Manage users and set up security

Understand security roles

Manage security settings

View your user profile

Add and manage users, and set security roles

Assign a security role to a user

Create or edit a team

Enable or disable security for a field

Set up security permissions for a field

Secure sensitive data by enabling encryption

Create a position

Enable or disable hierarchy security

Using field level security in a calculated field

Create or edit a business unit to control access to records

Understand security roles

Give members of your team different levels of access by setting up security roles in Microsoft Dynamics CRM. Each security role provides a set of privileges that define whether users can read, write, create, delete, or share records. You can set whether these privileges apply to a user, a business unit, a business unit hierarchy, or the entire organization. The following links tell you more about the different types of security in CRM and how to assign security roles to users.

TechNet: Security concepts for CRM right_arrow_blue

TechNet: Assign a security role to a user right_arrow_blue

Manage security settings

Microsoft Dynamics CRM 2015 makes it easier for you to set or update CRM security settings. This release introduces a new Security tile to the Settings navigation. This takes you to the new Security screen, where you can conveniently find your security-related admin settings all in one place.

Select the links in this table to learn more about each CRM security setting.

Security setting Related topics
Users Add and manage users, and set security roles
View your user profile
Security Roles Understand security roles
Assign a security role to a user
Assign security roles to form
Field Security Profiles Enable or disable security for a field
Set up security permissions for a field
Positions Create a position
Teams Create or edit a team
Business Units Create or edit a business unit to control access to records
Hierarchy Security Enable or disable hierarchy security
Access Team Templates Create a team template and add to an entity form

View your user profile

Your user profile displays useful information about you to your entire organisation; for example, your contact information, your organization, and your security role. Depending on your security role, you may be able to make changes to your user profile.

green_diamond_arrow

  1. Go to Options.
  • In the web app: In the upper-right corner of the screen, choose the Settings button options_button > Options.
  • In CRM for Outlook: Choose File > CRM > Options.
  1. Scroll down to the very bottom of the Set Personal Options dialog box, and then choose View your user information.

To check your security role, on the nav bar, choose the down arrow next to your name, and then choose Security Roles.

To view other profile information, such as Work Hours, Connections, and Services, on the nav bar, choose the down arrow  next to your name.

Add and manage users, and set security roles

How you manage users depends on which version of Microsoft Dynamics CRM you’re using:

Assign a security role to a user

You can use security roles to group sets of privileges together that describe the tasks that a user can do. Microsoft Dynamics CRM includes a set of predefined security roles, each of which is a set of privileges aggregated to make security management easier. These privileges define the ability to create, read, write, delete, and share records of a specific entity type. Each privilege also defines how broadly the privilege applies: at the user level, business unit level, the entire business unit hierarchy, or across the entire organization.

For information on assigning security roles, see TechNet: Assign a security role to a user.

See Also

TechNet: Overview of security for Microsoft Dynamics CRM

Create or edit a team

You can create two types of teams: Owner or Access. If you want to assign a record to the team, choose the team type “Owner.” If you want to share a record with the team, choose the team type “Access.”

For information about the two team types, see About team templates.

 

Create a team

green_diamond_arrow

  1. Make sure that you have the System Administrator, System Customizer, Sales Manager, Vice President of Sales, Vice President of Marketing, or CEO-Business Manager security role or equivalent permissions.
green_diamond_arrow Check your security role

a.   Follow the steps in View your user profile.

b.   Don’t have the correct permissions? Contact your system administrator.

  1. Go to Settings > Security.

(In Microsoft Dynamics CRM for Outlook, go to Settings > System > Security.)

  1. Click Teams.
  2. On the Actions toolbar, click the New button, complete the required fields, and then click Save.

If you don’t select the business unit to which the team will belong, by default, the root business unit is selected. The root business unit is the first business unit created for an organisation.

Edit a team

green_diamond_arrow

  1. Make sure that you have the System Administrator, System Customiser, Sales Manager, Vice President of Sales, Vice President of Marketing, or CEO-Business Manager security role or equivalent permissions.
green_diamond_arrow Check your security role

a.   Follow the steps in View your user profile.

b.   Don’t have the correct permissions? Contact your system administrator.

 

  1. Go to Settings > Security.

(In Dynamics CRM for Outlook, go to Settings > System > Security.)

  1. Click Teams.
  2. In the Teams dropdown list, select All Teams or another appropriate view.
  3. In the grid, select the team you want to edit.
  4. On the Actions toolbar, click Edit, change the desired fields, and then click Save.

See Also

Create a team template and add to an entity form

About team templates

Print leads, quotes, and other records

Assign security roles to form

Control form and field access by assigning different security roles to different forms you create.

