Security roles in Microsoft Dynamics 365 are a matrix of privileges and access levels for the various entities. They are grouped under different tabs based on their functionality. These groups include: Core Records, Marketing, Sales, Service, Business Management, Service Management, Customization and Custom Entities.
Privileges are the basic security units that define what actions a user can perform in the CRM system. Privileges cannot be added or deleted, only modified. The common privileges in Microsoft Dynamics 365 for each entity are as follows:
- Create — Allows the user to add a new record
- Read — Allows the user to view a record
- Write — Allows the user to edit a record
- Delete — Allows the user to delete a record
- Append — Allows the user to attach other entities to, or associate other entities with a parent record
- Append to — Allows the user to attach other entities to, or associate other entities with the record
The bottom level lists miscellaneous privileges such as viewing audit history/summary, bulk delete, publish e-mail templates/reports/articles and so on.
Levels of Access
The access level is indicated by the degree of fill and the color of the small circle shown against each entity for each privilege. The level determines which records of an entity the user can exercise a given privilege on. The five levels of access are as follows:
- None — No privileges given
- User — Privileges to the records owned by the user or shared with the user. Also includes the privileges owned by the team to which the user belongs.
- Business Unit — Privileges for all records owned in the business unit to which the user belongs
- Parent: Child Business Unit — Privileges for all records owned in the business unit to which the user belongs and to all the child business units subordinate to that business unit
- Organization — Privileges for all records in the organization regardless of who owns them
The access level of all the privileges for a particular entity can be changed in one go by clicking on the row header. Similarly, the access level of a privilege across all entities can be changed in bulk by clicking on the column header.
A security role has a set of privileges and access levels associated with it. There are some pre-defined security roles that can be used.
System Administrator is the highest-level role; it encompasses all the privileges and has overriding rights. The System Administrator has the authority to grant and remove access for other users and to define the extent of their rights. For example, the System Administrator and the System Customizer are given access to custom entities by default, while all other users need to be given access. This is the only role that cannot be edited.
The System Customizer role is similar to the System Administrator role; it enables non-system administrators to customize Dynamics 365. A Customizer is a user who customizes entities, attributes and relationships.
There are some other built-in organizational roles in CRM, such as CEO, Marketing Manager, Sales Manager and Salesperson, that can be assigned to a user.
How to Create a Security Role
Usually a base security role is assigned to each user. Additional privileges can be granted by adding a role with more privileges, since the higher authority prevails. If the default security roles do not meet the organization's security needs, new roles can be created in one of three ways:
- Modifying a default role
- Creating a new custom role from scratch
- Copying an existing role as a new role
To copy an existing role, navigate to Settings. Under the System list, click Security, then Security Roles.
- Select the Security Role that you want to copy.
- On the Actions toolbar, click More Actions. In the box that opens, click Copy Role.
- A dialog box opens. In the New Role Name field type the name of the new role.
- If you want to change the privileges for the new Security Role, choose the ‘Open a new Security Role when copying is complete’ check box. Click OK.
Remember: Do not create a new security role from scratch. Copy an existing role and modify it. There are 580 pre-defined privileges, hence this is the better way of doing it and it also maintains consistency.
Also note that a role cannot be copied to another business unit.
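The access levels and the "higher authority prevails" rule described above can be checked with a small model before a role is assigned. The following Python sketch is an added example, not Dynamics 365 code or API: the business-unit names, role contents, users and records are constructed, and sharing and team ownership are simplified to set membership.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# The five access levels, ordered from lowest to highest.
Level = IntEnum("Level", "NONE USER BUSINESS_UNIT PARENT_CHILD ORGANIZATION", start=0)
# Constructed business-unit tree (child -> parent); names are hypothetical.
BU_PARENT = {"HQ": None, "EMEA": "HQ", "EMEA-Sales": "EMEA", "APAC": "HQ"}

@dataclass
class User:
    name: str
    business_unit: str
    roles: list  # each role maps (entity, privilege) -> Level
    teams: set = field(default_factory=set)

@dataclass
class Record:
    entity: str
    owner: str  # user or team name
    business_unit: str  # business unit that owns the record
    shared_with: set = field(default_factory=set)

def in_subtree(bu, root):
    """True if bu is root or one of its child business units."""
    while bu is not None and bu != root:
        bu = BU_PARENT[bu]
    return bu == root

def effective_level(user, entity, privilege):
    """Roles are cumulative: the highest level granted by any role prevails."""
    return max((r.get((entity, privilege), Level.NONE) for r in user.roles),
               default=Level.NONE)

def can(user, privilege, rec):
    level = effective_level(user, rec.entity, privilege)
    own = (rec.owner == user.name or rec.owner in user.teams
           or user.name in rec.shared_with)
    same_bu = rec.business_unit == user.business_unit
    subtree = in_subtree(rec.business_unit, user.business_unit)
    return (level >= Level.ORGANIZATION
            or (level >= Level.PARENT_CHILD and subtree)
            or (level >= Level.BUSINESS_UNIT and same_bu)
            or (level >= Level.USER and own))

# Constructed sample roles, user and record
SALESPERSON = {("account", "Read"): Level.BUSINESS_UNIT, ("account", "Write"): Level.USER}
REGIONAL_MANAGER = {("account", "Write"): Level.PARENT_CHILD}
alice = User("alice", "EMEA", [SALESPERSON])
bobs_account = Record("account", "bob", "EMEA-Sales")
```

With only the Salesperson role, `can(alice, "Write", bobs_account)` is false; adding the second role raises her Write level to Parent: Child Business Unit and the same call returns true, which is the effect to review whenever an extra role is stacked on a base role.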