Share via


Create or edit a security role

 

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

You can create new security roles to accommodate changes in your business requirements or you can edit the privileges associated with an existing security role.

If you need to back up your security role changes, or export security roles for use in a different implementation of Microsoft Dynamics 365, you can export them as part of exporting customizations. More information: Help & Training: Export your customizations as a solution

Create a security role

  1. Make sure that you have the System Administrator or System Customizer security role or equivalent permissions.

    Check your security role

    • Follow the steps in View your user profile.

    • Don’t have the correct permissions? Contact your system administrator.

  2. Go to Settings > Security.

  3. Click Security Roles.

  4. On the Actions toolbar, click New.

  5. Set the privileges on each tab.

    To change the access level for a privilege, click the symbol until you see the symbol you want. The possible access levels depend on whether the record type is organization-owned or user-owned.

    Tip

    To cycle through the access levels, you can also click the privilege column heading, or click the record type multiple times.

  6. When you have finished configuring the security role, on the toolbar, click or tap Save and Close.

Edit a security role

Before you edit an existing security role, make sure that you understand the principles of data access. More information: Security roles and privileges

Note

You can’t edit the System Administrator security role. To create a security role similar to the System Administrator security role, copy the System Administrator security role, and make changes to the new role.

  1. Make sure that you have the System Administrator or System Customizer security role or equivalent permissions.

    Check your security role

    • Follow the steps in View your user profile.

    • Don’t have the correct permissions? Contact your system administrator.

  2. Go to Settings > Security.

  3. Click Security Roles.

  4. In the list of security roles, double-click or tap a name to open the page associated with that security role.

  5. Set the privileges on each tab.

    To change the access level for a privilege, click the symbol until you see the symbol you want. The possible access levels depend on whether the record type is organization-owned or user-owned.

    Tip

    To cycle through the access levels, you can also click the privilege column heading, or click the record type multiple times.

  6. When you have finished configuring the security role, on the toolbar, click or tap Save and Close.

Minimum privileges for common tasks

It's helpful to keep in mind the minimum privileges that are needed for some common tasks. This means that a user is required to have a security role with these privileges in order to run applications. These common tasks include:

  • When logging in to Microsoft Dynamics 365:

    • To render the home page, assign the following privileges on the Customization tab: Read Web Resource, Read Customizations

    • To render an entity grid (that is, to view lists of records and other data): Read privilege on the entity, Read User Settings on the Business Management tab, and Read View on the Customization tab

    • To view single entities in detail: Read privilege on the entity, Read System Form on the Customization tab, Create and Read User Entity UI Settings on the Core Records tab

  • When logging in to Dynamics 365 for Outlook:

    • To render navigation for Microsoft Dynamics 365 and all Microsoft Dynamics 365 buttons: Read Entity and Read View on the Customizations tab

    • To render an entity grid: Read privilege on the entity, Read Customizations and Read Web Resource on the Customization tab, and Read Saved View on the Core Records tab

    • To render entities: Read privilege on the entity, Read System Form on the Customization tab, and Create, Read, and Write User Entity UI Settings on the Core Records tab

We've created a solution you can import that provides a security role with the required minimum privileges.

Start by downloading the solution from the Download Center: Common Data Service minimum privilege security role.

Then, follow the directions to import the solution: Import, update, and export solutions.

When you import the solution, it creates the min prv apps use role which you can copy (see: Create a security role by Copy Role). When Copying Role is complete, navigate to each tab - Core Records, Business Management, Customization, etc - and set the appropriate privileges.

Important

You should try out the solution in a development environment before importing into a production environment.

  • When logging in to Dynamics 365 for Customer Engagement:

    • Assign the min prv apps use security role or a copy of this security role to your user.