More information:  TechNet: Security concepts for Microsoft Dynamics CRM

green_diamond_arrow

  1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics CRM.
green_diamond_arrow Check your security role

a.   Follow the steps in View your user profile..

b.   Don’t have the correct permissions? Contact your system administrator.

  1. Go to Settings > Customizations. (How do I get there?)
  1. Choose Customize the System.
  2. Enable security roles.

a.  Under Components, expand Entities, and then expand the entity you want.

b.  Choose Forms. In the list, choose a form to edit it if it has a form type of Main.

c.  On the Home tab, in the Form group, choose Enable Security Roles.

  1. Assign security roles.

a.  In the Assign Security Roles dialog box, select the security roles to which this form will be available.

b.  To make this the fallback form, select the Enabled for fallback check box.

At least one form per entity must be a fallback form (the form that is displayed to a user when no other form is available for that user’s security role).

c.  Choose OK.

  1. Preview the main form.

a.  On the Home tab, choose Preview, and then select Create Form, Update Form, or Read-Only Form.

b.  To close the Preview form, on the File menu, choose Close.

  1. When you’re ready to save your data, choose Save and Close.
  2. Publish your customization.
  • To publish just the edited component, choose Save > Publish on the Home tab.
  • To publish all unpublished components at one time, choose Publish All Customizations.

noteNote

Installing a solution or publishing customizations can interfere with normal system operation. We recommend that you schedule a solution import when it’s least disruptive to users.

Enable or disable security for a field

Field-level security lets you set which fields users can see or edit. For example, if want to prevent users from accidentally changing an account name, you can restrict them from editing that field. In Microsoft Dynamics CRM 2013, you could only set field-level security for custom fields, but in Microsoft Dynamics CRM 2015, you can also set field-level security for default fields. For more information about field-level security, see TechNet: Security concepts for Microsoft Dynamics CRM.

To set which users and teams have read or write access to fields, see Set up security permissions for a field.

noteNote

You can’t change the permissions on a field that you don’t have permission to access.

green_diamond_arrow

  1. Go to Settings > Customizations. (How do I get there?)
  2. Choose Customize the System.
  3. Under Components, expand Entities, expand the entity that has the field you want to secure, and then choose Fields.
  4. In the list of fields, double-click the field you want to secure.
  5. In the Field window, on the General tab, to the right of Field Security, specify whether to Enable or Disable security for the field.
  6. Choose Save or Save and Close.
  7. When your customizations are complete, publish them:
  • To publish customizations for only the entity that you are currently editing, in the navigation pane, choose the entity, and then choose Publish.
  • To publish customizations for all unpublished entities at one time, in the navigation pane, choose Entities, and then on the command toolbar, choose Publish All Customizations.

See Also

TechNet: Security concepts for Microsoft Dynamics CRM

Set up security permissions for a field

Set up security permissions for a field

You can restrict access to a field by creating a field security profile. After you create the profile, you assign users and or teams to that profile, and set up specific read, create, or write permissions for the field.

More information: TechNet: Security concepts for Microsoft Dynamics CRM

green_diamond_arrow

  1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics CRM.
green_diamond_arrow Check your security role

a.   Follow the steps in View your user profile.

b.   Don’t have the correct permissions? Contact your system administrator.

  1. Go to Settings > Security. (How do I get there?)
  2. Choose Field Security Profiles, and then on the command bar, choose New.
  3. Enter a name and a description (optional) and choose Save.
  4. Under Common, choose Field Permissions.
  5. Select a field, and then choose Edit.
  6. Select the permissions that you want to assign to users or teams, and then choose OK.
  7. To add users or teams:

a.  Under Members, choose Teams or Users.

b.  On the command bar, choose Add.

c.  In the Look Up Records dialog box, select a team or user from the list (or search for a team or user), and then choose Select.

d.  Repeat the preceding steps to add multiple teams or users, and then choose Add.

See Also

Enable or disable security for a field

Secure sensitive data by enabling encryption

To provide an additional layer of security, you can encrypt the data in some fields that contain sensitive data, including user names and passwords. When you enable encryption, even database administrators can’t see the password data.

Microsoft Dynamics CRM users who have the System Administrator security role can enable data encryption or change the encryption key after enabling data encryption. More information: TechNet: Data encryption

green_diamond_arrow Check your security role

a.   Follow the steps in View your user profile.

b.   Don’t have the correct permissions? Contact your system administrator.

