We have been working a lot with security roles recently. Earlier we had the issue with insufficient permissions and then a few days later we had a request to fix a new security role created by a power user.
Defining a Security Role has always been a daunting task. One needs to be very careful while selecting privileges for the Security Role creator.
Dynamics CRM ships with a few of the most commonly used Security Role Profiles, such as Salesperson, Sales Manager, etc. However, not all businesses revolve around these profiles or roles.
Most businesses have their own set of Roles, which tend to differ from the predefined Security Role Profiles.
For a start, the predefined Security Role Profiles can come in handy: your task is just to turn the privileges on or off for a few of the entities in, say, the Salesperson profile, and there you have the Security Profile that you are trying to create.
But there could be a scenario where you are trying to create a Security Role Profile that is completely different from any of the predefined Security Role Profiles. In this case, it might be better to start from scratch and add the privileges rather than pick one of the existing profiles and start modifying it.
Login Security Role
Create a Security Role, with bare minimum privileges. Sounds Good!
But what could be the bare minimum privileges for a user to at least log in to Dynamics CRM?
This blog post will drive you through it!
Let’s create a new Security Role by the name “Log-In”.
This Security Role would hold only those privileges that allow a user to log in to Dynamics CRM. To phrase it another way: without these privileges, you would receive the error “You do not have permission to access these records. Contact your Microsoft Dynamics 365 administrator.”
Now, the next step is to assign those Golden Privileges that grant you the Bare Minimum Privileges required to access Dynamics CRM.
Navigate to the Business Management Tab:
- Grant Read (Organization Level) Privilege for the Organization entity.
- Grant Read (Business Unit Level) Privilege for the User entity.
- Grant Read (Organization Level), Append (Organization Level), Append To (Organization Level) Privilege for the Currency entity.
This is it for the Business Management Tab.
Next, navigate to the Core Records Tab:
- Grant Create (Organization Level), Read (Organization Level), Append (Organization Level), Append To (Organization Level) Privilege for the Post Entity.
- Grant Create (User Level), Read (User Level) Privilege for the User Entity UI Settings.
Next, navigate to the Customization Tab:
Grant the Privileges as per the below screenshot.
This is it for the Log-In Role.
With the above role assigned, a user would be able to log in. But note that we have not yet provided the user with any privileges to the core records. You can now add the privileges for the operations this user is allowed to perform.
Ability to record leads and activities against leads.
You can create a new role, “Lead Access”, and provide the user level privileges for Read, Create, Write, Append, and Append To.
To allow the user to record activities against leads, user level privileges for the Activity entity need to be provided.
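The sketch below is an added example, not part of the original post or of any Dynamics tooling: it models the “Log-In” and “Lead Access” roles from the steps above as plain data, merges them the way Dynamics does (roles are cumulative, so the widest access level wins), and audits a role against that baseline. The function names and the drifted sample role are constructed for illustration, and the Customization tab privileges are left out because the page only shows them in a screenshot.

```python
# Access levels in increasing scope, as shown in the security role editor.
LEVELS = {"None": 0, "User": 1, "Business Unit": 2,
          "Parent: Child Business Units": 3, "Organization": 4}

def grants(entity, level, *privileges):
    """Build {(entity, privilege): level} entries for one entity."""
    return {(entity, p): level for p in privileges}

# Baseline from the Business Management and Core Records steps in the post.
LOGIN_ROLE = {
    **grants("Organization", "Organization", "Read"),
    **grants("User", "Business Unit", "Read"),
    **grants("Currency", "Organization", "Read", "Append", "Append To"),
    **grants("Post", "Organization", "Create", "Read", "Append", "Append To"),
    **grants("User Entity UI Settings", "User", "Create", "Read"),
}
LEAD_ACCESS_ROLE = grants("Lead", "User",
                          "Read", "Create", "Write", "Append", "Append To")

def effective(*roles):
    """Merge roles: per (entity, privilege), the widest level wins."""
    merged = {}
    for role in roles:
        for key, level in role.items():
            if LEVELS[level] > LEVELS[merged.get(key, "None")]:
                merged[key] = level
    return merged

def audit(actual, approved):
    """Return (missing, excess) grants relative to the approved baseline."""
    missing = sorted(k for k, lvl in approved.items()
                     if LEVELS[actual.get(k, "None")] < LEVELS[lvl])
    excess = sorted((k, lvl) for k, lvl in actual.items()
                    if LEVELS[lvl] > LEVELS[approved.get(k, "None")])
    return missing, excess

if __name__ == "__main__":
    approved = effective(LOGIN_ROLE, LEAD_ACCESS_ROLE)
    # Constructed sample: a role edited by a power user that widened Lead
    # Read, added Lead Delete and lost Read on Currency.
    drifted = dict(approved)
    drifted[("Lead", "Read")] = "Organization"
    drifted[("Lead", "Delete")] = "User"
    del drifted[("Currency", "Read")]
    missing, excess = audit(drifted, approved)
    print("missing (login or lead entry may break):", missing)
    print("excess (beyond the approved baseline):", excess)
```

Entries reported as missing explain a permission error after a role edit, while entries reported as excess show where a custom role has grown past what was approved.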
Dynamics CRM View
A user with the “Log-in” role and “Lead Access” Role would be able to log in to the web client and would see the following navigation options.
The user will be able to create a new lead and add an activity through the social pane.
Note: Using this role the user could perform the said operations on the web client. But depending on the use case at your end, you will have to tweak the privileges to match your specific needs.
It is always advisable to use the OOB security roles and start tweaking them to match your requirements rather than start from a blank role. Apart from the entity privileges, there are other special privileges embedded within a security role, and getting them wrong might hamper smooth functioning of the system and block the user from performing certain operations.