Why can a user only be assigned to one Business Unit? RRS feed

  • Question

  • I don't understand why a user can have multiple security roles, but can only be in one business unit?

    We have people work in more than one business unit and wear different 'hats' depending on what business unit they are representing. For example a Senior Manager in Marketing may resign, and in the interim a Finance Director from Finance may take up his job until a new person can be found. The FD is assigned the business unit of Finance but he now also works in Marketing.

    How can this be accommodated in Dynamics CRM?

    Wednesday, January 29, 2014 9:39 PM

All replies

  • Hi

    The business unit is the cornerstone of the CRM security model and all users and teams reside in one business unit and only one. This enables the siloing of data and erection of 'Chinese walls' between groups of users or teams within the organisation. It also allows the privileges on the security role to work - i.e. 'business unit owned' relates to records owned by users & teams in the same business unit as the user in question.

    However, where you have users who wear 'multiple hats' as per your scenario, then they may join multiple teams. Teams provide a vehicle to collaborate across business units and transcend the Chinese walls.

    In your example, you could create a team called 'senior marketing manager' residing in the 'Marketing' business unit and assign the same security roles to that team as the user who just resigned. You could then add your finance director to this team and he would then have access to the same records and abilities the senior marketing manager had.

    Check out the help file in crm for more detailed information on the security model.


    MCTS. GAP Consulting Ltd. Microsoft Community Contributor Award 2011 & 2013

    Wednesday, January 29, 2014 10:06 PM
  • Hi Rob,

    Thank you for the reply and explanation. I am currently evaluating Dynamics CRM by reading documentation so I don't think I can get access to the help files. However I have read a few books and so far understood that a root Business Unit is created on setup which will be the organisation's name e.g. Acme Inc.  And am I right in thinking that this is the Parent Business Unit of all BUs in the application?

    Therefore is every user a member of the root BU as well as their own department BU?  I don't understand how a user could be in the Marketing BU but not in the Acme Inc BU for example.

    So can I ask what is the purpose of the root BU?

    • Edited by cubed Wednesday, January 29, 2014 11:40 PM
    Wednesday, January 29, 2014 11:13 PM
  • Hi,

    The help is now online. Try this https://www.microsoft.com/en-us/dynamics/crm-customer-center/search.aspx?q=security

    Yes, every deployment begins with a single 'root' business unit and all additional business units must link to a parent business unit. Business units are hierarchical so you can go as wide and as deep as you like. When you add new users, by default they are assigned to the root BU, then it is up to you as the administrator to change their BU if you have built out your business unit hierarchy. Note, whenever you change a user's BU, any security roles you have given them will be removed so you must re-add them after you move them to another BU.

    I hope that makes a little more sense.


    MCTS. GAP Consulting Ltd. Microsoft Community Contributor Award 2011 & 2013

    Thursday, January 30, 2014 8:20 AM