Microsoft recently announced new features coming out with their next version of Microsoft Dynamics CRM 2015 (previously code named Vega).  Check out the Dynamics CRM 2015 Release Preview Guide to see what features are coming with 2015. 

Next up for our review are the changes being made to the security model.  Note that the functionality below are simply additions to the security model.  The previous security of business units, access teams, ownership teams, security roles, etc. will remain in place.

Field Level Security Improvements:

First off we’ll briefly discuss some changes being made for Field Level Security (FLS).  FLS will now be available to work off of System Fields.  Previously this only was available for Custom Fields

FLS also has extended for additional attribute types such as address fields (out of the box only) and email address fields (custom or out of the box fields).

Now lets review the the new major change to security that’s coming in CRM 2015, the Hierarchical Security Modeling.

Hierarchical Security Modeling

With CRM 2015, Microsoft introduces a new version of security they label Hierarchical Security Modeling.  With this security modeling, granular record level access can be granted for an organization without having to create and manage business units.

With the introduction of hierarchical security modeling, Microsoft has moved the Security functionality to its own area of CRM.  You can now get to everything security related by going to Settings –> Security (previously this was in the Administration section).

image

You’ll notice a new Hierarchy Security link on this page as well as a Positions link.  If you click on it you’ll notice the following options:

  • Enable Hierarchy Modeling:  Let’s you turn this on or off globally in your organization
  • Select Hierarchy Modeling:  You can set this to either Manager or Position (more on these options below)
  • Hierarchy Depth:  This indicates how many levels up the hierarchy chain does the read permissions get granted to.  More on this below especially regarding performance.
  • Selected Entities:  This is where you’d select entities that you want the hierarchy security modeling to apply to.

image

Manager Hierarchy uses the existing Manager field on the System User record.  However, with this hierarchical model, you’re required to be in the same Business Unit hierarchy for it to apply successfully.  This is why the Position Hierarchy Model was built which we’ll describe below.  A good Use Case for the manager model is if a manager needs to take actions upon records their reports have access (for example the report goes on vacation)

Position Hierarchy on the other hand allows you to go across business units.  CRM Administrators can and add users to any given position to be included in that position.  A good Use Case for the position model is organizations that have a “Sales Team” and “Sales Management” team that span across business units yet these positions should have access to subordinate records.

As stated earlier, Position Hierarchy can be configured where an Administrator can define Positions, define the Parent Positions, and also add users to Positions so that the Position Hierarchy security method is executed to your specific business needs.

image

It is strongly recommended that Hierarchical Security be used with the other security tools (e.g., security roles, teams, business units, etc.).  The Hierarchical Security model does grant additional permissions based on users, managers, and positions:

  • Read Access:  Propagates up the chain to a specific configurable level (as shown above in the Settings screenshot
  • Write, Update, Append, Append To: This is granted just to the direct parent of the user/positions

There are also some performance considerations to keep in mind when enabling hierarchy security:

  • Use with other security methods (e.g., security roles, business units, teams, etc.) for more complex scenarios
  • Target 4 levels of hierarchy (1 manager with 3 reports, and 100-200 potential users underneath)
  • Performance is tied to the # of users (not the depth) in the parent’s chain:
    • 1 manager with 4 reports and 1 level in the chain, is the same as
    • 1 manager with 1 report and 5 levels in the chain

With all the security methods provided out of the box by Dynamics CRM now with 2015, I can see some organizations with very complex security requirements being easily achievable using native security methods.