locked
Are BU's Security divisions or not? RRS feed

  • Question

  • Hello,

    I am playing with a CRM 2013 install in VM workstation. I have called the organization SecuritySandbox as that is what I am going to hack up this org learning.

    So I wanted first to test the concept of Business Units being data security related and not a business hierarchy. So my pretend org chart had one bu called SecuritySandbox. This was of course the default one. I then created several bu's all on equal level with SecuritySandbox as the only parent of all them.

    So   BU_A,   BU_B    BU_C    etc.

    In my mind I could have a user in each bu with one record in that bu. The users in the child bu's wouldn't be able to see each others records but the user in the default top bu would be able to see them all.

    I then created a users and put them in BU's. However when they go to login they get the error message that a security role has to be assigned. OK I'm lost. I can understand getting a message for insufficient perms but no role at all? I thought that BU's were data security roles and since the user is assigned to a bu they should have a security role.

    So of course if I create a security role and assign it to the user they can log in.

    So I am confused. If I have to assign users a security role then it seems to me bu's are nothing more than organizational containers.

    I know this isn't the case as many different sources say quite clearly they have a security context but I'm not understanding how that plays out in implementation.

    Thanks

    Thursday, December 19, 2013 6:14 AM

Answers

  • A user has to be a member of one or more security roles, as the security roles grant access rights to CRM entities. Access rights have different levels (None, User, BU, Parent-Child, Organisation). For the BU and Parent-Child levels, the records that the user can access are determined by the combination of that user's BU, and the BU to which the owner of the record belongs. So, Business Units are a means to control access to data, but security roles are another (necessary) part of the security model.

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    • Marked as answer by zzpluralza Friday, December 20, 2013 12:53 PM
    Friday, December 20, 2013 12:33 PM
    Moderator

All replies

  • A user has to be a member of one or more security roles, as the security roles grant access rights to CRM entities. Access rights have different levels (None, User, BU, Parent-Child, Organisation). For the BU and Parent-Child levels, the records that the user can access are determined by the combination of that user's BU, and the BU to which the owner of the record belongs. So, Business Units are a means to control access to data, but security roles are another (necessary) part of the security model.

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    • Marked as answer by zzpluralza Friday, December 20, 2013 12:53 PM
    Friday, December 20, 2013 12:33 PM
    Moderator
  • OHHHHH What a noob question that was!!! Of course this makes sense. In the security role you can assign business unit access....BUT....that is generic and translates different depending on which business unit you are in.

    Thank you for your patient answer!

    Friday, December 20, 2013 12:52 PM