Monday, April 9, 2012

CRM 2011: Utilizing Role Based Security to hide and show records

One of the interesting features of CRM 2011 is the expansion of the team concept in role based security.
In the past, ownership of a record was on a user or organization basis. However, a team can now own a record, which affects everything from adding roles to teams instead of users to adding multiple teams to a user.

After testing out various theories using role based security, I have found that for a standard end user, implementing and maintaining roles for each is cumbersome. By removing roles from the user and adding them to the team, maintainability is often easier.

A useful way of implementing teams is to control access to individual records in an entity. Each team can have certain access, such as read or write, and you can also hide individual records from users who shouldn't have access.


1. Create 2 entities.
2. Create 2 Business Units.
   a. These business units represent a client such as Apple and Microsoft.
   b. When creating a business unit, you must declare a parent. The parent in this case will be the master data. An example would be something like software.
3. Create 2 Teams.
   a. These teams are assigned to their respective Business Unit. This step is optional since creating a Business Unit above also creates a Team with the same name.
4. Update a standard role in CRM to only show business unit when reading.
   a. This is represented by the yellow half circle.
5. Remove the role from the user.
   a. If a role is set to the user, it will override roles implemented in the team.
6. Add the updated role to each team.
   a. This step and the previous one are gotchas.
7. Add three records to the team-owned parent entity.
   a. Three records were created: one owned by the master data team, one owned by Apple and one by Microsoft.
   b. Ideally, at this step we should only see 2 records: the master record and the record owned by whatever team(s) the user is a part of.
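Steps 5 to 7 can also be scripted against the CRM 2011 SDK. The sketch below is an added example, not code from the original post: the class and method names, the parameters and the way the ids are supplied are assumptions, and it also adds the user to the team, which the post does through the UI. It needs a connected IOrganizationService and references to the SDK assemblies.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Hypothetical helper class; names and parameters are illustrative.
public static class TeamOwnedRecordSetup
{
    // A role record belongs to one business unit, so look up the copy of the
    // role that lives in the team's own business unit before associating it.
    static Guid FindRoleInBusinessUnit(IOrganizationService svc, string roleName, Guid businessUnitId)
    {
        var query = new QueryExpression("role") { ColumnSet = new ColumnSet("roleid") };
        query.Criteria.AddCondition("name", ConditionOperator.Equal, roleName);
        query.Criteria.AddCondition("businessunitid", ConditionOperator.Equal, businessUnitId);
        var roles = svc.RetrieveMultiple(query).Entities;
        if (roles.Count != 1)
            throw new InvalidOperationException(
                "Expected exactly one role named '" + roleName + "' in the business unit.");
        return roles[0].Id;
    }

    public static void Configure(IOrganizationService svc, Guid userId, Guid userRoleId,
        Guid teamId, Guid teamBusinessUnitId, string roleName, string entityName, Guid recordId)
    {
        // Step 5: remove the role from the user.
        svc.Disassociate("systemuser", userId, new Relationship("systemuserroles_association"),
            new EntityReferenceCollection { new EntityReference("role", userRoleId) });

        // Step 6: add the updated role to the team.
        Guid teamRoleId = FindRoleInBusinessUnit(svc, roleName, teamBusinessUnitId);
        svc.Associate("team", teamId, new Relationship("teamroles_association"),
            new EntityReferenceCollection { new EntityReference("role", teamRoleId) });

        // Make the user a member of the team so the team's role applies to them.
        svc.Execute(new AddMembersTeamRequest { TeamId = teamId, MemberIds = new[] { userId } });

        // Step 7: make the team the owner of the record.
        svc.Execute(new AssignRequest
        {
            Assignee = new EntityReference("team", teamId),
            Target = new EntityReference(entityName, recordId)
        });
    }
}
```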

So say your three records consist of Photoshop, Final Cut Studio and Microsoft Office.
You would want Photoshop accessible by both since it runs on both Apple and MS software.
However, you wouldn't want to see Final Cut Studio as an MS employee, nor MS Office as an Apple employee.
By following the above example, you can add users to the teams associated with each record and they will only see the two specific records.
The reason they both see Photoshop is that it's owned by the master BU, of which both BUs are children.

If implemented correctly, this feature can be utilized in all facets of CRM, including xRM, dashboards, reporting, etc.

Also if you have a developer or system admin user and want to see all records, simply add the system administrator role to the user.

If a role is set to a user, it will override any team roles.

Happy Coding!
