web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / Updating security role...
Microsoft Dynamics CRM (Archived)

Updating security roles using a solution.

(0) ShareShare
ReportReport
Posted on by James F.

 I'm able to make changes to security roles in the root business unit using a solution, but I haven't been able to find a way to change those in below the root business unit. Is there any way to update security roles in business units other than the root using a solution?

Thanks

James F.

*This post is locked for comments

I have the same question (0)
  • Suggested answer
    Bruno Lucas Profile Picture
    Bruno Lucas 5,421 on at

    Hi James,

    "You can create roles within Microsoft Dynamics CRM and modify or remove these custom roles to fit your business needs. The roles you create for your business unit are inherited by all the business units in the hierarchy."

    msdn.microsoft.com/.../gg334717.aspx

    If you want to control access on the unit level, you need to create a specific role for that unit. you can add the name of the unit to the role so you know that role control access for a specific unit.

    The unit will have teams and the teams and users will have the roles. If the team on a unit does not have that role, the changes on the role won't affect those users. But they will need some role to access data

    Access level global Global. This access level gives a user access to all records within the organization, regardless of the business unit hierarchical level to which the instance or the user belongs. Users who have Global access automatically have Deep, Local, and Basic access, also.

    Because this access level gives access to information throughout the organization, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the organization.

    The application refers to this access level as Organization.

    Access level deep Deep. This access level gives a user access to records in the user's business unit and all business units subordinate to the user's business unit.

    Users who have Deep access automatically have Local and Basic access, also.

    Because this access level gives access to information throughout the business unit and subordinate business units, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business units.

    The application refers to this access level as Parent: Child Business Units.

    Access level local Local. This access level gives a user access to records in the user's business unit.

    Users who have Local access automatically have Basic access, also.

    Because this access level gives access to information throughout the business unit, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business unit.

    The application refers to this access level as Business Unit.
  • Verified answer
    Community Member Profile Picture
    Community Member on at

    Short answer - no.

    Longer answer - always create all Security Roles in your dev environment in the root BU (this also removes the need to maintain an exact replica of the BU structure in dev, but of course you should do that in test / QA / UAT.

    Use a naming convention to help identify where this role should be used. This might be enough to ensure it is only assigned to appropriate users or teams (but might not, so read on...)

    Include the Security Role in your Solution, export, import into target organisation. This will create copies all the way down the hierarchy. These inherited roles cannot be modified but can be copied. So in the BU where you really wanted this role, make a copy of the inherited one. Then delete the root role and this will remove all the unwanted ones leaving only your new, standalone copy.

    To update in future, repeat the process, adding a step to reassign users to the new one: Use Advanced Find to query for the users that have the old role first, save this as a personal view, then use to select them all and Manage Roles to grant the new copied role, then delete the old copy of the role. Repeat for Teams as needed.

    So while you can achieve this, it is several steps every time you want to update it in future. If at all possible, work with roles only in the root BU and use a strong naming convention to avoid the issue.

  • Aileen Gusni Profile Picture
    Aileen Gusni 44,524 on at

    Hi James,

    Don't think so.

    Because when you do solution and including security role as component, you can only including one per role, does not matter you have thousand BU with thousand different security role for each BU, it will follow the Organization as one setting, which is Root BU.

    There is no option for you to choose security role then from which BU, because different organization can be different BU but security role is regarded as one role as template.

    Hope this clarifies, thanks.

  • James F. Profile Picture
    James F. on at

    Lets say the security roles in the sub-business unit are inherited from the root business unit. If I update the security roles in the root will the security roles in the sub update?

  • Verified answer
    Hosk Profile Picture
    Hosk on at

    Only security roles included in the root business unit can be added to a solution and imported into your dev environments.

    It's not best practices to change the security roles of child business units and doing this will create a security setup which will be harder to maintain and manage in the long term.

    Adam Vero, who has answered below is a CRM security Guru, I would listen to him.

    my advise would be to achieve the thing but by creating different security roles and assigning those to the users in child business units.  With clear labelling you should be able to achieve this and add them to your root business unit.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans