Reference -
http://community.dynamics.com/crm/f/117/t/178482
Hello,
I am using CRM OL 2015.
I am trying to achieve the requirement below:
1. Only one BU: Root BU
2. There are 3 users: User A (Admin Role), User B (Sales Executive), User C (Marketing Professional)
3. Teams: Default Root BU Team, Sales Team, Marketing Team
4. The Default Root BU Team has all the users added as members by default.
Now, User B and User C must not see each other's Leads.
So, I have given Basic (User level) access right to the Lead entity in both the Security Roles.
However, they are seeing all the records.
I have assigned a very basic Security Role to the Default Root BU Team.
I know that Basic level means records are accessible by the Owner of the record and all the members of the Team to which the Owner belongs.
How can I restrict this? I do not want to create different BUs to do this due to cost limitations.
1. User B can see only Sales Leads.
2. User C can see only Marketing Leads
3. User A can see all leads.
Please suggest.
Thank you,
Hi Mittal,
Please create two Security Roles:
1. Admin Role
2. Basic Role
In the Basic Role, on the Lead entity give Create, Read, Write, Delete and Assign at User level, and Append and Append To at BU level.
In the Admin Role, on the Lead entity give Create, Read, Write, Delete and Assign at BU level, and Append and Append To at BU level.
Now give User B & C the Basic Role and User A the Admin Role. Then check the record accessibility for User B & C.
Hope this helps!! I would appreciate it if you could mark my answer as verified. Thanks
Regards,
Kamran
Thank you for your response on this.
I have tried the way you suggested, but User B & C can still see each other's leads, as all the users are added as default members of the default Team.
How can we restrict this ?
Please suggest.
Thank you
Thank you for your response.
The reason for not creating different BUs is:
1. There can be users who share roles of different departments, and for a single user we would need to purchase multiple licenses.
So, I am looking for this solution of having different teams, where one user can be a member of different departments when needed.
Yes, you are right, I have assigned a role to the default team, but there I have set the minimum (Basic) access right for the Lead record Read permission. As per my knowledge, a Basic right gives read permission to the Owner of the record and all the team members of his owning team. Hence it is doing that. Do I need to remove all the roles from this Default Team?
Scott Durow (MVP) responded on 14 Oct 2015 12:51 PM
Yes - you will need to remove the roles from the default team.
There is no licensing implication of having multiple business units - you can have as many BUs as you like for a single user license.
If two users are members of the same team, and a record is owned by one of those users, the other user does *not* get any rights to that record just because they are in the same team.
If two users are in a team, and the *team* owns the record, then both users will be able to access the record and do whatever actions the team's security roles allow.
If a user is in a team, and the team has a security role, then the user can use the privileges granted to the team, but based on the team, not the user.
In a single BU scenario, you can simplify this and treat this as pure inheritance - the user gets whatever privileges the team had in addition to their own, with one exception. Any privilege set at "user" level in a team role means the user can do things to records owned by the team, not to records the user owns (they might be able to do this via other roles they have).
It sounds like you simply need to apply security roles to the users, remove the roles from the teams and everything should be fine. Also, you don't need a Sales or Marketing team for the security you describe (but you might have other reasons to use these such as reporting, or sharing).
My article on this might help you to understand in more depth:
Security Roles and Teams in CRM - An Inconvenient Half-Truth:
https://blog.crmguru.co.uk/2013/06/25/security-roles-and-teams-in-crm-2011-an-inconvenient-half-truth/
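An added example, not part of the original thread and not Dynamics CRM code: a simplified single-BU model of the Lead Read rules as stated in the reply above, which reports every lead a user can read without owning it and the role that grants it. The depth constants, class, function names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model of the rules in the reply; nothing here is a CRM API.
USER, BU = 1, 2  # access depths discussed on the page: Basic (User) and Business Unit

@dataclass
class Principal:
    name: str
    lead_read: int = 0                      # deepest Lead Read depth from directly assigned roles
    teams: list = field(default_factory=list)

def read_grants(user, lead_owner, team_read):
    """Return the reasons `user` can read a lead owned by `lead_owner` (single BU)."""
    reasons = []
    if user.lead_read >= BU:
        reasons.append("own role: BU-level Read")
    elif user.lead_read == USER and lead_owner == user.name:
        reasons.append("own role: User-level Read on own record")
    for team in user.teams:
        depth = team_read.get(team, 0)      # Lead Read depth of the role assigned to the team
        if depth >= BU:
            reasons.append(f"team role on '{team}': BU-level Read")
        elif depth == USER and lead_owner == team:
            reasons.append(f"team role on '{team}': User-level Read on team-owned record")
    return reasons

def exposure(users, leads, team_read):
    """Map (user, lead) -> reasons, for every lead the user can read but does not own."""
    out = {}
    for u in users:
        for lead, owner in leads.items():
            why = read_grants(u, owner, team_read)
            if why and owner != u.name:
                out[(u.name, lead)] = why
    return out

# Constructed sample data mirroring the thread's setup.
DEFAULT = "Default Root BU Team"
USERS = [Principal("User A", BU, [DEFAULT]),
         Principal("User B", USER, [DEFAULT, "Sales Team"]),
         Principal("User C", USER, [DEFAULT, "Marketing Team"])]
LEADS = {"Sales lead": "User B", "Marketing lead": "User C", "Shared lead": DEFAULT}

if __name__ == "__main__":
    for team_read in ({DEFAULT: USER}, {DEFAULT: BU}, {}):
        print(team_read or "no team roles")
        for key, why in exposure(USERS, LEADS, team_read).items():
            print("  ", key, "<-", "; ".join(why))
```

Running it prints three scenarios: a User-level team role exposes only team-owned leads, a BU-level team role exposes every lead to every member, and with no team roles only User A sees leads owned by others.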