locked
business unit/parent unit security RRS feed

  • Question

  • I created a new business unit for a new group of people that will be working in CRM and will be completely separate from the current users in the system.  We do not want any of the current users to have access to any of the records in the new BU.  When creating the new unit, CRM forced me to use our current BU (that all of the current users have access to) as the parent unit.  When verifying the security for the roles of the current users, there are some that force you to give either no access or Organization Level (mostly read rights).  Is there a way to make sure no users from the original BU can see or change any data for the new BU?  Thanks!

     

    Monday, March 8, 2010 4:03 PM

Answers

  • Hi
    You have to remove the persmisson on the existing BU. i mean if some user has "Global"  permission that should be removed.
    If your new BU is the child of the existing BU. then in that case you have to remove the parent/child permission on that BU as well.
    bascially you have to plan all the security roles for each bussiness unit and then assign them. here is the access level provided in crm.

    Access Levels

    The access level for a privilege determines for a given entity type at which levels within the organization hierarchy a user can act on that type of entity. Microsoft Dynamics CRM has the levels of access shown in the following table, starting with the most access.

    Global Global. This access level exposes to a user all entity instances within the organization, regardless of the business unit hierarchical level to which the instance or the user belongs. Users who have Global access automatically have Deep, Local, and Basic access also.

    Because this access level gives access to information throughout the organization, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the organization.

    Note   The application refers to this access level as Organization.

    Deep Deep. This access level exposes to a user entity instances in the user's business unit and all business units subordinate to the user's business unit.

    Users who have Deep access automatically have Local and Basic access also.

    Because this access level gives access to information throughout the business unit and subordinate business units, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business units.

    Note   The application refers to this access level as Parent: Child Business Units.

    Local Local. This access level exposes to a user entity instances in the user's business unit.

    Users who have Local access automatically have Basic access also.

    Because this access level gives access to information throughout the business unit, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business unit.

    Note   The application refers to this access level as Business Unit.

    Basic Basic. This access level exposes to a user entity instances he or she owns, objects that are shared with the user, and objects that are shared with a team of which the user is a member.

    This is the typical level of access for sales and service representatives.

    Note   The application refers to this access level as User.

    None None Selected. None.

    Muhammad Ali Khan
    My MS CRM blog
    • Marked as answer by Jim Glass Jr Monday, March 8, 2010 4:52 PM
    Monday, March 8, 2010 4:10 PM

All replies

  • Tracy,

    On possibility is to create another business unit and make that BU the parent of the two business units. Then when you put users in the BU they will be in separate tree branches and you can better control/limit access.
    Jerry http://www.crminnovation.com
    Monday, March 8, 2010 4:08 PM
  • Hi
    You have to remove the persmisson on the existing BU. i mean if some user has "Global"  permission that should be removed.
    If your new BU is the child of the existing BU. then in that case you have to remove the parent/child permission on that BU as well.
    bascially you have to plan all the security roles for each bussiness unit and then assign them. here is the access level provided in crm.

    Access Levels

    The access level for a privilege determines for a given entity type at which levels within the organization hierarchy a user can act on that type of entity. Microsoft Dynamics CRM has the levels of access shown in the following table, starting with the most access.

    Global Global. This access level exposes to a user all entity instances within the organization, regardless of the business unit hierarchical level to which the instance or the user belongs. Users who have Global access automatically have Deep, Local, and Basic access also.

    Because this access level gives access to information throughout the organization, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the organization.

    Note   The application refers to this access level as Organization.

    Deep Deep. This access level exposes to a user entity instances in the user's business unit and all business units subordinate to the user's business unit.

    Users who have Deep access automatically have Local and Basic access also.

    Because this access level gives access to information throughout the business unit and subordinate business units, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business units.

    Note   The application refers to this access level as Parent: Child Business Units.

    Local Local. This access level exposes to a user entity instances in the user's business unit.

    Users who have Local access automatically have Basic access also.

    Because this access level gives access to information throughout the business unit, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business unit.

    Note   The application refers to this access level as Business Unit.

    Basic Basic. This access level exposes to a user entity instances he or she owns, objects that are shared with the user, and objects that are shared with a team of which the user is a member.

    This is the typical level of access for sales and service representatives.

    Note   The application refers to this access level as User.

    None None Selected. None.

    Muhammad Ali Khan
    My MS CRM blog
    • Marked as answer by Jim Glass Jr Monday, March 8, 2010 4:52 PM
    Monday, March 8, 2010 4:10 PM
  • There are two types of ownership in CRM for records: user-owned and organization-owned. User owned are very easy to isolate because you can set permission to anything but Organization and access will be restricted across Business Units. However, for organization-owned records you have two options the role can see all records or they can see none.

    For example, if you have products in your system, which are organization owned, a user can either see them or they can't. There is no way through security to have them see only a subset of product records.

    Leon Tribe

    Want to hear me talk about all things CRM? Check out my blog

    http://leontribe.blogspot.com/

    or hear me tweet @leontribe
    Want to hear me talk about all things CRM? Check out my blog http://leontribe.blogspot.com/ or hear me tweet @leontribe
    • Proposed as answer by Leon TribeMVP Tuesday, March 9, 2010 12:50 PM
    Tuesday, March 9, 2010 12:50 PM