Dynamics CRM controls access to its resources by using Active Directory for authentication. This is accomplished by creating several Active Directory security groups and then managing the membership of those groups as users are added to or removed from the Dynamics CRM system.
Security Groups
Here is a list of the security groups, their function, and notes about their usage:
PrivReportingGroup
This is the privileged Dynamics CRM user group for reporting functions. This group is created during Dynamics CRM server setup and configured during Dynamics CRM Reporting Extensions setup.
The server where Dynamics CRM Reporting Extensions is installed will automatically be made a member of this group.
PrivUserGroup
This is the privileged Dynamics CRM user group for special administrative functions, including the CRMAppPool identity (which is either a domain user account or the NetworkService account).
Users who provide administration for a Dynamics CRM Server 2011 system must be added to this group. You must also add the following computers to this group, or verify that they are already members:
* The server where Microsoft Dynamics CRM Server 2011 is installed.
* If you are using the E-mail Router, the server where Microsoft Exchange Server is installed.
The person who installed Dynamics CRM will automatically be a member of this group.
ReportingGroup
All Dynamics CRM users are included in this group, which is automatically updated as users are added to and removed from Dynamics CRM. By default, all Dynamics CRM Reporting Services reports grant Browse permission to this group.
SQLAccessGroup
All server processes and service accounts that require access to SQL Server, including the CRMAppPool identity (domain user or NetworkService). Members of this group have db_owner permission on the Dynamics CRM databases.
The server where Dynamics CRM is installed will also need to be a member of this group. It should have been added automatically when the software was installed.
Security Group Naming
Each security group name will have a globally unique identifier (GUID) appended to the name. This is a unique identifier which identifies the deployment. Each of the security groups within a deployment will share the same identifier.
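The group list and naming scheme above can be audited from PowerShell. The following is an added example, not part of the original post: it assumes the ActiveDirectory module is available, that $SearchBase (a placeholder DN) is set to the OU the groups were created in, and that each group name is the prefix followed by the GUID, optionally separated by a space or wrapped in braces.

```powershell
# Added example: audit the Dynamics CRM security groups found under one OU.
Import-Module ActiveDirectory

# Placeholder DN (assumption, not from the article): set to your CRM OU.
$SearchBase = 'OU=CRM,DC=example,DC=com'
$Expected   = 'PrivReportingGroup', 'PrivUserGroup', 'ReportingGroup', 'SQLAccessGroup'

# Assumption: name = "<prefix><optional separator><GUID>", GUID optionally in braces.
$Pattern = '^(?<prefix>PrivReportingGroup|PrivUserGroup|ReportingGroup|SQLAccessGroup)\W*' +
           '(?<guid>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})\W*$'

# Keep only groups whose names follow the CRM scheme, tagged with their deployment GUID.
$groups = Get-ADGroup -Filter * -SearchBase $SearchBase | ForEach-Object {
    if ($_.Name -match $Pattern) {
        [pscustomobject]@{
            Prefix     = $Matches['prefix']
            Deployment = $Matches['guid'].ToLower()
            Group      = $_
        }
    }
}

foreach ($deployment in $groups | Group-Object Deployment) {
    Write-Host "Deployment $($deployment.Name)"

    # All four groups of a deployment should share the same identifier.
    $missing = $Expected | Where-Object { $_ -notin $deployment.Group.Prefix }
    if ($missing) { Write-Warning "Missing group(s): $($missing -join ', ')" }

    # Review the privileged groups and SQLAccessGroup (db_owner) by hand.
    # ReportingGroup is skipped: CRM maintains it and it holds every CRM user.
    $deployment.Group |
        Where-Object { $_.Prefix -ne 'ReportingGroup' } |
        ForEach-Object {
            $prefix = $_.Prefix
            Get-ADGroupMember -Identity $_.Group | Select-Object `
                @{ n = 'Group';  e = { $prefix } },
                @{ n = 'Member'; e = { $_.SamAccountName } },
                @{ n = 'Type';   e = { $_.objectClass } }
        } | Sort-Object Group, Type, Member | Format-Table -AutoSize
}
```

In the output, computer accounts (Type "computer") should correspond to the CRM, Reporting Extensions and Exchange servers named above; any other member of PrivUserGroup or SQLAccessGroup is worth confirming against the list of CRM administrators and service accounts.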
During the installation of the Microsoft Dynamics CRM software, the person installing it is asked to select an Organizational Unit into which these groups will be created. This can be anywhere, though it is a general best practice to create a CRM-specific OU so that the security groups are contained in a single location as shown in the following figure: