Dynamics CRM 2011 Security Roles and Access Rights

Security roles are probably the most complex concept in the Dynamics CRM security model. Here are my notes on Security Roles and Access Rights in CRM. Hope this will help us to overcome some confusion

Roles

• In Microsoft Dynamics CRM 2011 the fundamental concept in role-based security is that a role contains privileges that define a set of actions that can be performed within the organization
• Each role is associated with a set of privileges that determines the user or team’s access to information within the company
• A user must be assigned to at least one role

Privileges

• These are the verbs in CRM: Create, Read, Write, Delete, Append, Append To, Share, Assign
• A privilege authorizes the user to perform a specific action on a specific entity type
• There are over 580 privileges that are predefined system-wide during setup
• We cannot add or remove privileges, or change how privileges are used to grant access to certain functionality
• For example, the Salesperson role could contain the privileges Read Account with User access and Write Account with User access, whereas the Sales Manager role might contain privileges like Read Account with Business Unit access and Assign Contact with User access

Access Levels

• The Access Level determines, for a given entity, at which levels within the organization hierarchy a user can access
• Organization This access level gives a user access to all records within the organization, regardless of the business unit hierarchical level
• Parent: Child Business Units This access level gives a user access to records in the user’s business unit and all business units subordinate to the user’s business unit
• Business Unit This access level gives a user access to records in the user’s business unit
• User This access level gives a user access to records he or she owns, objects that are shared with the user, and objects that are shared with a team of which the user is a member

Access right	Description
Read	Controls whether the user can read a record.
Write	Controls whether the user can update a record.
Assign	Controls whether the user can assign a record to another user.
Append	Controls whether the user can attach another record to the specified record.The Append and Append To access rights work in combination. Every time that a user attaches one record to another, the user must have both rights. For example, when you attach a note to a case, you must have the Append access right on the note and the Append To access right on the case for the operation to work.
Append To	Controls whether the user can append the record in question to another record.The Append and Append To access rights work in combination.
Share	Controls whether the user can share a record with another user or team. Sharing gives another user access to a record.
Delete	Controls whether the user can delete a record.

 Create Access

• The right to create a record for an entity type is not included in the previous table because this right does not apply to an individual record, but instead to a class of entities.
• Example When we are creating a record, we may need Append and Append To privileges on other entities which are used as part of record creation

Share.

• Any user who has share privileges on a given entity type can share records of that type with any other user or team.
  Access rights on a shared record can be different for each user with whom the record is shared. However, you cannot give a user any rights that he or she would not have for that type of entity, based on the role assigned to that user. For example, if a user does not have Read privileges on accounts and you share an account with that user, the user will be unable to see that account.
• A user might have access to the same record in more than one context. For example, a user might share a record directly with specific access rights, and he or she might also be on a team in which the same record is shared with different access rights. In this case, the access rights that this user has on the record are the union of all the rights.

Dependencies between Access Rights

Action	Access rights required
To Create a record as owner	CREATE, READ
To Share a record	SHARE. This right is required by the person doing the share operation.READ. This right is required by the person doing the share operation and also by the person with whom the record is being shared.
To Assign a record	ASSIGN, WRITE, READ
To Append To a record	READ, APPENDTO
To Append a record	READ, APPEND