Microsoft Dynamics CRM 2011 and Microsoft Dynamics CRM Online - The Security Framework
Microsoft Dynamics CRM 2011 has a robust security framework. There are various ways I can restrict or allow users to access and use the CRM data.
In this blog I will provide an overview of the security framework available to us in Microsoft Dynamics CRM 2011. Later on I will write a separate detailed blog on each of the topics covered. The Dynamics CRM security framework includes a number of settings combining security roles, privileges, access levels, sharing record access rights, assigning record access rights and field level security profiles.
The security framework can be further enhanced through JScript web resources. In JScript you can further restrict someone's access. For example, you might disable a complete section in an entity form if a CRM user belongs to a particular security role. Sometimes it is easier to restrict access to fields this way rather than going through the overhead of creating a field level security profile. You cannot do it the other way round: if a person is not supposed to view records, you cannot script (JScript) in CRM to display those records for that user.
Custom SSRS Reports in Microsoft Dynamics CRM will automatically implement the security setup if filtered views or FetchXML are used.
I will now explain each of the above terms, with a screenshot for each.
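The form-script restriction described above, written as a CRM 2011 form OnLoad handler; this is an added example, not code from the original post. The role GUID and the section name "financials" are assumptions to be replaced with values from your own organisation.

```javascript
// Added example: JScript web resource registered on the form's OnLoad event.
// RESTRICTED_ROLE_ID and the section name "financials" are placeholders (assumptions).
var RESTRICTED_ROLE_ID = "00000000-0000-0000-0000-000000000001"; // constructed GUID

// Role ids may arrive with or without braces and in either case.
function normalizeGuid(id) {
  return String(id).replace(/[{}]/g, "").toLowerCase();
}

function userHasRole(page, roleId) {
  var roles = page.context.getUserRoles(); // array of security role GUID strings
  for (var i = 0; i < roles.length; i++) {
    if (normalizeGuid(roles[i]) === normalizeGuid(roleId)) return true;
  }
  return false;
}

// Disables every control in the named section; returns how many were disabled.
function disableSection(page, sectionName) {
  var count = 0;
  page.ui.controls.forEach(function (control) {
    var parent = control.getParent(); // the section that contains the control
    if (parent && parent.getName() === sectionName &&
        typeof control.setDisabled === "function") { // not every control type has it
      control.setDisabled(true);
      count++;
    }
  });
  return count;
}

// Xrm.Page is supplied by the CRM form at run time.
function onFormLoad() {
  if (userHasRole(Xrm.Page, RESTRICTED_ROLE_ID)) {
    disableSection(Xrm.Page, "financials");
  }
}
```

Disabling controls is a presentation change only: the same data stays reachable through views, Advanced Find and the web services, so a field that must stay hidden from a user needs a field level security profile.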
1) Entity Level Security Manipulation through Security Roles
- The security roles can be created by going to Settings -> Administration.
http://ashishmahajancrm.files.wordpress.com/2013/03/entity-level-security-manipulation-through-security-roles1.jpg
Entity Level Security Manipulation through Security Roles
- There are 2 ways of creating a security role. One way is to create a totally new security role. The second way is to create a security role based on an existing security role, by copying the existing security role into a new one. The benefit is that all the existing privileges and access levels carry over to the new security role, which is faster. In the screenshot below I am creating a new security role based on an existing security role "Vice President of Sales".
http://ashishmahajancrm.files.wordpress.com/2013/03/copy-a-security-role.jpg
Copy a Security Role
- A security role consists of privileges. These privileges define what a security role can do with entity records. This is applied at entity level and hence will be applied to all records for that entity. For example, if a user with this security role has edit access, he or she will be able to edit all the records. As seen below, the privileges are:
Create: Create an entity record.
Read: Open an entity record.
Write: Update an entity record.
Delete: Delete an entity record.
Append: Associate this entity record to another entity record.
Append To: Associate another entity record to this entity record.
Assign: Change the owner of the entity record.
Share: Give access, to other users, to the entity records.
http://ashishmahajancrm.files.wordpress.com/2013/03/privileges.jpg
Privileges
- A security role also consists of access levels. The access levels define how deep the privileges for this security role reach inside Dynamics CRM 2011. Please note, each of these is indicated by the colour and amount of the filling in the circle. As seen below, the access levels are:
None Selected: No access to records.
User: Gives the user access to the records they own and to the records which are shared with them.
Business Unit: This level gives access to all records which fall in the user's business unit.
Parent: Child Business Units: This level gives access to all records which fall in the user's business unit or in any of the child business units.
Organization: This level gives access to any records in the entire organization.
http://ashishmahajancrm.files.wordpress.com/2013/03/access-levels.jpg
Access Levels
- A security role combines both privileges and access levels to form robust security. This security role can be applied directly to a user or to a team.
For example, suppose a security role has the "Write" privilege on a custom entity "Movies" and the access level for that privilege is "Organization". This combination means the user with this security role can update all the "Movies" entity records within this organization.
http://ashishmahajancrm.files.wordpress.com/2013/03/movies-entity-write-privilege-and-organization-access-level1.jpg
Movies Entity "Write" Privilege and "Organization" Access Level
- When you install and set up a new Microsoft Dynamics CRM 2011 environment, there are a few system generated security roles. You can either start using them or create your own roles based on these. Below is the list of out of the box security roles:
http://ashishmahajancrm.files.wordpress.com/2013/03/out-of-the-box-security-roles.jpg
Out of the Box Security Roles
2) Entity Records Level Security Manipulation
As we have seen above, entity level security applies to all records in the entity. The second scenario is entity record level security, which can be applied to an individual record or a set of records.
- I have the following records in my "Movie" entity.
http://ashishmahajancrm.files.wordpress.com/2013/03/movie-entity-records.jpg
"Movie" Entity Records
- I will open the first record, the movie Skyfall. There are 2 ribbon buttons (as highlighted in circle): Assign and Sharing. These ribbon buttons can be used to provide access to this record.
http://ashishmahajancrm.files.wordpress.com/2013/03/movie-skyfall1.jpg
Movie Record - Skyfall
http://ashishmahajancrm.files.wordpress.com/2013/03/skyfall-ribbon.jpg
Skyfall Ribbon buttons Assign and Sharing
- Assign can be used to change the owner for this Movie record - Skyfall. If I click this button I will get a screen as seen below. The owner of a record is a user who has complete access to that record. By changing the owner or assigning the record to someone, that person (the new owner) will have complete access to the record.
http://ashishmahajancrm.files.wordpress.com/2013/03/assign-movie-record-window.jpg
Assign Movie Record Window
- Sharing can be used to share a record with one or many users. Sharing is used over assign when we don't want to change the owner but want other users or a set of users to access this record. If I click this button I will get screens as seen below.
As seen below, if I hover my mouse over the "Sharing" ribbon button, I get 2 options. For entity records, the first option is required. If I click on the "Share" option, I get the second window. As seen there is an option to add users or teams. If I click on that option I will get a window as shown below (3rd screenshot). Here I can share this record with many users or teams. If I share this record with a team, then the record is shared with all the members of that team. You can toggle the permissions of Read, Write, Delete, Append, Assign and Share.
Read: Open an entity record.
Write: Update an entity record.
Delete: Delete an entity record.
Append: Associate this entity record to another entity record.
Assign: Change the owner of the entity record.
Share: Give access, to other users, to the entity records.
You can also remove the users and teams and stop sharing this record with them.
http://ashishmahajancrm.files.wordpress.com/2013/03/share-record.jpg
Share Record Option
http://ashishmahajancrm.files.wordpress.com/2013/03/share-record-form.jpg
Share Record Form
http://ashishmahajancrm.files.wordpress.com/2013/03/share-record-add-users-or-teams.jpg
Share Record - Add Users or Teams
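How the privileges, access levels and sharing described in sections 1 and 2 combine into a single allow/deny decision, as an added example that is not from the original post and is not Dynamics CRM's own code. It is a simplified model built from the definitions above; the users, business units, team and role contents are constructed sample data.

```javascript
// Simplified model of the rules described in this post; not Dynamics CRM code.
// Every name and sample value here is constructed for illustration.
const DEPTH = { NONE: 0, USER: 1, BUSINESS_UNIT: 2, PARENT_CHILD: 3, ORGANIZATION: 4 };

// Business unit hierarchy as child -> parent (constructed sample).
const PARENT_OF = { HQ: null, Sales: "HQ", "Sales-East": "Sales", Finance: "HQ" };

function isSameOrChildUnit(unit, ancestor) {
  for (let u = unit; u; u = PARENT_OF[u]) {
    if (u === ancestor) return true;
  }
  return false;
}

// Deepest access level that any of the user's roles grants for this privilege.
function effectiveDepth(user, entity, privilege) {
  return user.roles.reduce(
    (best, role) => Math.max(best, (role[entity] || {})[privilege] || DEPTH.NONE),
    DEPTH.NONE);
}

function canAccess(user, record, privilege) {
  const depth = effectiveDepth(user, record.entity, privilege);
  if (depth === DEPTH.NONE) return false;         // privilege not granted at all
  if (depth === DEPTH.ORGANIZATION) return true;  // any record in the organization
  if (record.ownerId === user.id) return true;    // User level: records they own
  const principals = [user.id, ...(user.teams || [])];
  const shared = (record.shares || []).some(
    (s) => principals.includes(s.principal) && s.rights.includes(privilege));
  if (shared) return true;                        // User level: records shared with them
  if (depth === DEPTH.BUSINESS_UNIT) return record.ownerUnit === user.unit;
  if (depth === DEPTH.PARENT_CHILD) return isSameOrChildUnit(record.ownerUnit, user.unit);
  return false;                                   // User level, neither owned nor shared
}

// Constructed sample data loosely following the post's "Movie" records.
const vpSales = { Movie: { Read: DEPTH.ORGANIZATION, Write: DEPTH.ORGANIZATION } };
const salesperson = { Movie: { Read: DEPTH.BUSINESS_UNIT, Write: DEPTH.USER } };
const alice = { id: "alice", unit: "Sales", roles: [vpSales], teams: [] };
const bob = { id: "bob", unit: "Sales", roles: [salesperson], teams: ["Reviewers"] };
const skyfall = { entity: "Movie", ownerId: "carol", ownerUnit: "Sales-East",
  shares: [{ principal: "Reviewers", rights: ["Read", "Write"] }] };
const pirates = { entity: "Movie", ownerId: "carol", ownerUnit: "Sales-East", shares: [] };

console.log("bob may write Skyfall:", canAccess(bob, skyfall, "Write"));
console.log("bob may write Pirates:", canAccess(bob, pirates, "Write"));
```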
3) Entity Fields Level Security Manipulation
This is a great feature starting from the 2011 version of Dynamics CRM. In CRM 4.0 we only had one option and that was manipulating access to fields through JScript. In CRM 2011 we have another option and that is the field level security profile.
We can restrict access to custom fields in CRM 2011 to only certain users. For example, there may be payroll fields which contain sensitive employee information. Only users who work in the HR and Payroll departments can be given access to those fields. Every user can have access to the whole form except those payroll fields. The users from the HR and Payroll departments can have access to the whole form including those fields. This is very easy to implement.
- Below is an example of a "Movie" entity record "Pirates of the Caribbean The Curse of the Black Pearl". In the "Financials" section there is a field "Revenue (millions)". I want to apply a field level security profile to this field so that only a few users and/or teams will have access to this field and its data for every "Movie" entity record. I will just show an overview and not an actual example. For an actual working example, I will write a separate detailed blog.
http://ashishmahajancrm.files.wordpress.com/2013/03/movie-pirates-of-the-caribbean-the-curse-of-the-black-pearl.jpg
Movie Record - "Pirates of the Caribbean The Curse of the Black Pearl"
- In order to include this field in any field level security profile, we need to enable "Field Security" on it. For this I will go to the solution, open that entity and go to its fields. Select the field "new_revenue" and open it for editing.
http://ashishmahajancrm.files.wordpress.com/2013/03/revenue-field.jpg
Revenue Field
- Enable the option "Field Security" for this field. By enabling this option we make this field available to any of the security profiles. This is necessary if we want to secure this field. Save and close this Field form. Publish the changes.
http://ashishmahajancrm.files.wordpress.com/2013/03/revenue-field-field-security-option.jpg
"Revenue" Field - "Field Security" Option
- In the same solution there is a component called "Field Security Profiles". Here I will create a new field security profile for the movie entity.
http://ashishmahajancrm.files.wordpress.com/2013/03/field-level-security-profile.jpg
"Field Security Profile" Component
- Click on the "New" button. This will open the form below. I will name my new security profile "Movies". Save but don't close the form.
http://ashishmahajancrm.files.wordpress.com/2013/03/create-new-security-profile.jpg
Create New Security Profile
- Go to the section called "Field Permissions". This will display all the fields in the CRM organisation which have "Field Security" enabled. I will select the "Revenue" field and double click. Currently in my environment I have only one field whose "Field Security" is enabled.
http://ashishmahajancrm.files.wordpress.com/2013/03/revenue-field-in-the-new-security-profile.jpg
"Revenue" Field in the New Security Profile
- This will open the "Edit Field Security" form. This will have 3 options: "Allow Read", "Allow Update" and "Allow Create". We can select "Yes" or "No" depending on whether we need to give access or deny access. Select "OK".
http://ashishmahajancrm.files.wordpress.com/2013/03/apply-field-level-security.jpg
Allow or Deny Field Level Security
- The last step is to add Teams and Users to this field security profile "Movies". Only these teams and/or users will have access based on the settings.
http://ashishmahajancrm.files.wordpress.com/2013/03/select-teams-and-users.jpg
Select Teams and/or Users
So we saw how robust the security framework is for Microsoft Dynamics CRM 2011. We can provide security at entity level, record level and also at the field level.
I hope this blog about 'Microsoft Dynamics CRM 2011 and Microsoft Dynamics CRM Online - The Security Framework' was informative. Please feel free to leave your comments.