings through the System
Customization tool.

• The System Customizer role enables non-system administrators to


customize forms, views, and mappings.
• By default, the System Customizer role has fewer administrative
privileges than the System Administrator role.

Roles and Business Units


Roles are configurable within Microsoft Dynamics CRM and may be modified or
removed as required to fit the needs of the organization. Assigning roles to
business units enables each role to be customized to fit each business unit's
security model.

Creating Security Roles in Microsoft Dynamics CRM


During the Microsoft Dynamics CRM Server Setup process, each default security
role is automatically created and assigned to the root business unit. See Figure
2.15 to view the list of default roles that are installed with Microsoft Dynamics
CRM 4.0.

FIGURE 2.15: SYSTEM ADMINISTRATOR ROLE

When a subsequent business unit is created within the organization, all the
security roles assigned to its parent business unit are copied to the new business
unit. This includes the default roles and any custom roles manually created at the
parent business unit.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-19


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

NOTE: As you create each new business unit, the roles are copied from the new
business unit's Parent. The parent is the root when creating business units one
level down from the root. If the created business unit is more than one level
down from the root, the roles are copied from its parent and not from the root.

Custom Security Roles and Child Business Units


Each security role you create must be assigned to a business unit. This lets you
create custom security roles that apply to one business unit and not another.

NOTE: When you create a security role for a business unit, the system
automatically creates the same role for all the child business units subordinate
to that business unit, regardless of how many subordinate business units there
may be.

This concept may be easier to visualize by looking at an organization chart and


walking through an example. This exercise uses the Adventure Works Cycle
organization chart in Figure 2.16.

FIGURE 2.16: DEFAULT ROLES IN MICROSOFT DYNAMICS CRM 4.0

2-20 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

In this example, assume you create a custom role titled Marketing Representative
and assign it to the Channel Marketing business unit. When you save the role, the
following occurs:

• The system automatically creates an identical copy of the Marketing


Representative role for all the Marketing business units’ child
business units.
• As illustrated in Figure 2.17, Microsoft Dynamics CRM adds the
Marketing Representative role to the National Marketing, Retail
Marketing, Bicycle Parts Marketing, and Bicycle Marketing business
units.

For a custom role to be assigned to all business units, create it at the root business
unit. Because all other business units are subordinate to the root, the system
automatically creates the role at all business units in the organizational structure.

FIGURE 2.17: ADDING A ROLE TO A PARENT BUSINESS UNIT

Changing a Role

When you perform maintenance on a role, the changes are automatically applied
to the role at each child business unit. Using the graphic in Figure 2.17, assume
that after the Marketing Representative role was created the Director of
Marketing in the Channel Marketing business unit has requested that you change
the Account Delete privilege from User to Business Unit for the Marketing
Representative role.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-21


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

The change is automatically applied to all Marketing Representative roles that


were previously created for each of the four child business units in Figure 2.17.

In this manner, the privileges available in a specific role remain consistent


throughout the originating business unit's hierarchy.

Inherited Roles

When a user creates a custom role at a business unit, Microsoft Dynamics CRM
automatically copies the custom role to each of the business unit's child business
units. The new roles created at the child business units are referred to as
“inherited roles.” Those roles inherit the security rights of the custom role created
at the parent business unit.

EXAMPLE: In Figure 2.17, the Marketing Representative roles in the National


Marketing, Retail Marketing, Bicycle Parts Marketing, and Bicycle Marketing
business units are “inherited roles” because they were automatically created
from a similar role at the Marketing business unit.

The following rules control how inherited rules can be maintained in Microsoft
Dynamics CRM 4.0:

• Inherited roles cannot be modified or deleted.


• To change an inherited role, you must modify the parent role from
which the inherited role originated. All inherited roles associated
with the parent role are modified accordingly.
• To delete an inherited role, you must delete the parent role from
which the inherited role originated. All inherited roles associated
with the parent role are deleted.

Microsoft Dynamics CRM 4.0 requires that all maintenance to security roles is
performed at the parent role level.

2-22 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Parent role changes and deletions are automatically propagated down the
hierarchy and applied to the inherited role at each child business unit. This
ensures that all parent and inherited roles remain synchronized.

