Changes to Business Units not picking up security roles RRS feed

  • Question

  • Hi all,

    I had to make a change to our Business Unit structure at work and it's producing strange results. Let me try and explain how it's currently set up and what I've done:

    Top level Business Unit
    Business Unit for Manager of teams
    Team 1 / Team 2 / Team 3

    And I then apply various security roles that gives the Manager's Business Unit permissions over all child Business Units. This lets the manager see all the records in the Business Units under then but the people in Team 1, 2, 3, etc can only see their own teams. I've had this set up in place for a while and it works.

    We also had a few smaller teams that were made up slightly differently:

    Top level Business Unit
    Team A / Team B / Team C

    Again, this has been working like this for a while. I recently had to change the structure of a few of these teams so that there was a single manager over the top of them so I created the new mid-level Business Unit, changes the parent Business Units of all sub-Business Units and reassigned the manager and roles so that the set up is exactly as it was for other areas. However, some of the permissions from one security role are not being applied to people in the manager's Business Unit.

    It's as if the security role is not available in this business unit even though, looking through the security roles, it is - in fact, it's added to the top level Business Unit. I don't know if this makes and difference but this particular role was one that I created from new, if I apply some of the system security roles, these are being picked up.

    I know this is a long and possibly confusing email. If you'd like me to explain anything in a bit more depth, I'd be happy to do that.

    • Edited by Jon_Evans Wednesday, November 19, 2014 11:16 AM Missed something ouit
    Wednesday, November 19, 2014 11:15 AM

All replies

  • If the issue is that security roles are stripped after moving a user to another business unit, this is normal.

    If the issue is that the security role acts differently permission wise after being reassigned in a different business unit, then it may be possible that someone modified that security role at that business unit level.

    It may appear to most people that there is only a single security role called "My Security Role" for example when you created it at the top parent business unit.  And when you log in as an admin and assign that security role, you only see the one security role with that name.  But what actually happens is that security role is replicated for each child business unit, and each copy gets its own GUID in the database.  So someone assigned to one of those child business units with permission to modify security roles can potentially log in and edit the "My Security Role" for that business unit.  The changes made to a security role replicate downward.  Not up or through the whole system.  I have seen this done in the past.  I have even seen where users have created security roles in a child business unit in CRM 4.0 which of course do not export in customizations.

    If this seems like it may be relevant to your issue, I would suggest setting up a test user in that child business unit with the admin role, log in and check to see if the permissions for that specific security role match the permissions for the same security role name in the top parent business unit.

    Jason Peterson

    Wednesday, November 19, 2014 5:38 PM
  • Hi Jason,

    Thanks for your reply. I think I've worked out what's happening here and what you've said confirms this. The security role was created on the top level business unit and it applied an identical security role to all child business units. I've since created another business unit and it's as if the permissions on this role were not applied to this role.

    So I've tried creating a new security role on the top level business unit and assigned some basic permissions to test user access and this has worked. So it appears that new security roles have their permissions cascaded down the business units but existing ones do not.

    Thursday, November 20, 2014 3:05 PM