Once you enable data encryption, you can’t turn it off.exclamation Important

See Also

TechNet: Data encryption

Create a position

Reduce the complexity of managing security roles by creating a position hierarchy. Then define jobs or positions in your company and assign them to different places in your position hierarchy. Higher level positions in the hierarchy have Read, Write, Update, Append, and AppendTo access to their direct reports’ records. They also have Read-only access to the records of non-direct reports in their hierarchy. Learn more about hierarchies and positions on TechNet.

TechNet: Manager hierarchy and position hierarchy security models right_arrow_blue

Enable or disable hierarchy security

Reduce the time you spend maintaining security roles for users by using hierarchy security. With hierarchy security, you can give upper-level users, such as managers or vice presidents, certain levels of access to their direct reports’ records and lesser levels of access to their non-direct reports’ records. Find out more about hierarchy security and how to set it up on TechNet.

TechNet: Hierarchy security right_arrow_blue

 

Using field level security in a calculated field

To create a calculated field you must have the Write privilege on the Field Security Profile entity. If the calculated field uses secured fields in a calculation, you should consider securing the calculated field to prevent users from attempting to access data they don’t have permissions for. If you create a calculated field that uses secured fields in a calculation, the calculated field editor gives you a warning and suggests that you secure the field. More information:

exclamationImportant

For Microsoft Dynamics CRM Online organisations, this feature is only available if you’ve installed the CRM Online 2015 Update.

For on-premises CRM organisations, this feature is only available if you’ve updated to CRM 2015.
Interested in getting this feature?  Find your CRM administrator or support person.

 

See Also

TechNet: Securing fields

TechNet: Creating calculated fields

Create or edit a business unit to control access to records

A business unit is a logical grouping of related business activities. Use business units together with security roles to control data access so people see just the information they need to do their jobs.

Keep the following in mind when creating business units:

  • The organisation (also known as the root business unit) is the top level of a Microsoft Dynamics CRM business unit hierarchy. CRM automatically creates the organisation when you install or provision CRM. You can’t change or delete the organisation name.
  • Each business unit can have just one parent business unit.
  • Each business unit can have multiple child business units.
  • You must assign every user to one (and only one) business unit.
  • You can assign a team to just one business unit, but a team can consist of users from one or many business units. Consider using a team if you have a situation where users from different business units need to work together on a shared set of records.
Create a new business unit

green_diamond_arrow

  1. Make sure you have the System Administrator or System Customizer role.
green_diamond_arrow Check your security role

a.   Follow the steps in View your user profile.

b.   Don’t have the correct permissions? Contact your system administrator.

  1. Go to Settings > Security. (How do I get there?)
  2. Choose Business Units.
  3. On the Actions bar, choose New.
  4. In the Business Unit dialog box, type a name for the new business unit. CRM automatically fills in the Parent Business field with the name of the root business unit.

business_unit

If you want to change the parent business unit, choose the Lookup button lookup_button, choose Look Up More Records, and then do one of the following:

  • Select an existing business unit from the list, and then choose Add.
  • To create a new parent business unit:

i.  Choose New, and then add the information for the new parent business unit in the Business Unit dialog box.

ii.  When you’re done adding information, choose Save and Close in the Business Unit dialog box.

iii.  In the Look Up Record dialog box, choose Add.

  1. In the Business Unit dialog box, fill in any of the other optional fields, such as the division, contact information, website, bill to address, or ship to address.
  2. Choose Save or Save and Close.

Change the settings for a business unit

green_diamond_arrow

  1. Make sure you have the System Administrator or System Customizer role.
green_diamond_arrow Check your security role

a.   Follow the steps in View your user profile.

b.   Don’t have the correct permissions? Contact your system administrator.

  1. Go to Settings > Security. (How do I get there?)
  2. Choose Business Units.
  3. Choose a business unit name to open the Business Unit dialog box.
  4. In the Business Unit dialog box, do one or more of the following:
  • Modify the data in one or more fields.

noteNote

You can’t change the name of a business unit or delete a business unit after it has been created. You can disable a business unit or change the parent, however. When you disable a business unit, all users and teams associated with the business unit are also disabled.

  • Choose Actions on the Actions bar, and then select a command. For example, to change the parent business unit, choose Actions, and then choose Change Parent Business.

noteNote

When you change the parent business unit, CRM removes security roles for users and teams associated with the business unit. You must reassign them.

  • Under Organization, choose a record type to see a list of related records. For example, choose Users to view a list of users in the selected business unit or to add users to the business unit.

6.  When you’re done making changes, choose Save or Save and Close.

See Also

TechNet: Security concepts in Microsoft Dynamics CRM

TechNet: Manage users

TechNet: Manage teams

Enable or disable security for a field

Print leads, quotes, and other records