FIGURE 2.18: INHERITED ROLES

Reassigning Users and Its Impact on their Roles


Security roles are similar to user accounts in that each must be assigned to a
specific business unit. However, because security roles in different business units
can have the same name and possess different privileges, the following occurs to
a user's security roles when the user is reassigned from one business unit to
another:

• When a user is reassigned to a new business unit, no security roles


are assigned to the user's account in the new business unit.
• Microsoft Dynamics CRM cannot assume that the privileges in the
same role(s) in the new business unit match those from the security
role(s) in the old business unit.
• New roles must be manually assigned to the user in his or her new
business unit.

EXAMPLE: Mary Baker is reassigned from Adventure Works’ Central Region


business unit to the Retail Marketing business unit. At the Central Region, Mary
was assigned the Marketing Professional role. Although a similarly named role
exists in Retail Marketing, Microsoft Dynamics CRM does not automatically
assign Mary a security role when she is reassigned to the Retail Marketing
business unit. The System Administrator must review Mary's requirements for
this role in comparison to her current access rights when she attended the
Central Region business unit.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-23


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Creating and Copying New Roles


Two options are available if the default roles, or custom roles, do not meet your
organization's security requirements for a given job function.

• An existing role can be modified


• A new role can be created

BEST PRACTICE: If any one of the default roles do not fit your organization's
security needs, copy the role to a new role, modify the new role as required, and
leave the default role unchanged. This permits the default security roles to act
as templates and ensures a consistent set of security privileges across all
business units.

The focus of this lesson is on ways in which you can create a new role. You can
do so in one of two ways:

• Copy an existing role as a new role.


• Create a new role, in which case none of the access levels are set for
any one of the privilege and record types.

Note on Business Units


To successfully copy and create new roles, you can consider several issues
regarding business units and security roles.

• When you create a new role, you must select the business unit to
which the role will be assigned when entering role information in the
New Role form.
• If you create a new role by copying an existing role, the business unit
associated with the role being copied is the same business unit to
which the new role will be assigned.

FIGURE 2.19: COPYING ROLES WITHIN A BUSINESS UNIT

2-24 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Business Units and Copied Roles

When you create a new role by copying an existing one, you cannot copy a role
from one business unit to another. You must display the roles for the target
business unit, and from that list, select the role you want copied. The new role
you create is assigned to that same target business unit.

Procedure: Create a New Role by Copying an Existing


Role
Use the following procedure to create a new security role by copying an existing
role:

1. In the Navigation Pane, click Settings.


2. In the Administration sub-area, click Security Roles.
3. Select the security role you want to copy.
4. On the Actions toolbar, click More Actions, and then Copy Role.
5. In the Copy Role dialog box, in the New Role Name field, type the
name for the new role. You can enter only alphanumeric characters;
no symbols are allowed.
6. If you want to change the privileges for the new security role, select
the Open role when copying is complete check box.
7. Click OK.

NOTE: If you select the Open a new security role when copying is complete
check box, the system creates the new role from the existing role and then opens
the new role so that it can be edited. After you make the required edits to the new
role, click Save or Save and Close.

Procedure: Create a New Role


Use the following procedure to create a new security role:

1. In the Navigation Pane, click Settings.


2. In the Administration sub-area, click Security Roles.
3. On the Actions toolbar, click New.
4. On the Details tab, type the name of the role. Business unit is
automatically populated with the business unit selected on the
Security role page.
5. The following tabs contain access levels associated with each entity
for each privilege.
o Core Records
o Marketing
o Sales
o Service

Microsoft Official Training Materials for Microsoft Dynamics ® 2-25


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

o Business Management
o Service Management
o Customization
o Custom Entities

After creating the security role, you can edit any one of the entities.

6. Click None Selected in each row of the table to change the privilege
depth. With each click, the symbol cycles through the applicable
symbols for that record and access level. Depending on the record
and access level, you can advance one or more levels.

