Restricting Access for Integrations to Microsoft Dynamics CRM 2011 Using Security Roles

In my previous blog I wrote about restricting access to Microsoft Dynamics CRM Online using the Non-Interactive User Access Mode. This mode restricts users from connecting to and interacting with Microsoft Dynamics using either the Microsoft Dynamics CRM Web Client or the Microsoft Dynamics CRM for Outlook Client.

  

In certain integrations, in addition to using a dedicated Non-Interactive Microsoft Dynamics CRM Online User Account, it is best practice to use a dedicated Microsoft Dynamics CRM Security Role with the least number and the minimum level of privileges required to perform the tasks requested by the integration. This may or may not include the ability to create, read, update, append/append to, assign, share, activate/deactivate and/or delete records of specific types. 

In this blog I will provide a list of the minimum privileges required by a Non-Interactive Microsoft Dynamics CRM Online User to: 

(a)    connect to Microsoft Dynamics CRM.

(b)   create, read, update and assign Accounts and Contacts in Microsoft Dynamics CRM.

(c)    read Accounts and Contacts in Microsoft Dynamics CRM. 

Note: Additional privileges and higher access levels may be required for completing the initial configuration of an integration between Microsoft Dynamics CRM and another system. However, a fewer number of privileges and lower access levels may then be used after the initial configuration for running the integration. 

The minimum privileges required to successfully test a connection to Microsoft Dynamics CRM Online as a Non-Interactive User are: Organisation: Read and User: Read. In addition User Settings: Read may sometimes be required. Refer to the following screenshot: 

 

When creating a new Security Role in Microsoft Dynamics CRM the following Plug-In and SDK Message related privileges are selected by default. These should be retained. Refer to the following screenshot:

  

Note: If there are any asynchronous Plugins triggered by actions performed on records then the System Job: Create and Read privileges will be required. Refer to the following screenshot:

  

If the Created On dates on which records are being created need to be overridden then the Override Created on or Created by for Records during Data Import privilege will be required. Refer to following screenshot:

  

The minimum privileges required for the creation of Accounts and Contacts that may: 

(a)    need to be related to each other such as an Account being associated with a Primary Contact and a Contact being associated with a Parent Account. 

(b)   need to be assigned to specified Users or Teams 

are…

• Account: Create, Read, Write, Append, Append To and Assign; and Contact: Create, Read, Write, Append, Append To and Assign. Refer to the following screenshot:

  

• Business Unit: Read and Currency: Read. Refer to the following screenshot:

  

• Team: Read and User: Read. Refer to the following screenshot:

  

Some other privileges to consider are: 

• Accounts and Contacts are sometimes associated with an Originating Lead. It may therefore be necessary to ensure that the Security Role provides the required Read and Append To privileges for Leads. Create and Write privileges for Leads may also be required on some cases, depending on the nature of the integration.

• Accounts and Contacts are usually associated with a Price List. It may therefore be necessary to ensure that the Security Role provides the required Read and Append To privileges for Price Lists.

• Accounts and Contacts may be associated with a preferred Service, Facility/Equipment and/or User. It may therefore be necessary to ensure that the Security Role provides the required Read and Append To privileges for Services, Facilities/Equipment and Users. 

For one-way integrations from Microsoft Dynamics CRM to another system only the Read privilege is required, in which case the minimum security required is as follows: 

• Account: Read; and Contact: Read. 

 

• Business Unit: Read; Currency: Read; Organisation: Read; Team: Read; User: Read; and User Settings: Read. 

 

• Field: Read.

 

In conclusion, the best practices for minimizing the access a Microsoft Dynamics CRM User account used for integration between Microsoft Dynamics CRM and another system include the following: 

• Use a dedicated Microsoft Dynamics CRM User Account. 

• In Microsoft Dynamics CRM Online, configure the User Account as a Non-Interactive User Account. 

• Assign a Security Role to the User Account that provides the least number and lowest level of privileges required for the integration to perform its necessary tasks. The privileges will differ based on which entities are involved in the integration and whether or not the integration is only required to read records or is required to perform other tasks such as the creating, updating and/or assigning of records in Microsoft Dynamics CRM.