Confused on Security roles between business units

  • Question

  • I'm having difficulty understanding why I cannot change the security roles to be different between business units.

    I have two business units of which one is the parent.  I'm trying to set some of the Core Records attributes to be different for the child.  Example, I want the child to see accounts from the parent but not be able to write to them.  I can go to security roles and change the "circles" the way I want, but it won't let me save it because inherited roles cannot be updated.

    I'm just starting this 2nd business unit, so if there's another way I should set it up, I'm all ears.

    Thursday, February 21, 2013 4:59 PM

Answers

  • As you've seen, the existing roles that came down to the child BU when it was created can't be modified within the context of the child BU - this is by design.

    You can however use the "Copy Role" feature from the actions menu to create a copy of the existing, locked role and change it as you see fit and apply it within that child BU.

    A good blog post on security roles


    Jason Lattimer


    Thursday, February 21, 2013 5:58 PM
    Moderator

All replies

  • Jason,

    I think I understand.  I take a security role called Salesman, copy the role and call it Salesman2 and then apply whatever security role I want within Salesman2?

    That seems easy enough if I'm getting it right.

    Thursday, February 21, 2013 6:46 PM
  • Exactly. Only potential caveat is this role would only be available to this child BU and any future child BUs. If you think you might do more with Business Units, it might be better to define a new role at the parent so it gets inherited to its children. 

    Jason Lattimer

    Thursday, February 21, 2013 6:49 PM
    Moderator
  • Jason,

    I copied the security role in BU#2 with no problem.  First though, I changed one user from BU#1 to BU#2.  I then changed the security roles on the new copied and renamed role and tested it with that user, but it didn't take the new role.  I selected the account and gave this user full read but only could write to the new BU.  When they opened an account in BU#1 they were still able to edit (write) to the account.  It appears that they have all of the same security roles as they did in BU#1 which ignores my changes to the role.  Any ideas?  I've published, saved, rebooted (except server) and anything else I could think of.

    Thanks,

    Jeff

    Friday, February 22, 2013 6:51 PM
  • Do they have any other roles assigned to them? Security in CRM is cumulative so they have the greatest of all permissions assigned to any role they have.

    Then just to verify the steps:

    • Administration -> Security Roles
    • Select Child BU from drop down
    • Select Role
    • Copy Role
    • Edit Role so it can read all Accounts (full green circle)
    • Edit Role so it can write only to same BU (half yellow circle)
    • Administration -> Users
    • Select User (verify in child BU)
    • Add Copied Role
    • Remove any other roles
    • Log out and back in with that user

    The user should be able to see all accounts but only write to those that are in the child BU (owned by a user or team in the BU).


    Jason Lattimer

    Friday, February 22, 2013 7:37 PM
    Moderator
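
The cumulative rule from the last reply, as an added example that is not part of the original thread and is not CRM code: a simplified Python model of role access levels that reports which assigned role is granting an unexpected write. The BU names, the records and the privileges inside `Salesman` are constructed assumptions; `Salesman2` follows the steps above (read at Organization, write at Business Unit).

```python
from enum import IntEnum

class Depth(IntEnum):        # access level of one privilege inside a role
    NONE = 0
    USER = 1                 # only records the user owns
    BUSINESS_UNIT = 2        # records owned within the user's own BU
    PARENT_CHILD = 3         # own BU plus the BUs beneath it
    ORGANIZATION = 4         # every record in the organization

BU_PARENT = {"BU1": None, "BU2": "BU1"}   # constructed hierarchy: BU -> parent

def is_same_or_descendant(bu, ancestor):
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def in_scope(depth, user, record):
    """Does one privilege at this depth reach the record for this user?"""
    if depth == Depth.ORGANIZATION:
        return True
    if depth == Depth.PARENT_CHILD:
        return is_same_or_descendant(record["owner_bu"], user["bu"])
    if depth == Depth.BUSINESS_UNIT:
        return record["owner_bu"] == user["bu"]
    if depth == Depth.USER:
        return record["owner"] == user["name"]
    return False

def granting_roles(user, roles, privilege, record):
    """Roles assigned to the user that, on their own, allow the privilege."""
    return [name for name in user["roles"]
            if in_scope(roles[name].get(privilege, Depth.NONE), user, record)]

def can(user, roles, privilege, record):
    # Cumulative: a single granting role is enough, others cannot subtract.
    return bool(granting_roles(user, roles, privilege, record))

ROLES = {  # constructed role definitions
    "Salesman":  {"read": Depth.ORGANIZATION, "write": Depth.ORGANIZATION},
    "Salesman2": {"read": Depth.ORGANIZATION, "write": Depth.BUSINESS_UNIT},
}
PARENT_ACCOUNT = {"owner": "alice", "owner_bu": "BU1"}   # constructed records
CHILD_ACCOUNT = {"owner": "jeff", "owner_bu": "BU2"}
```

For a user in `BU2` holding both roles, `granting_roles(user, ROLES, "write", PARENT_ACCOUNT)` names the role that still has to be removed before the restriction in the copied role takes effect.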