For example, for Account, Contact, or Lead, you can set User,
Business Unit, or Organization levels. However, for Relationship
Role, you can only set it at the Organization level. One or more of
the following privileges might be available for a specific entity:
o User
o Business Unit
o Parent: Child Business Units
o Organization

7. Click Save or Save and Close.

A Simpler Way to Create a New Role

You do not have to click through the access levels for each of the 300 privileges
when creating a new role. When you create a new role, all the access levels are
set to None by default. To speed up the process of assigning access levels, you
can do one of the following:

• Click the column (privilege) header


• Click the row (entity) header

In either case, Microsoft Dynamics CRM automatically pre-fills appropriate


access level combinations for that privilege or entity. Continuing to click the
same header means that various combinations of access levels are displayed,
starting with the most restrictive through the least restrictive combinations. This
allows you to quickly set all the access levels for a specific privilege or entity at
the same time.

After finding a set of access levels combinations that are generally acceptable to
your organization, you can change any individual exceptions to meet your
requirements. This process is faster than clicking through the combinations of
access levels for each privilege and entity.

2-26 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Using the Privilege Shortcut

Figure 2.20 and Figure 2.21 display a sequence of screens to create a new role
using the privilege shortcut. This example clicks a specific privilege and cycles
through the various combinations of access levels for that privilege and each
entity in that tab.

As shown in Figure 2.20, all access levels are set to None when the role is
created.

FIGURE 2.20: NEW ROLE WITH NO ACCESS LEVELS


ALL ACCESS LEVELS ARE SET TO NONE FOR A NEW ROLE.

Next, click the Create column heading. In Figure 2.21, the screen displays a
combination of access levels for this privilege and each entity in this tab.

When you continue to click the Create column heading, the combinations of
access levels change from the most restrictive (User access) to the least
restrictive (Organization access).

FIGURE 2.21: PREDEFINED ACCESS LEVELS PER PRIVILEGE


KEEP CLICKING THE CREATE COLUMN HEADING TO SEE EACH GROUP
OF DEFAULT ACCESS LEVELS FOR THIS PRIVILEGE.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-27


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Using the Entity Shortcut


You can let the system automatically pre-fill the access levels for a specific
entity.

Clicking the entity displays a set of default access levels for each privilege on
that tab. A different set of access levels appears each time you click the privilege.
The system displays combinations of the most restrictive access levels through
the least restrictive.

In another example, Figure 2.22 displays a new role where access levels are set to
None when the role is created.

FIGURE 2.22: NEW ROLE WITH NO ACCESS LEVELS AGAIN, ACCESS


LEVELS ARE SET TO NONE FOR A NEW ROLE.

After you click the List entity in Figure 2.23, note the change to the access levels
for each privilege on the tab. If you continue to click the List entity, note that the
combinations of access levels change from the most restrictive (User access) to
the least restrictive (Organization access).

FIGURE 2.23: PREDEFINED ACCESS LEVELS PER ENTITY


KEEP CLICKING THE ENTITY NAME TO SEE EACH DEFAULT SET OF
ACCESS LEVELS FOR THAT ENTITY.

2-28 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Demonstration: Creating and Copying Security Roles


As an aid to managing security, Microsoft Dynamics CRM provides default
security roles. Default security roles are represented by a position title, such as
Sales Manager or Customer Service Representative. Assigned to each role are
privileges typically required by people serving in that position.

Besides default roles, you can also create custom security roles for your
organization, create a new role, or copy an existing default or custom role. When
you create a new role, you must assign it to a specific business unit. All child
business units of the business unit in which you create the new security role are
assigned the new security role. As new roles are propagated down the
organizational hierarchy, so are changes and deletions made to security roles.

Demonstration: Create a New Role


Start by creating a new role called Program Manager in Adventure Work's
Marketing business unit. Set up a few of the privileges and entities for the new
role.

1. Navigate to the Security Roles page.


a. On the Home page, click the Settings side tab.
b. In the Administration sub-area, click Security Roles.

