July 29th, 2015

Record Level Security in Microsoft Dynamics CRM


Record level security in Microsoft Dynamics CRM refers to a user’s permissions regarding a record in CRM.  The definitions below relate to permissions:

  • Entity – You can think of an entity as a database table.  An example would be contact or account.  Each “table” in Microsoft CRM is referred to as an entity.

  • Record – This is a single account, contact, activity, lead, opportunity, case or other entity record that you can open and work with.  For example, each individual contact in your database is considered a single record.

  • Privilege – A privilege refers to what you can do with a record.  The most common options are create, read (or view), write, delete, append, append to and share.

  • Access Level – This is applied to each privilege to indicate what degree of privilege you have.  There are a few options:

    • none

    • user

    • business unit

    • parent: child business unit

    • organization

  • Business Unit – This is a hierarchical structure to which users can be assigned.  A user can only belong to a single business unit in the hierarchy.  There is always a root business unit at the top of the hierarchy with the same name as your database.

  • Record Owner – Most records have an “owner” field.  The owner field must be set to a Microsoft Dynamics CRM user or team.  This article only covers situations where the owner is a user.  Since each user can only belong to a single business unit, we can safely say that each record belongs to a single business unit.  An example would be for a contact.  A contact can only have a single user as the owner.  Since a user can only belong to a single business unit, we can say that a contact belongs to the same business unit to which the user belongs.

In Microsoft Dynamics CRM, permissions are set via security roles.  See below for an example.

A security role is made up of many rows similar to the above.  The entity in this example is activity.  There will be rows for many different entities including accounts, contacts, leads and opportunities.  The circles to the right indicate the user’s permission for records at that entity.  The degree to which the circle is filled in indicates the access level.

A full circle indicates organizational level access, meaning that a user can perform this action for any record in the database regardless of the owner of that record.  If you look at the example above, the read circle is completely filled in which means that a user who is assigned this security role can read every activity in the database regardless of the owner of that activity.

If the circle is empty, this indicates that the user has no access at all.  In our example above, if the read circle was completely empty, this would mean that the user could not view any activities in the database at all.

If the circle is quarter-filled, this indicates user-level access, meaning that the user can only perform this action on records where that user is the owner of the record.  In our example above, the write circle is quarter-filled, so a user with this security role can only write (or edit) an activity record where they are the owner of that activity.

If the circle is half-filled, this indicates business unit level access meaning that the user can only perform this action on records where that user, or any other user in the same business unit, is the owner of the record.  If the write circle is half-filled, this would mean that a user with that role could edit any activity where they, or any other user in the same business unit, are the owner.

If the circle is three-quarters-filled, this indicates parent: child business unit level access, which is similar to the business unit level access.  The difference between the two levels is that in addition to the ability to perform an action on your own records or the records of others in your business unit, you can also perform actions on any record where the owner is a user who is below you in the business unit hierarchy.  This level would be a great option for a manager who supervises many other departments.
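The access-level rules described above can be modeled as a small ownership check. This is an added example, not code from Microsoft Dynamics CRM or from this article; the business units, users and roles are constructed sample data, and it covers only user-owned records, as the article does.

```python
from enum import IntEnum

class AccessLevel(IntEnum):
    NONE = 0            # empty circle
    USER = 1            # quarter-filled
    BUSINESS_UNIT = 2   # half-filled
    PARENT_CHILD = 3    # three-quarters-filled
    ORGANIZATION = 4    # full circle

# Constructed sample data: business unit -> parent (the root has no parent).
BU_PARENT = {"Contoso": None, "Sales": "Contoso",
             "Sales-East": "Sales", "Support": "Contoso"}
# Constructed sample data: user -> the single business unit they belong to.
USER_BU = {"alice": "Sales", "bob": "Sales",
           "carol": "Sales-East", "dave": "Support"}

# Security roles: (entity, privilege) -> access level. REP mirrors the
# article's activity row (read = organization, write = user).
REP = {("activity", "read"): AccessLevel.ORGANIZATION,
       ("activity", "write"): AccessLevel.USER}
TEAM_LEAD = {("activity", "write"): AccessLevel.BUSINESS_UNIT}
MANAGER = {("activity", "write"): AccessLevel.PARENT_CHILD}

def is_below_or_same(bu, ancestor):
    """True if bu is ancestor itself or sits beneath it in the hierarchy."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def can_perform(user, role, entity, privilege, owner):
    """Decide whether user may apply privilege to a record owned by owner."""
    level = role.get((entity, privilege), AccessLevel.NONE)
    if level == AccessLevel.NONE:
        return False
    if level == AccessLevel.ORGANIZATION or owner == user:
        return True
    if level == AccessLevel.USER:
        return False
    user_bu, owner_bu = USER_BU[user], USER_BU[owner]
    if level == AccessLevel.BUSINESS_UNIT:
        return owner_bu == user_bu
    # PARENT_CHILD: own business unit plus every unit below it.
    return is_below_or_same(owner_bu, user_bu)
```

With the MANAGER role, alice (Sales) can edit carol's (Sales-East) activities but not dave's (Support), and carol cannot edit alice's, because the access extends only downward in the hierarchy.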

This article provides only a very high level overview of security in Microsoft Dynamics CRM, covering the most common area to manage security levels.  However, keep in mind that there are many other aspects to managing CRM security.  Setting the proper record-level security can be a difficult task, and making mistakes can cause headaches for your users.  We recommend that you rely on an experienced Microsoft Dynamics CRM professional to guide you in your security settings.  Contact TopLine Results for more information about CRM security, 800-880-1960.