Hey everyone,

I recently wrote a post about security complexity and the time it takes to implement properly. Today I want to expand on that, specifically around security roles themselves, because they're huge; to anyone just starting their CRM journey, they are very complex.

Understanding Security Roles

When you look at a fresh organization, it already comes with a variety of security roles. These roles typically map to different job titles and are split by functional group: think sales, service, and so on. This is where people often start modifying to their hearts' content without thinking about the impact. The first thing to understand is that we have the power to copy the out-of-the-box security roles.

The reason I talk about copying roles is that once you've changed the out-of-the-box roles to fit your own needs, the originals are gone forever. It's handy to have something to go back and look at over your CRM journey. The second thing to think about is that security roles exist at the business unit level. In the picture above you can see there is a drop-down for business units. You're able to select which business unit's security roles you want to work on. This means that if we are three business units deep from the organizational level, this "Account Manager" role will exist as three separate instances, one in each of those business units. We can change each one independently of the other business units' roles. Ultimately, having separate security roles at each business unit gives a high level of customization out of the box, but it brings complexity, including when troubleshooting security issues.

Let's actually open a security role and look inside of it.

There is a ton going on, all in the name of flexibility and visibility. Every entity has a wide variety of possible settings. You're able to control: Create, Read, Write, Delete, Append, Append To, Assign, and Share. You're able to set one of 5 different access levels for each of those 7 controls: None Selected, User, Business Unit, Parent: Child Business Units, Organization. Then, on top of the per-entity settings, we have things like Miscellaneous Privileges, which allow the security role to perform other actions within CRM.

Take all of this in along with the fact that if multiple security roles are assigned to a user, they combine, and the highest level of access granted by any of the roles applies. All in all, it can be very messy.
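To make the "roles combine to the highest level" behaviour concrete, here is an added example (not from the original post, and not CRM's own code) that merges roles and reports which role is responsible for each privilege that exceeds a baseline role. The role names and privilege assignments are constructed sample data; the access level names and their order are the ones listed above.

```python
# Access levels in the order the post lists them, least to most permissive.
LEVELS = ["None Selected", "User", "Business Unit",
          "Parent: Child Business Units", "Organization"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample roles (hypothetical data): entity -> privilege -> level.
ROLES = {
    "Account Manager (copy)": {
        "Account": {"Read": "Business Unit", "Write": "User",
                    "Delete": "None Selected"},
        "Contact": {"Read": "User"},
    },
    "Service Helper": {
        "Account": {"Read": "User", "Delete": "Organization"},
        "Case": {"Read": "Parent: Child Business Units", "Assign": "User"},
    },
}

def effective_access(assigned, roles=ROLES):
    """Per entity and privilege, keep the highest level and the role granting it."""
    merged = {}
    for role_name in assigned:
        for entity, privileges in roles[role_name].items():
            for privilege, level in privileges.items():
                if level not in RANK:
                    raise ValueError(f"unknown access level: {level!r}")
                current = merged.get((entity, privilege))
                if current is None or RANK[level] > RANK[current[0]]:
                    merged[(entity, privilege)] = (level, role_name)
    return merged

def escalations(assigned, baseline, roles=ROLES):
    """Privileges where the combined roles exceed what the baseline role grants."""
    base = effective_access([baseline], roles)
    out = {}
    for key, (level, source) in effective_access(assigned, roles).items():
        base_level = base.get(key, ("None Selected", None))[0]
        if RANK[level] > RANK[base_level]:
            out[key] = (base_level, level, source)
    return out

if __name__ == "__main__":
    both = ["Account Manager (copy)", "Service Helper"]
    for (entity, priv), (was, now, src) in sorted(
            escalations(both, "Account Manager (copy)").items()):
        print(f"{entity}.{priv}: {was} -> {now} (granted by {src})")
```

In this sample, a second role that looks narrow quietly grants organization-wide Delete on Account, which is exactly the kind of surprise that makes multi-role users hard to troubleshoot.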

Closing Thoughts

Overall, I applaud the level of customization we have for security roles, and honestly it's been this good since CRM 4.0, but as someone newer to Dynamics CRM 365 it's definitely overwhelming. I'd recommend taking a look at XrmToolBox, as there is a plugin, made by Jonathan Daugaard, that allows you to view a user's security roles as a report.

Here are my big three thoughts around best practices for using security roles:

  1. Copy a security role similar to the one you need for your users. Don't create one from scratch unless you're shipping it as a product or an external solution. Think ISV.
  2. Customize your copied security role to allow users access to only what they need access to.
  3. Limit the number of security roles assigned to a single user; if you're going to use multiple, think about using a team instead.