Using Business Units to restrict data access

(0) Share

Report

Posted on by James Memery

Hi all,

I have received what seemed at first to be a straightforward request. I have not worked a lot with Business Units, but have read a number of blogs prior to this post. I still can't decide the best way to proceed...

A company use their CRM to complete a number of business processes. The CRM is fairly heavily customised with a number of custom entities, but for the sake of this post I shall call them ‘Projects’.

The company is going to enter into a partnership with another company, and users from both companies will be using the system to create and complete projects.

There will be regular ‘Company’ projects, and there will be ‘Partnership’ projects.

The request was to prevent users from the partnership from seeing company projects, but to allow users from company to see both company and partnership projects.

Company projects will be created by company users only, but partnership projects may be created by either party.

Initially I thought a simple solution would be to create an additional Business Unit for the Partnership, and a new security role that allowed privs at BU level rather than organisation level, but this wouldn’t work.

There would be a problem if a user who was in the ‘Company’ business unit created a project that was a ‘Partnership’ project. The project would by default be owned by the Company user, and the Partnership user would not be able to see it.

I have considered the use of teams, and having the Company users assign the project to a new 'partnership' team, but a security setup that relies on users assigning records in order for it to work seems like a bad idea.

I have considered workflows to assign records based on certain values, but in reality I have massively simplified the scenario for the purposes of this post, and there are a number of related entities that pull data from project, and any workflow will very quickly become complicated.

Sorry for the long post. Are Business Units the right way forward here in your opinions? Have I overcomplicated this in my mind?! Is there an obvious or easy way to achieve what is required that I have overlooked?

Thanks in advance for any feedback

James

*This post is locked for comments

I have the same question (0)

All responses (5)

Answers (0)

Suggested answer

razdynamics 17,308 User Group Leader on at

Like (0)

Report

RE: Using Business Units to restrict data access

Hi James, Yes the use of Business Units, Teams and Security Roles is fundamental to your approach to control access to records within CRM. However due to your specific scenario and requirements ;

"prevent users from the partnership from seeing company projects, but to allow users from company to see both company and partnership projects" &

"Company projects will be created by company users only, but partnership projects may be created by either party."

Then yes you may have to take the approach of using workflows to assign ownership to the relevant BU/Team. Alternatively you could also Create a Custom Entity for the Company Projects, or an Intersect entity for Projects that would map the values across that could give you more autonomy, But your workflow to Assign records seems to be the better option.

Was this reply helpful? Yes No
Suggested answer

tpeschat 4,930 on at

Like (0)

Report

RE: Using Business Units to restrict data access

Hi,

this can be achieved by different business Units.

"The request was to prevent users from the partnership from seeing company projects, but to allow users from company to see both company and partnership projects.

Company projects will be created by company users only, but partnership projects may be created by either party.".

In this case I would define the "company business unit" as top BU and the partnership BU as a child of the company BU.

Then if the security roles of any entity are configured to BU all users of the top BU, should also see the data of the child BU (partnership), while the users of the partnership BU shouldn't see the company projects.

In case a partnership user needs to see a company project due to some circumstance, this can be achieved by sharing the project.

br Thomas

Was this reply helpful? Yes No
James Memery on at

Like (0)

Report

RE: Using Business Units to restrict data access

Thanks for all of the responses, but in response to Thomas in particular...

The set up you have suggested is what I initially decided to use, but I have since realised that if a 'Company' user was to create a project that was in fact a 'Partnership' project (remember that Company users may need to create either company projects or partnership ones), then the company user would by default be the owner of that project.

As the owner of a record dictates which business unit the record is 'owned' by, this means anyone in the 'partnership' BU would not be able to see any records owned by 'Company' users, and this is not acceptable, because the partnership projects should be seen by both parties, and may be owned by users from either party.

It looks as though re-assigning such records to a Team (in the partnership BU) might be the best option. It just seems overly complex for what seems like a fairly simple requirement.

Was this reply helpful? Yes No
tpeschat 4,930 on at

Like (0)

Report

RE: Using Business Units to restrict data access

Hi,

you are right, in such cases you would need to additionally work with teams.

So in case a company user would setup a partnership project, he'd either have to share it with a "project team" or assign it to that team.

br Thomas

Was this reply helpful? Yes No
stuart 2,080 on at

Like (0)

Report

RE: Using Business Units to restrict data access

Hi

We have similar requirements and we use a combination of BUs and also Teams with explicit access permissions - this way users within one BU can still own records but others, outside of their BU, if in an appropriate Team can still have access to records that fall outside of their usual BU.

Was this reply helpful? Yes No