Dynamics CRM 2011 Security Roles Best Practices

Security roles in Microsoft Dynamics CRM 2011 look deceptively simple: click a few bubbles and you're done. In truth they become very difficult to manage if they are not set up and maintained properly. Here are some best practices to keep in mind.

  • Never use the out-of-box security roles directly; always clone them and assign the clones.
  • Business Units are a data security boundary, not a business hierarchy.
  • Security roles are roles, not job titles.
  • Limit sharing to a minimum. If you must share, share to teams.
  • Do not let anyone work day-to-day under the System Administrator or System Customizer roles. IT staff and admins should log in with dedicated accounts to make changes, for example a "CRM Admin" account that holds System Administrator.
  • Keep the number of security roles as minimal as is practical.
  • Use meaningful role names.

The SQL below lists, for every custom (cloned) role, each entity it touches together with the access right granted and the depth (User, Business Unit, Parent: Child Business Unit, Organisation) at which it is granted. The roletemplateid IS NULL filter leaves out the out-of-box roles.

-- One row per role / entity / access right / depth for all non-template (cloned) roles.
SELECT DISTINCT
    FilteredRole.name,
    EntityView.PhysicalName AS [Entity Name],
    -- Privilege.AccessRight is a bit flag; decode the CRM 2011 AccessRights values
    CASE Privilege.AccessRight
        WHEN 1      THEN 'READ'
        WHEN 2      THEN 'WRITE'
        WHEN 4      THEN 'APPEND'
        WHEN 16     THEN 'APPENDTO'
        WHEN 32     THEN 'CREATE'
        WHEN 65536  THEN 'DELETE'
        WHEN 262144 THEN 'SHARE'
        WHEN 524288 THEN 'ASSIGN'
    END AS [Access Level],
    -- PrivilegeDepthMask is the "bubble" level chosen in the role editor
    CASE RolePrivileges.PrivilegeDepthMask
        WHEN 1 THEN 'User'
        WHEN 2 THEN 'Business Unit'
        WHEN 4 THEN 'Parent: Child Business Unit'
        WHEN 8 THEN 'Organisation'
    END AS [Security Level]
FROM RolePrivileges
    INNER JOIN FilteredRole
        ON RolePrivileges.RoleId = FilteredRole.roleid
    INNER JOIN PrivilegeObjectTypeCodes
        ON RolePrivileges.PrivilegeId = PrivilegeObjectTypeCodes.PrivilegeId
    INNER JOIN Privilege
        ON RolePrivileges.PrivilegeId = Privilege.PrivilegeId
    INNER JOIN EntityView
        ON EntityView.ObjectTypeCode = PrivilegeObjectTypeCodes.ObjectTypeCode
-- out-of-box roles carry a template id; cloned roles do not
WHERE FilteredRole.roletemplateid IS NULL
ORDER BY FilteredRole.name, [Entity Name]
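Two follow-up audit queries, added here as examples and not part of the original post, check the practices above against the same CRM 2011 database: the first lists enabled users who directly hold an out-of-box role (the clone-don't-use rule) and flags System Administrator or System Customizer holders whose login does not look like a dedicated admin account; the second summarises direct sharing per entity and whether each share went to a user or a team. Assumptions: SystemUserRoles, Role, FilteredSystemUser and PrincipalObjectAccess are the standard CRM 2011 table and view names, and the '%admin%' pattern stands in for whatever naming convention the organisation uses for admin logins.

```sql
-- Audit 1: enabled users who directly hold an out-of-box (template) role.
-- Out-of-box roles carry a RoleTemplateId; cloned roles have NULL, the same
-- test the listing query above uses. Assumption: dedicated admin logins contain
-- 'admin' in their domain name; adjust the pattern to the convention in use.
SELECT
    u.fullname,
    u.domainname,
    r.Name AS [Role Name],
    CASE WHEN r.Name IN ('System Administrator', 'System Customizer')
              AND u.domainname NOT LIKE '%admin%'
         THEN 'Daily-use account holding an admin role'
         ELSE 'Out-of-box role assigned directly'
    END AS Finding
FROM SystemUserRoles sur
    INNER JOIN Role r
        ON sur.RoleId = r.RoleId
    INNER JOIN FilteredSystemUser u
        ON sur.SystemUserId = u.systemuserid
WHERE r.RoleTemplateId IS NOT NULL
  AND u.isdisabled = 0
ORDER BY Finding, u.fullname;

-- Audit 2: how much direct sharing exists, and is it to users or teams?
-- PrincipalObjectAccess holds every share; PrincipalTypeCode 8 = user, 9 = team.
-- Rows whose AccessRightsMask is 0 only carry inherited rights, so they are
-- excluded to count explicit shares only.
SELECT
    e.PhysicalName AS [Entity Name],
    CASE poa.PrincipalTypeCode
        WHEN 8 THEN 'User'
        WHEN 9 THEN 'Team'
    END AS [Shared To],
    COUNT(*) AS [Share Count]
FROM PrincipalObjectAccess poa
    INNER JOIN EntityView e
        ON e.ObjectTypeCode = poa.ObjectTypeCode
WHERE poa.AccessRightsMask > 0
GROUP BY e.PhysicalName, poa.PrincipalTypeCode
ORDER BY [Share Count] DESC;
```

A large user-share count on an entity is the signal to replace those shares with a team share or a role change.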