Understanding Access Levels and Roles in Microsoft CRM - dummies

Understanding Access Levels and Roles in Microsoft CRM

By Joel Scott, Michael DeLisa

The privileges you are assigned regulate the functions you can perform on particular Records or objects. Your access levels determine which Records these privileges apply to. In other words, although your privileges may include the capability to delete Account Records, it is your access level that determines exactly which Records you are able to delete.

Microsoft CRM includes four distinct access levels presented in order of increasing authority.

User (basic)

User Access is the most restrictive of all the access levels. With User Access rights, a User can perform actions on the following:

  • Records he owns
  • Records owned by another User but which have been shared with him
  • Records owned or shared by a Team of which he is a member

Business Unit (local)

Business Unit Access is a step above the basic User level. It includes all the User Access rights, but it also provides access to Records that are owned by or shared with other Users who belong to the same Business Unit. The term local really corresponds to one distinct Business Unit of which the User is a member.

For example, if Moe has local Opportunity read rights, he can review the Records for all prospects interested in signing up for the beta tester program at his company. If Moe had only User Access, he could see only those Records that he had created himself or Records that other Users had decided to share with him.

Parent: Child Business Units (deep)

A User with Parent: Child Access rights has Business Unit Access plus the ability to access objects or Records from any Business Unit that’s subordinate to the unit he is assigned to. If you think of an organizational chart for the divisions of your company, a deep view enables you to see your Business Unit and all those directly below it.

Organizational (global)

Organizational Access rights are the least restrictive of all the categories. With Organizational Access, you can perform actions on any Record within the system, regardless of the Business Unit you belong to and regardless of sharing issues.

Organizational Access rights should be reserved for a small group of system administrators who have the overall responsibility for the integrity of the database. At least two people in your company should have these rights (one for backup purposes), but probably not many more than that.

It should not be a foregone conclusion that the CEO or the director of IT should have complete Organizational Access. With the privilege also comes the responsibility and the possibility of unintentional damage done by the weekend warrior or by those who view themselves as technogeeks. Individuals’ job requirements and their knowledge of the system relate directly to their getting this level of access.

Defining roles

The concept of roles marries privileges and access rights. Microsoft CRM comes with eight predefined roles that are typical of a mid-sized organization. Making use of these predefined roles saves a lot of time that would otherwise be spent setting up specific access rights for each user. These roles are as follows:

  • CEO-business manager
  • VP of sales
  • Sales manager
  • Sales rep
  • CSR manager
  • CSR
  • Marketing professional
  • System administrator

Each of these eight roles has a complete set of predefined privileges and access rights. The prototypical sales manager is given a default set of privileges and access rights. To see the settings for each of the default roles, follow these steps:

1. From the Home Page, select Settings from the panel to the side of the main display.

The Settings display with its seven subcategories appears.

2. Select Business Unit Settings from the Settings window and then select Security Roles.

The Security Roles List View Grid (shown in Figure 1) appears, showing all existing roles.

List view of all existing security roles.
Figure 1: List view of all existing security roles.

3. View the sales manager’s role by clicking on his line in the List View Grid.

The Sales Manager’s Core Records tab, shown in Figure 2, appears with four other tabs along the top. The Details tab, which is the default, has very few details. The Core Records tab contains all the toggle switches to turn access rights on or off and is the central storehouse for role information.

The sales manager's rights regarding Core Records.
Figure 2: The sales manager’s rights regarding Core Records.

4. View the Core Records Tab and then click the rest of the tabs to see all the objects that can be accessed at various levels for the existing sales manager profile.

5. Click Save and Close from the blue Actions Bar to return to the List View Grid.

The easiest way to create a new role is by cloning an existing one. To do this, follow these steps:

1. From the Home Page, select Settings from the panel to the side of the main display.

The Settings display with its seven subcategories appears.

2. Select Business Unit Settings and then select Security Roles.

The Security Roles List View Grid appears.

3. Click the Copy Role button from the blue Actions Bar.

The Copy Role dialog box, shown in Figure 3, appears, asking which original role you want to copy and what new name you want to use.

Copying a new role from an existing one.
Figure 3: Copying a new role from an existing one.

4. Select the role you want to copy from the drop-down list in the Role to Copy field. In the blank New Role Name field, type a new and unique name for the new custom role.

5. Check the Open Role When Copying Is Complete box.

This immediately brings up the window for the new role with all the settings from the original role. If, by some chance, the Core Records window does not appear, select that tab to display all the role settings. Toggle any of the settings to change them for the new role you are creating. You can continue to toggle each setting to go through each of the five possibilities. Make sure to review each of the five tabs: Details, Core Records, Sales, Service, and Business Management.

6. Click Save and Close after you’ve completely tailored the new role.

A User can have more than one assigned role. Someone could have a role as a systems administrator and as a mailroom clerk. When a single User has multiple roles with different privileges and access rights, the role with the less restrictive privileges takes precedence. So, even when your systems administrator is functioning as a mailroom clerk, she will have the maximum levels of access rights.