CRM Security Role Best Practices
One of the core principles of Dynamics CRM security roles is that permissions are additive and the least restrictive setting wins. Today, while helping a client, I observed a situation where this seems to be misunderstood. In the User record below you can see that this CRM user has 14 security roles assigned.
A user's rights are the union of all the roles to which he or she has been assigned: for each privilege, the least restrictive access level found in any of the user's roles is the one that applies. There is no reason to pile on roles that overlap other roles, and especially not when one of them is System Administrator. The System Administrator role has full privileges on all records and functions, and it is automatically granted full rights to any new custom entity.
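The following Python model is added here as an illustration; it is not Microsoft's code and not part of the original post. It shows how effective access is computed when roles are combined: for each privilege the highest (least restrictive) depth in any assigned role wins, so adding a role can only ever widen access. The access depths (None, User, Business Unit, Parent: Child Business Units, Organization) are the ones Dynamics CRM uses; the role contents, entity names and user assignments are constructed samples rather than the real built-in role definitions, and `redundant_roles` and `audit_user` are hypothetical helpers that flag assignments like the 14-role user above, where the extra roles add nothing.

```python
"""Model of Dynamics CRM role combination (added example, not Microsoft's code).

Roles are additive: a user's effective depth for a privilege is the maximum
depth granted by any assigned role. Role contents below are constructed.
"""
from enum import IntEnum


class AccessLevel(IntEnum):
    """Access depth of a privilege, least to most permissive (CRM's own levels)."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3      # "Parent: Child Business Units"
    ORGANIZATION = 4


# Entities and privileges in scope for this constructed sample tenant.
ENTITIES = ["account", "contact", "new_project"]   # new_project = custom entity
PRIVILEGES = ["Create", "Read", "Write", "Delete"]
ALL_KEYS = [(e, p) for e in ENTITIES for p in PRIVILEGES]

SYSTEM_ADMINISTRATOR = "System Administrator"

# Constructed sample roles: (entity, privilege) -> depth. Anything not listed
# is AccessLevel.NONE. System Administrator holds Organization depth on every
# privilege, including those of the custom entity, as the post describes.
SAMPLE_ROLES = {
    "Salesperson": {
        ("account", "Read"): AccessLevel.BUSINESS_UNIT,
        ("account", "Write"): AccessLevel.USER,
        ("account", "Create"): AccessLevel.USER,
        ("contact", "Read"): AccessLevel.BUSINESS_UNIT,
        ("contact", "Write"): AccessLevel.USER,
    },
    "Sales Manager": {
        ("account", "Read"): AccessLevel.ORGANIZATION,
        ("account", "Write"): AccessLevel.BUSINESS_UNIT,
        ("account", "Create"): AccessLevel.BUSINESS_UNIT,
        ("account", "Delete"): AccessLevel.BUSINESS_UNIT,
        ("contact", "Read"): AccessLevel.ORGANIZATION,
        ("contact", "Write"): AccessLevel.BUSINESS_UNIT,
    },
    "Project Editor": {   # hypothetical role scoped to one custom entity
        ("new_project", "Read"): AccessLevel.BUSINESS_UNIT,
        ("new_project", "Write"): AccessLevel.BUSINESS_UNIT,
        ("new_project", "Create"): AccessLevel.USER,
    },
    SYSTEM_ADMINISTRATOR: {key: AccessLevel.ORGANIZATION for key in ALL_KEYS},
}


def effective_access(role_names, roles=SAMPLE_ROLES):
    """Union of roles: for every privilege the highest depth in any role wins."""
    effective = {key: AccessLevel.NONE for key in ALL_KEYS}
    for name in role_names:
        for key, level in roles[name].items():
            effective[key] = max(effective[key], level)
    return effective


def redundant_roles(role_names, roles=SAMPLE_ROLES):
    """Roles that grant nothing beyond what the user's other roles already grant.

    Each returned name can be removed on its own without reducing access;
    re-run after each removal rather than dropping all of them at once.
    """
    names = list(role_names)
    redundant = []
    for name in names:
        others = effective_access([n for n in names if n != name], roles)
        if all(others[key] >= level for key, level in roles[name].items()):
            redundant.append(name)
    return redundant


def audit_user(user, role_names, roles=SAMPLE_ROLES):
    """Findings a reviewer would raise for one user's role assignments."""
    findings = []
    if SYSTEM_ADMINISTRATOR in role_names:
        if len(role_names) > 1:
            findings.append(f"{user}: holds {SYSTEM_ADMINISTRATOR}; the other "
                            f"{len(role_names) - 1} role(s) add no access")
        return findings
    for name in redundant_roles(role_names, roles):
        findings.append(f"{user}: role '{name}' is fully covered by other roles")
    return findings


if __name__ == "__main__":
    # Constructed user assignments for demonstration.
    assignments = {
        "alice": ["Salesperson", "Sales Manager"],
        "bob": ["Sales Manager", "Project Editor"],
        "carol": [SYSTEM_ADMINISTRATOR, "Salesperson", "Project Editor"],
    }
    for user, role_list in assignments.items():
        for finding in audit_user(user, role_list):
            print(finding)
```

Running the module prints one finding for alice (Salesperson adds nothing on top of Sales Manager) and one for carol (two roles stacked under System Administrator), and nothing for bob, whose two roles cover different entities.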
The following are best-practice guidelines for using the Microsoft Dynamics CRM security model:
- Create roles according to the security best practice of least privilege, providing access to the minimum amount of business data required for the task. Assign users the appropriate role for their job.
- Diligently limit the number of people assigned the System Administrator role. Never remove the role itself from the system.
- Never assign the built-in CEO role to the CEO unless the CEO is you. It has far-reaching privileges (i.e. it can delete any record).
- If a user needs additional access levels or rights, create a new role with those specific privileges and add the user to it. When creating new roles, it is best to copy one of the built-in roles and modify the copy to meet the specific needs of that profile.
- Use sharing, when appropriate, to give specific users specific rights on individual objects, rather than broader privileges on all objects of a given type.
- Use teams to create cross-functional groups, so that specific objects can be shared with the team.
- Train users who have sharing access rights to share the minimum information needed.
- To manage rights to custom entities, create roles that contain only the specific privileges required for the custom entity's function, and assign that role to the users who require those rights.