CRM Record Ownership/Access - Need clarification

Question
-
Hi, I have a general question on CRM 2011 Record Ownership and Privilege.
I create a custom Team (tied to Business Unit BU1) and assign it Role Privilege with a read(U)+write(U)+append(U)+appendto(U) privilege for account entity AND create(U)+read(U)+write(U)+append(O)+appendto(O) privilege for another custom entity X.
I added some users from Business Unit BU2 to the above team.
Scenario 1
Now I create an account record and assign the above team as record owner. I did not share the account with the team.
Qs: What actions/permissions will BU2 team members have on the account record?
Scenario 2
I added a custom entity record (type X) to the above account and assign the same team as owner of that record also. No sharing with the team.
Qs: What actions/permissions will BU2 team members have on the account record?
Scenario 3
Repeating the same scenario 1 with the exception that I share the account record (read+write+append) with the same team along with setting as a record owner.
Qs: What actions/permissions will BU2 team members have on the account record?
Scenario 4
Repeated the same scenario as #2 (no changes).
Qs: Any difference in outcomes for permissions due to the explicit sharing in scenario #3?
Sorry about the lengthy scenario based questions, but just needed a quick answer as we need to implement some security quickly. Please help.
Thanks,
Friday, July 26, 2013 4:29 AM
Answers
-
Q1: Because you made the Team the owner of the record, it is easiest to work out - the user will have read/write/append|to privilege. They might have more privileges than that if the user has a role themselves with Organisation level rights (e.g. to assign or share).
Q2: As above: create/read/write/append|to on the custom entity, but only the rights they already have on the Account. Rights on a child entity have zero impact on the parent entity.
Q3: Sharing is irrelevant if the Team is already the owner; the user cannot get any more rights this way. Only difference would be that if you reassigned the Account to a different owner but forgot to change the Share, the Team and its members would still have access. For your scenario there seems to be no need to share and in the long term adding more shares will impact performance as the POA table grows.
Q4: It depends. You need to check the relationship between Account and your custom entity and see if the cascading behaviour for "Share" is set to Cascade. If it is, then the Share on the Account will also be replicated on the custom record. But I would not use sharing if you can avoid it. Notice however that you could get the Assign itself to Cascade if appropriate, so assigning the Account to the Team would also re-assign the custom record (if that fits your business rules).
Additional approach:
You don't have to make the Team the owner at all, just make sure they have read/write/whatever privileges at BU level. Then any User in that Team, even from another BU, will be able to do those things (read/etc) to all Accounts in the BU the Team is in (when I say "in" a BU, I am using shorthand for "owned by another user or Team in that BU"). Likewise the custom records. This is less selective than choosing which records to assign to the Team, but might fit your underlying requirement.
Read more about how user / team / BU / security roles really work here: Security Roles and Teams in CRM 2011 – An Inconvenient Half-Truth
Read more about Cascading behaviours (and particularly re-parent rules): Implicit Shares in Microsoft CRM 2011
Hope this helps.
Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
Blog: Getting IT Right
- Proposed as answer by Adam Vero Friday, July 26, 2013 9:07 PM
- Marked as answer by Neil Benson MVP, Moderator Saturday, July 27, 2013 2:10 AM
Friday, July 26, 2013 7:09 PM
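The rules stated in the answer above, worked through as a small model. This is an added example, not part of the original thread and not CRM SDK code; `Principal`, `Record`, `effective_rights` and the sample users are hypothetical names. Assumptions: a share is modelled as granting the shared rights directly, and cascading behaviour is left out.

```python
from dataclasses import dataclass, field

USER, BU, ORG = "U", "BU", "O"          # privilege depths as written in the thread
RIGHTS = ("read", "write", "append", "appendto", "assign", "share")

@dataclass(eq=False)
class Principal:                         # a user or a team; each belongs to one BU
    name: str
    bu: str
    role: dict = field(default_factory=dict)    # {(entity, right): depth}
    teams: list = field(default_factory=list)   # teams a user is a member of

@dataclass
class Record:
    entity: str
    owner: Principal
    shares: dict = field(default_factory=dict)  # {principal name: rights}, i.e. POA rows

def role_grants(p, rec, right):
    """Does p's own role reach this record at the depth it was granted?"""
    depth = p.role.get((rec.entity, right))
    if depth == ORG:
        return True
    if depth == BU:
        return rec.owner.bu == p.bu      # "in" a BU = owned by a user/team of that BU
    return depth == USER and rec.owner is p

def effective_rights(user, rec):
    """Union of role-based access and shares over the user and their teams."""
    principals = [user, *user.teams]
    return {r for r in RIGHTS
            if any(role_grants(p, rec, r) or r in rec.shares.get(p.name, ())
                   for p in principals)}

def demo():
    # Constructed data mirroring the question: team in BU1, member from BU2.
    acct = {("account", r): USER for r in ("read", "write", "append", "appendto")}
    team = Principal("Team1", "BU1", role=acct)
    member = Principal("bu2.user", "BU2", teams=[team])
    other = Principal("bu1.user", "BU1")
    rec = Record("account", owner=team)
    out = {"s1_team_owns": effective_rights(member, rec)}
    rec.shares["Team1"] = {"read", "write", "append"}      # scenario 3: explicit share
    out["s3_owner_plus_share"] = effective_rights(member, rec)
    rec.owner = other                                      # reassigned, share left behind
    out["stale_share"] = effective_rights(member, rec)
    rec.shares.clear()
    out["after_share_removed"] = effective_rights(member, rec)
    team.role = {k: BU for k in acct}                      # the "additional approach"
    out["bu_depth_role"] = effective_rights(member, rec)
    return out
```

The `stale_share` result is the case to audit for: after reassignment the BU2 member keeps read/write/append purely through the leftover share, and loses it only once the share is removed.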
All replies
-
Thanks Adam. This is quite informative. I got the answer I was looking for.
Appreciate your help.
Friday, July 26, 2013 9:05 PM