    • To render an entity grid (that is, to view lists of records and other data), assign the following privileges on the Core Records tab: Read privilege on the entity, Read Saved View, Create/Read/Write User Entity UI Settings and assign the following privilege on the Business Management tab: Read User

  • When logging in to Dynamics 365 for Outlook:

    • To render navigation for Dynamics 365 for Customer Engagement and all Dynamics 365 for Customer Engagement buttons: assign the min prv apps use security role or a copy of this security role to your user

    • To render an entity grid: assign Read privilege on the entity

    • To render entities: assign Read privilege on the entity

Privacy notices

Licensed Dynamics 365 Online users with specific Security Roles (CEO – Business Manager, Sales Manager, Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized to access the service by using Dynamics 365 for phones, as well as other clients.

An administrator has full control (at the user security role or entity level) over the ability to access and the level of authorized access associated with the phone client. Users can then access Dynamics 365 (online) by using Dynamics 365 for phones, and Customer Data will be cached on the device running the specific client.

Based on the specific settings at the user security and entity levels, the types of Customer Data that can be exported from Dynamics 365 (online) and cached on an end user’s device include record data, record metadata, entity data, entity metadata, and business logic.

Licensed Dynamics 365 Online users with specific Security Roles (CEO – Business Manager, Sales Manager, Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized to access the service by using Dynamics 365 for tablets, as well as other clients.

An administrator has full control (at the user security role or entity level) over the ability to access and the level of authorized access associated with the tablet client. Users can then access Dynamics 365 (online) by using Dynamics 365 for tablets, and Customer Data will be cached on the device running the specific client.

Based on the specific settings at the user security and entity levels, the types of Customer Data that can be exported from Dynamics 365 (online) and cached on an end user’s device include record data, record metadata, entity data, entity metadata, and business logic.

If you use Microsoft Dynamics 365 for Outlook, when you go offline, a copy of the data you are working on is created and stored on your local computer. The data is transferred from Dynamics 365 (online) to your computer by using a secure connection, and a link is maintained between the local copy and Dynamics 365 Online. The next time you sign in to Dynamics 365 (online), the local data will be synchronized with Dynamics 365 (online).

An administrator determines whether or not an organization’s users are permitted to go offline with Microsoft Dynamics 365 for Outlook by using security roles.

Users and administrators can configure which entities are downloaded via Offline Sync by using the Sync Filters setting in the Options dialog box. Alternatively, users and Administrators can configure which fields are downloaded (and uploaded) by using Advanced Options in the Sync Filters dialog box.

If you use Microsoft Dynamics 365 (online), when you use the Sync to Outlook feature, the Dynamics 365 data you are syncing is “exported” to Outlook. A link is maintained between the information in Outlook and the information in Dynamics 365 (online) to ensure that the information remains current between the two. Outlook Sync downloads only the relevant Dynamics 365 record IDs to use when a user attempts to track and set regarding an Outlook item. The company data is not stored on the device.

An administrator determines whether your organization’s users are permitted to sync Dynamics 365 data to Outlook by using security roles.

If you use Microsoft Dynamics 365 (online), exporting data to a static worksheet creates a local copy of the exported data and stores it on your computer. The data is transferred from Dynamics 365 (online) to your computer by using a secure connection, and no connection is maintained between this local copy and Dynamics 365 (online).

When you export to a dynamic worksheet or PivotTable, a link is maintained between the Excel worksheet and Dynamics 365 (online). Every time a dynamic worksheet or PivotTable is refreshed, you’ll be authenticated with Dynamics 365 (online) using your credentials. You’ll be able to see the data that you have permissions to view.

An administrator determines whether or not an organization’s users are permitted to export data to Excel by using security roles.

When Microsoft Dynamics 365 (online) users print Dynamics 365 data, they are effectively “exporting” that data from the security boundary provided by Dynamics 365 (online) to a less secure environment, in this case, to a piece of paper.

An administrator has full control (at the user security role or entity level) over the data that can be extracted. However, after the data has been extracted it is no longer protected by the security boundary provided by Dynamics 365 (online) and is instead controlled directly by the customer.

See Also

Security concepts for Microsoft Dynamics 365
Security roles and privileges
Manage security, users, and teams
Copy a security role

© 2016 Microsoft. All rights reserved. Copyright