2. On the Actions toolbar, click New.


3. In the role form, on the Details tab, type Program Manager in the
Role Name field. In the Business Unit drop-down list, click
Marketing.
4. Using the Privilege shortcut. Define a set of access levels using the
Privileges shortcut. In the Core Records tab, click the Read
privilege. Note the change to the access levels for each entity. This
sets almost every access level to User access. Click the Read
heading again until the access levels are set to Business Unit.
5. Individual access level changes. Change individual access levels
that are exceptions to this Business Unit access level. Click the
access levels for the Read privilege and the Account, Contact,
Lead, and Opportunity entities and change them to Organization.
Clicking each access level two more times changes it to
Organization.
6. Using the Entity shortcut. Navigate to the Sales tab and click the
Quote entity until all privileges are set to Organization.
Click on the Competitor entity. Notice how all the access levels
change from None to Organization with one click. If you click on the
Competitor entity again, it cycles back to None. This is an example
of an entity that has limited access levels for each privilege.
7. Save the changes by clicking Save and Close.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-29


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Demonstration: Copy a Role


Even when you use the privilege and entity shortcuts, creating a role can be a
lengthy process. There is another approach to creating a new role, which
includes: 1) copying an existing role over as a new role; and then 2) changing the
access levels in the new role that differ from the existing role.

1. To copy a role, first change the Security Roles view to display the
roles in the business unit associated with the role you are copying.
This is also the business unit to which the new role will be assigned.
Click NationalChannelMarketing from the Business Unit drop-
down list.

Since NationalChannelMarketing is a child business unit of


ChannelMarketing, notice how the Program Manager role created in
the prior exercise for the Marketing business unit has also been
automatically created at this child business unit.

2. On the Actions bar, click Copy Role.


3. In the Copy Role dialog box, click Marketing Manager from the
Role to copy drop-down list.
4. In the New Role Name field, type Product Group Manager.
5. To change privileges for the new security role, select the Open role
when copying is complete check box. Click OK.
6. Click the Core Records tab. Product Group Managers want to delete
any one of the core records, regardless of the owner. Additionally,
the Product Group Manager wants to assign any Account or Contact
record in the organization.
a. The quickest way to change the Delete privilege for all core
entities is to click the Delete privilege column heading once
(using the Privilege shortcut). Notice all the access levels change
to User. Continue to click until it cycles through the different
combinations and all entities (except User Query) are set to
Organization.
b. Next, click the individual access levels for the Assign Account
privilege and set it to Organization. Repeat for the Assign
Contact privilege.

7. Click Save and Close.

2-30 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Demonstration: Create a New Business Unit and Verify


the Roles
The prior exercise demonstrates how the Program Manager role created for the
Marketing business unit was automatically copied down to the National
Marketing business unit, which is a child of the Marketing business unit. This
exercise verifies that all the roles of a parent business unit-which include both
default roles and the two custom roles that were just created-are copied down to
child business units whenever a new child business unit is created.

1. Click the Administration sub-area, then click Security Roles.


2. Click Business Units.
3. On the Actions bar, click New Business Unit.
4. In the business unit form, type OEM Marketing in the Name field.
Click NationalMarketing in the Parent Business drop-down list.
5. Click Save and Close.
6. Click the Business Unit Settings hyperlink in the Location trail.
7. Click Security Roles.
8. Click OEM Marketing from the Business Unit drop-down list.
9. The Program Manager and Product Group Manager roles appear in
the list with the other default roles copied down from the National
Marketing parent business unit.

Open these two roles and verify the settings made earlier.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-31


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Lab 2.1 - Copying and Creating Roles


In this Lab, you will copy and create security roles in Microsoft Dynamics CRM.
Use the information in the Scenario and Goal Description in the instructions.

Scenario

Adventure Works Cycle is implementing Microsoft Dynamics CRM. As


Technical Consultant, you will configure the system to meet their specific needs.
During the needs analysis, the organizational chart was reviewed and analyzed,
and the appropriate business units have been created in Microsoft Dynamics
CRM. The next task is to make sure that all users have the appropriate
permissions to the data.

Goal Description
The testing phase uncovers that Gail Erickson requires different permissions than
what the Sales Manager role provides. Because the recommended best practice is
to refrain from modifying the default roles, it is decided that you will copy the
Marketing Professional role in the Adventure Works Cycle business unit as a
new Marketing Representative role, and then customize the new role to meet
Gail's requirements.

