Dynamics CRM 2011 Security Features
Many of our clients have complex business requirements associated with the securtiy of their CRM application. The Madrona team employed a mix of CRM configuration and custom code in earlier CRM versions to meet the business requirements, but the tool supports many more items natively with the release of Dynamics CRM 2011. This is an overview of the security changes and provides some interesting details to consider while configuring CRM 2011.
CRM 4.0 and CRM 2011 Security Features
.jpg)
Business Units
There were not any changes to business units in CRM 2011, the same functionality that existed in CRM 4.0 exists in CRM 2011.
Security Roles
The same Secutiry Role options (Organization level, Parent / Child level, Business Unit level, Individual level) exist in CRM 2011, however, now there are many more controls to dial in.
.jpg)
Teams
There are major changes associated with teams in CRM 2011. Teams are now just like individuals, teams can own records, teams can have queues, etc. Security Roles can be assigned to a team and / or at the user level. As always, security roles are additive - the user will inherent the more permissive permissions if there is a difference between the security roles.
Important detail on Default Teams and Custom Teams: Every time a Business Unit is created a "Default" team with the same name of the Business Unit is created. Teams are associated with a single Business Unit, when users are added/removed to / from business units, Team Members are automatically updated in the business unit's "default team". "Default Teams" cannot be deleted or hidden. This is all fine if team members are always in the same business unit as the team. Default team membership cannot be edited through the Team UI. Additionally, if your team needs to have Team Members (users) from different business units, you have to create a custom team. Be sure to add the "IS DEFAULT" field in your team views and / or team form so you know exactly which team you are editing. This is especially helpful if your default team and custom team have the same name!
Note the "Is Default" field was added to this CRM 2011 team form to easily distinguish between the “default” team and custom team. Users (team members) can be added and removed from custom teams. The CRM system maintains the users in the default teams.
.jpg)
Multiple Forms
CRM deployments can now have different forms. For example, the sales users can have a different opportunity form layout than the finance users. Access to forms is controlled by the user (or team) security role. A form can be designated as a "fallback", or default, if a user doesn't have an explicit access to the form. The user will receive an "Access Denied" error when attempting to open a form that their security role doesn't allow.
CRM 2011 allows multiple forms compared to the single form for CRM 4.0. Each CRM 2011 form is maintained separately, meaning if a new field created, the field must be added separately to each form.
.jpg)
Field Security Profiles
The field security profile controls what the user can access on a specific form. For example, confidential information can now be totally hidden from certain users, or displayed with “dots”, like typing in a password. At this time, only custom fields can have an associated field security profile. Field security profiles for standard, or “out-of-the-box” data fields, are currently unsupported.
.jpg)
Fields
Again, only custom fields can be associated with field security profiles. When creating a new field, enable field security option.
.jpg)