Security roles in Microsoft Dynamics CRM 2011 are deceptively simple in CRM. Just click a few bubbles and you good. Truth is they can become very difficult to manage if not setup and maintained properly. Here are some best practices to keep in mind.
- Never use the Out-Of-Box Security roles, rather always clone them.
- Business Units are data security related and not a business hierarchy.
- Security Roles are roles not job titles.
- Limit sharing to a minimum. If you must share, share to teams.
- Do not let anyone function as system administrator or system customizer roles. IT and Admins should log in with special accounts to make changes. Example CRM Admin account (Which would have System Administrative access)
- Keep the number of security roles as minimal as is practical.
- Use meaningful roll names.
The SQL below will give you a listing of each entity and role interaction and setting.
SELECT DISTINCT FilteredRole.name, EntityView.PhysicalName AS [Entity Name], CASE Privilege.AccessRight WHEN 1 THEN 'READ' WHEN 2 THEN 'WRITE' WHEN 4 THEN 'APPEND' WHEN 16 THEN 'APPENDTO' WHEN 32 THEN 'CREATE' WHEN 65536 THEN 'DELETE' WHEN 262144 THEN 'SHARE' WHEN 524288 THEN 'ASSIGN' END AS [Access Level], CASE PrivilegeDepthMask WHEN 1 THEN 'User' WHEN 2 THEN 'Business Unit' WHEN 4 THEN 'Parent: Child Business Unit' WHEN 8 THEN 'Organisation' END AS [Security Level] FROM RolePrivileges INNER JOIN FilteredRole ON RolePrivileges.RoleId = FilteredRole.roleid INNER JOIN PrivilegeObjectTypeCodes ON RolePrivileges.PrivilegeId = PrivilegeObjectTypeCodes.PrivilegeId INNER JOIN Privilege ON RolePrivileges.PrivilegeId = Privilege.PrivilegeId INNER JOIN EntityView ON EntityView.ObjectTypeCode = PrivilegeObjectTypeCodes.ObjectTypeCode WHERE (FilteredRole.roletemplateid IS NULL) ORDER BY FilteredRole.name, [Entity Name]