The Testing department also discovers that Roger Van Houten can provide better
support for OEM customers if a unique OEM Support role is created in the
Customer Support business unit and tailored to meet the needs of this market.

You have been asked by the Project Team to create the two new roles.

Copy the Marketing Professional Role as a New Role

Copy the Marketing Professional role in the Adventure Works Cycle business
unit as a new Marketing Representative role. In the Marketing Representative
role, modify the following access levels:

• In the Sales tab, change the Write, Delete, and Share privileges from
Business Unit access to User access for the Quote entity.
• In the Marketing tab, change all the privileges for the Marketing List
and Campaign entities to Organization access. Use the entity shortcut
method to expedite this change.

2-32 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Create a New OEM Support Role

Add a new role titled OEM Support to the Customer Support business unit.
Assign the following access levels and privileges to this role (for the purposes of
the exercise, ignore the other entities in these two tabs).

Entity Create Read Write Delete Append Append Assign Share


To
Core
Records
tab
Account O N N N N N O N
Contact O N N N N N O N
Lead O N O N O O O N
Opportunity O N O N O O O N
Service tab

Case O N N N N N N N
Contract O N N N O O N N
TABLE 2-3: OEM SUPPORT PRIVILEGES

U = User Level

BU = Business Unit Level

P:C = Parent:Child Level

O = Organization Level

N = None

Challenge Yourself!

1. Create the Marketing Representative role in the Adventure Works


Cycle business unit with the privileges defined in the Goal
Description.
2. Assign the Marketing Representative role to Gail Erickson's user
account. Remove all other roles from Gail's account.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-33


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

3. Create a new OEM Support role in the Customer Support business


unit and assign the access levels as defined in Table 2-3 in the Goal
Description. Use the shortcut methods to expedite the data entry
process where appropriate.
4. Assign the OEM Support role to Roger Van Houten.

Need a Little Help?


Step 1 - Copy the Marketing Professional Role

1. Ensure that you are logged in as CRM Administrator on the


ReadyServer virtual machine. If necessary, open Microsoft
Dynamics CRM by launching Internet Explorer.
2. Navigate to the Administration sub-area of the Settings area and
then click Security Roles.
3. Copy the existing Marketing Professional role as a new Marketing
Representative role and update the privileges according to the
instructions in the Goal Description.
4. Assign the Marketing Representative role to Gail Erickson's user
account. Remove any other roles assigned to her.

Step 2 - Create a New Role

1. Create a new role titled OEM Support in the CustomerSupport


business unit.
2. Assign to this role the access levels defined in Table 2-3 in the Goal
Description.
a. For the privileges and entities listed in the Core Records tab,
use the Privilege Shortcut method to quickly assign each
combination of access levels for each privilege and make any
necessary changes to the default settings on an exception basis.
b. For the Service tab, use the Entity shortcut method to quickly
assign the majority of access levels for each entity and make any
changes on an exception basis.

3. Assign this role to Roger Van Houten.

Step by Step
Step 1 - Copy the Marketing Professional Role

1. Ensure that you are logged in as CRM Administrator on the


ReadyServer virtual machine. If necessary, open Microsoft
Dynamics CRM by launching Internet Explorer.
2. Navigate to the Administration sub-area of the Settings area.
3. Click Security Roles.
4. Click the Marketing Professional role to highlight it.

2-34 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

5. Click More Actions on the Action toolbar. Click Copy Role.


6. In the Copy Security Role dialog box, type Marketing Representative
in the New Role Name field. Leave the check box marked to open
the role when copying is complete. Click OK.
7. When the Marketing Representative role is opened, change the
access levels as follows:
o In the Sales tab, change the Write privilege from Business Unit
access to User access, and change the Share privilege from
Organization access to User access for the Quote entity.
o In the Marketing tab, change all the privileges for the Marketing
List and Campaign entities to Organization access. Use the entity
shortcut method to expedite this change.

8. When complete, click Save and Close.


9. Click the Administration navigation element to return to the
Administration sub-area.
10. Click Users.
11. Click the Gail Erickson user to highlight it.
12. Click the More Actions button on the view toolbar.
13. Select Manage Roles... from the More Actions menu.
14. Select the Marketing Representative role, and then clear the Sales
Manger role. Click OK.
15. Click Save and Close.

