Restricting Field Security Profiles to Child BUs?

  • Question

  • Hi,

    I have a scenario where I am struggling to find a way to secure data in the way the business is asking.

    We currently have a single BU and a number of sites (care homes)

    All staff can see all the service user (contact) records across the business and also the associated records for those contacts regardless of which care home a service user is at. This needs to continue.

    We have an associated record, let's call it medication, for the service user which holds some generic data which needs to be available to staff at every care home, but it also has medical data (e.g. medication) that only the staff at the care home the service user is at should be able to see. This associated record is owned by a member of staff at the care home where the service user is based.

    I have been looking at moving to a multi-BU setup and have set up 2 of the care homes (A & B) as child BUs of the main BU:

    • put a test user in each child care home BU
    • assigned a test medication record to the team for a user in home A and home B
    • amended the security role permissions to allow the users to see the core records in the parent BU as well as the medication records in both the child BUs

    I then tried to use field level security to lock down the 'sensitive' fields by:

    • creating a field security profile called clinical data and adding the sensitive fields
    • creating a team called clinical staff
    • creating a security role called 'clinical staff' with the rights for this entity set at business unit
    • Adding the clinical staff security role to the clinical staff team
    • Adding the clinical team to the field clinical data security profile

    As a user in care home A I can see the medication records in both BU A & B, but the sensitive fields are hidden by ******** as expected.

    Next I added the user to the clinical staff team. Now I can see the sensitive data in the test record in both home A & home B.

    I then tried changing the security role permissions to user but got the same result.

    Is it possible to have field level security work only at child BU level or is it a case that if you have the permission that you can see the data regardless of BU?

    I hope the above makes sense but let me know if anything needs clarifying.



    Paul Hines

    Thursday, December 22, 2016 5:34 PM

All replies

  • Field security works in conjunction with security roles.

    In determining what users should be able to see and do, rights granted via security roles are evaluated first (which includes BUs, team membership and sharing). Then field security (if relevant) is applied. All field security can do is make a field visible (or writable) if the user matches a field security profile that gives them access. BUs are not relevant to field security.

    If a user cannot see a record because of security roles, then field security really does not apply and does not grant access. Also, if a user only has read access via security roles, field security cannot increase this to write access.

    Friday, December 23, 2016 1:38 AM
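To make the two-step evaluation described in the reply above concrete, here is an added Python model (not CRM code and not from anyone in this thread; the BU names, users and the "medication" field are constructed) showing that a role's read depth decides record access against the BU tree, while a field security profile then unmasks its fields on every record the user can read, whatever BU owns it.

```python
from dataclasses import dataclass, field

MASK = "********"
# Constructed BU tree for the scenario on this page: two child BUs under the parent
PARENT = {"Main": None, "Home A": "Main", "Home B": "Main"}

@dataclass
class User:
    name: str
    bu: str
    read_depth: str          # role read privilege depth: user | bu | parent_child | org
    teams: set = field(default_factory=set)

@dataclass
class Record:
    owner: str
    owning_bu: str
    data: dict               # field name -> value

def can_read(user, rec):
    # Step 1: security-role access, the only step where BUs and ownership matter
    # (parent_child check is one level deep, which is all this constructed tree needs)
    return {"org": True,
            "parent_child": user.bu in (rec.owning_bu, PARENT[rec.owning_bu]),
            "bu": rec.owning_bu == user.bu,
            "user": rec.owner == user.name}[user.read_depth]

def visible_fields(user, rec, profiles):
    # Step 2: field security only masks/unmasks fields on records step 1 allowed;
    # profile membership is per user/team and applies to every readable record
    if not can_read(user, rec):
        return None          # no record access, so field security grants nothing
    secured = {f for p in profiles.values() for f in p["fields"]}
    granted = {f for p in profiles.values() if user.teams & p["teams"] for f in p["fields"]}
    return {k: (v if k not in secured or k in granted else MASK) for k, v in rec.data.items()}

# Constructed data: a medication record owned in Home B and one field security profile
PROFILES = {"clinical data": {"teams": {"clinical staff"}, "fields": {"medication"}}}
REC_B = Record("nurse_b", "Home B", {"name": "service user 2", "medication": "drug Y"})

def walkthrough():
    # Home A user whose role reads medication records organisation-wide
    nurse = User("nurse_a", "Home A", "org")
    before = visible_fields(nurse, REC_B, PROFILES)["medication"]
    nurse.teams.add("clinical staff")           # join the team linked to the profile
    after = visible_fields(nurse, REC_B, PROFILES)["medication"]
    # With user-depth read the Home B record is not readable at all, profile or not
    unreadable = visible_fields(User("nurse_a", "Home A", "user", {"clinical staff"}), REC_B, PROFILES)
    return before, after, unreadable
```

walkthrough() returns the masked value before team membership, the clear value after it, and None for the user-depth case where the Home B record is never reached by field security.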
  • Thanks for this, Feridun,

    I'm still learning the intricacies of CRM security and your answer above helps greatly.

    Back to the drawing board :)



    Friday, December 23, 2016 9:33 AM
  • Short answer to your question: field security cannot be applied based on BU, but you can use the default team for the BU. It will be based on users/teams.

    For a more in-depth understanding I would suggest this MSDN page,


    Ramanathan Rajendran MCTS - Dynamics CRM

    Friday, December 30, 2016 12:31 AM