locked
Parent Business Unit Issue RRS feed

  • Question

  • Hi,

    I've been asked to look at changing the CRM security where I work and simplifying the business units and security roles that are used.

    The business wants to have Business Units set up as follows:-

                                  [CEO]

    [Finance Mgr]  [HR Mgr]  [Contract Mgr]  [R&D Mgr]  

                           [Everyone else]

    So as you can see the CEO should be able to see all activities of everyone beneath him, but they shouldnt be able to see his.  Beneath him there are 4 BU's who shouldn't be able to see each others activities but again can see everyone beneath them. Then finally everyone else in the company sits beneath these four BU's. Now the problem I have is how can I set up the "Everyone else" BU because this BU can only have one Parent.

    Is it even possible to have this kind of setup?

    Thanks in advance

    adam

    Monday, June 18, 2012 3:26 PM

Answers

  • Adam, I've deployed CRM in quite a few large enterprises that start out with complex security requirements and it becomes a big administrative overhead for very little benefit. Unless there are laws or regulations preventing you, I would encourage you to make all activities available to all users. If the CEO wants to have a private activity, then it shouldn't be tracked in CRM.

    Successful customer relationship management is about breaking down departmental silos and empowering your customer-facing staff by providing them with the tools and information they need to serve your customers. They can't do that if important activities from five senior managers are invisible to them.

    But if your CEO is forcing you to meet this requirement, then you'll have to use teams to achieve it. Make the 'Everyone Else' BU a child BU of 'Finance Mgr' and then have the users in the 'Contract Mgr', 'HR Mgr' and 'R&D Mgr' BUs as members of the 'Everyone Else' team.


    Neil Benson, CRM Addict and MVP at Slalom Consulting. Find me on Twitter. Join over 20,000 other CRM professionals on the Microsoft Dynamics CRM group on LinkedIn.

    Friday, June 22, 2012 5:20 AM
    Moderator

All replies

  • Any business unit have only one parent business unit. What you can do is create 4 [Everyone Else] business units below each of the 4 parent business units. Another possibility is to forget about the 3rd level business unit [everyone Else] and create a security role for this purpose that can be assigned to users in each of the parent BU. To do that, preferebly create this new role at the top BU level so that you can use the same role in each of the 4 business units below it.

    I hope this helps.

    Monday, June 18, 2012 5:02 PM
  • Hi Adam,

    another possibility for " Everyone else " is that you can assign the users who come under designated managers like for example the users who come under Finance manager you can make a team and add the users and the role can be assigned to the team one major advantage of going this way is the user can be added different security roles if needed since each team can be assigned its own roles.

    Hope this should help you.


    Sushant Sarkar Microsoft CRM Dynamics Engineer

    Tuesday, June 19, 2012 10:50 AM
  • Adam,

    You can define your security roles as robust as you want. HS 2010, Sushant have provided very valid inputs.

    I would highly recommend giving a read about security roles about design considerations for security roles for users in Business units/teams.

    http://msdn.microsoft.com/en-us/library/gg328427

    Thanks,

    Rahul

    Thursday, June 21, 2012 9:41 PM
  • Adam, I've deployed CRM in quite a few large enterprises that start out with complex security requirements and it becomes a big administrative overhead for very little benefit. Unless there are laws or regulations preventing you, I would encourage you to make all activities available to all users. If the CEO wants to have a private activity, then it shouldn't be tracked in CRM.

    Successful customer relationship management is about breaking down departmental silos and empowering your customer-facing staff by providing them with the tools and information they need to serve your customers. They can't do that if important activities from five senior managers are invisible to them.

    But if your CEO is forcing you to meet this requirement, then you'll have to use teams to achieve it. Make the 'Everyone Else' BU a child BU of 'Finance Mgr' and then have the users in the 'Contract Mgr', 'HR Mgr' and 'R&D Mgr' BUs as members of the 'Everyone Else' team.


    Neil Benson, CRM Addict and MVP at Slalom Consulting. Find me on Twitter. Join over 20,000 other CRM professionals on the Microsoft Dynamics CRM group on LinkedIn.

    Friday, June 22, 2012 5:20 AM
    Moderator
  • Thanks for that Neil. Yes unfortunately the business wants the CEO and 4 main managers to be above everyone else as they deal with sensitive information. I'll give your suggestion a go and see how I get on.
    Friday, June 22, 2012 8:17 AM
  • This would work, as long as you make sure to assign a security role to the "Everyone else" team which allows access to read activities from the whole Business Unit. All users in this team will then be able to read activity records belonging to any user in the BU the team is in, as if they were in that BU themselves.

    I agree with Neil that these sorts of requirements often make life quite tough, and while they can work for some things such as custom entities for sensitive information, they do get really hard work if you apply them to general records such as Contacts. Make sure your roles for these records are as open as possible.

    Personally, my variation would be to make EveryoneElse either a child BU of the CEO one, or of the root (make CEO a child of the root, not be the root itself).

    CEO user can have a security role to see everything across the whole organisation anyway, so the other BUs don't need to be subsidiary to this.

    You will also have to watch out for "reparenting" giving users access to things unexpectedly. If the CEO records a task and this is "regarding" a Contact, the owner of the Contact will be able to read the Task even though they don't own it, and it is not owned by someone in their Business Unit. You will have to review the relationship between every entity which needs to be ultra-secure and all possible parents, and ensure that cascade rules for re-parenting are set to "none" (you may have to switch cascade from "parenting" to "configurable" first).


    Hope this helps. Adam Vero, MCT


    • Edited by Adam Vero Friday, June 22, 2012 10:22 AM
    Friday, June 22, 2012 10:19 AM