Step 2 - Create a New Role

1. Click the Administration navigation element to return to the


Administration sub-area.
2. Click Security Roles.
3. Click the New button on the view toolbar.

Microsoft Official Training Materials for Microsoft Dynamics ® 2-35


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

4. Enter OEM Support as the name of the role and select


CustomerSupport as the business unit to which it is assigned.
5. Assign to this role the access levels defined in the following table.

Entity Create Read Write Delete Append Append Assign Share


To
Core
Records
tab
Account O N N N N N O N
Contact O N N N N N O N
Lead O N O N O O O N
Opportunity O N O N O O O N
Service tab

Case O N N N N N N N
Contract O N N N O O N N
TABLE 1 - OEM SUPPORT PRIVILEGES

U = User Level

BU = Business Unit Level

P:C = Parent:Child Level

O = Organization Level

N = None

6. Click Save and Close.


7. Click the Administration navigation element to return to the
Administration sub-area.
8. Click Users.
9. Click on the Roger Van Houten user to highlight it.
10. Select Manage Roles... from the More Actions menu on the view
toolbar.
11. Click the OEM Support role and then click OK.
12. Click Save and Close.

2-36 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Best Practices
There are several best practices to consider when you configure an organization's
Microsoft Dynamics CRM security model.

1. Understand existing data security strategies before


implementing. You must understand whether or not existing
organizational structures must map directly to the business unit
structure and security in the deployment of Microsoft Dynamics
CRM.

In some cases, established data management strategies can be used to


control data integrity and job function privileges. Sometimes you will be
required to help formalize these strategies. As you plan the
organizational model that you will deploy with Microsoft Dynamics
CRM, you must determine if:

o Existing data security strategies are the best fit for your CRM
deployment, considering both short and long term priorities.
o Changes to strategy must be implemented given the new tools
being implemented.

2. Understand if existing job functions must map directly to


security roles. By having a better understanding of the
responsibilities each person has within the company, you can clearly
define what data they must access and if security roles must map
directly to job functions. People who perform the same job function
must have a standard role and privileges. This results in:
o Simpler deployment of the application
o Standardized training for the users by job function
o More efficient change management

3. Compare standard security roles with existing job functions. If


different job functions require different security privileges, a role
must be established for each job function. Map the default roles
within Microsoft Dynamics CRM to the organization's job functions.
Document any job function that cannot be mapped, and create a new
role to reflect its requirements. Consider the following during the
planning process:
o If an existing role in the system provides sufficient privileges for
the user's job functions
o If the role provides too many privileges based on the user's job
functions
o If there are unique job functions that require creating or
modifying an existing role

Microsoft Official Training Materials for Microsoft Dynamics ® 2-37


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

4. Create tiered security roles if several job functions require the


same security privileges and access levels. In some deployments
where there are non-traditional job functions or a large number of
different job functions, creating a separate security role for each job
function can result in unacceptable redundancies. These
redundancies slow the deployment process and create inefficiencies
when you make changes to security. To implement tiered security:
o Create a base security role that is assigned to all users. This role
must contain the most restrictive privileges and access levels, but
must include all privileges needed by all users. This role is
assigned to every new user.
o Additional security roles can be created to add specific privileges
to specific users. Where appropriate, you can add a logical set of
privileges in each additional role. For example, when you create
a custom entity, you might add only the Read privilege for the
new entity to the base role and give full access to the new entity
in the additional security role. Assign the new security role to
those users who will be managing the data in the new entity.

Summary
This course reviewed the core concepts that are part of Microsoft Dynamics
CRM security: privileges, access levels, and roles. It also examined the
procedures required to create new roles and to create new roles by copying and
modifying existing roles. Lastly, it discussed the characteristics associated with
maintaining access levels for roles that have been inherited from parent business
units.

2-38 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Test Your Knowledge


1. What is the primary purpose of the default security roles?

2. What is the most basic security unit that is used as the core of security
checks?

3. How are privileges granted to users in the Microsoft Dynamics CRM


system?

Microsoft Official Training Materials for Microsoft Dynamics ® 2-39


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

4. If a sales representative, Joe, has User Delete access for Leads, then what
Leads can he delete?

5. A user is assigned two security roles. One provides User Account Delete
access, and the second provides Parent:Child Business Units Account Delete
access. What access right will this user have to delete accounts?

6. True or False: If a user is assigned multiple Roles, the Privileges are the
union of all the privileges assigned to all of the user's Roles.
( ) True
( ) False

2-40 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

7. List several of the key features of the Microsoft Dynamics CRM security
model.

8. Fill in the blank. When a custom role is created at a business unit and
automatically copied to each of its child business units, the new roles created
at the child business units are referred to as ___________ roles.

9. Which of the following are valid rules for the maintenance of inherited roles?
(Select all that apply.)
( ) Inherited roles cannot be modified or deleted.
( ) To change an inherited role, you must modify the parent role from which
the inherited role originated
( ) If you add a role and a role with the same name exists at the parent
business unit, the role that you create inherits all of the privileges
associated with the same role
( ) All of the above.

10. True or False. When you create a new role by copying an existing role, you
can copy any security role from any business unit in your Microsoft
Dynamics CRM deployment.
( ) True
( ) False

Microsoft Official Training Materials for Microsoft Dynamics ® 2-41


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

Quick Interaction: Lessons Learned


Take a moment and write down three key points you have learned from this
chapter:

1.

2.

3.

2-42 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

Solutions
Test Your Knowledge
1. What is the primary purpose of the default security roles?

MODEL ANSWER - Default security roles allow you to quickly deploy

Microsoft Dynamics CRM by assigning each user one or more default roles

that map to their job functions.

2. What is the most basic security unit that is used as the core of security
checks?

MODEL ANSWER - Privileges are the most basic security unit in Microsoft

Dynamics CRM, defining what actions a user can perform on each entity in

the system.

3. How are privileges granted to users in the Microsoft Dynamics CRM


system?

MODEL ANSWER - Privileges are granted through roles.

4. If a sales representative, Joe, has User Delete access for Leads, then what
Leads can he delete?

MODEL ANSWER - Joe can delete Leads: That he owns Owned by

someone else that have been shared with him Shared with teams in which Joe

is a member

Microsoft Official Training Materials for Microsoft Dynamics ® 2-43


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

5. A user is assigned two security roles. One provides User Account Delete
access, and the second provides Parent:Child Business Units Account Delete
access. What access right will this user have to delete accounts?

MODEL ANSWER - The user will have Parent:Child Account Delete

privileges. This is the least restrictive of the two conflicting Account Delete

access levels provided by his or her security roles.

6. True or False: If a user is assigned multiple Roles, the Privileges are the
union of all the privileges assigned to all of the user's Roles.
( ) True
(•) False

7. List several of the key features of the Microsoft Dynamics CRM security
model.

MODEL ANSWER - The following are just a few of the key features: –

Preventing users from accessing entities that have not been shared with them.

– Allowing shared access to entities among multiple users and teams. –

Defining roles and restricting access based on those roles.

8. Fill in the blank. When a custom role is created at a business unit and
automatically copied to each of its child business units, the new roles created
at the child business units are referred to as ___________ roles.

MODEL ANSWER - inherited

9. Which of the following are valid rules for the maintenance of inherited roles?
(Select all that apply.)
(√) Inherited roles cannot be modified or deleted.
(√) To change an inherited role, you must modify the parent role from which
the inherited role originated
( ) If you add a role and a role with the same name exists at the parent
business unit, the role that you create inherits all of the privileges
associated with the same role
( ) All of the above.

2-44 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement
Chapter 2: Configuring Security

10. True or False. When you create a new role by copying an existing role, you
can copy any security role from any business unit in your Microsoft
Dynamics CRM deployment.
( ) True
(•) False

Microsoft Official Training Materials for Microsoft Dynamics ® 2-45


Your use of this content is subject to your current services agreement
Administration in Microsoft Dynamics® CRM 4.0

2-46 Microsoft Official Training Materials for Microsoft Dynamics ®


Your use of this content is subject to your current services agreement

Você também pode gostar