Security roles removed from User - however can still login and Use MSD CRM as before

(0) Share

Report

Posted on by Stuart Galton

I am having an issue, when people leave our organisation, we remove the security roles for that specific club role (email address) to stop them loggin on, however today I tried the following after I noticed some weird behaviour on some club accounts...

1) logged on as a test user with security role permission and all work ok.

2) Removed all security role permission for that user.

3) Re opened browser and logged into O365 portal at the same PC and MSD loaded up and all worked OK.!!

4) cleared browser history, closed down browser.

5) Reload browser and logged in - still working!!

When ever I have changed permission in the past for an action which is not working the permission is immediately auctioned, why are the security roles still allowing my user to log into MSD CRM??

Regards

Stu

*This post is locked for comments

I have the same question (0)

All responses (5)

Answers (2)

Verified answer

Karsten Wirl 4,477 on at

Like (1)

Report

Hello Stuart.

Are there teams assigned to the user?

Perhaps one of the teams has also assigned security roles.

Kind regards

Karsten

Was this reply helpful? Yes No
Community Member on at

Like (1)

Report

Also, check the BU team, see if that team has a SR on it.

Was this reply helpful? Yes No
Stuart Galton on at

Like (0)

Report

Hi

Yes all our club staff are within different Teams, which I cannot remember why exactly, but I know we had to give the team a security role?? are we stating now that this overrides the user security roles.. ;o(

so when we have a leaver to our company, what is the best way to stop them logging ion , to simple de-activate, then re-activate when a new resource is employed??

Was this reply helpful? Yes No
Suggested answer

Community Member on at

Like (0)

Report

The roles on Team act the same way the Roles on Users work, they add together to give the user the highest privilege.

I would deactivate anyone who leaves your organization, you can always reactivate them later. Or create a new User for the new employee.

Was this reply helpful? Yes No
Verified answer

Karsten Wirl 4,477 on at

Like (1)

Report

Hello Stuart.

Thanks a lot for the "verification".

A short description for you with an example...

One of your users is TODD MOSLEY.

The following secroles are assigned to him:

SecRole A

SecRole C

SecRole D

The following teams are assigned to him:

Team A w/o a SecRole

Team B with SecRole A

Team D with SecRole E

Team F w/o a SecRole

In Combination your user TODD MOSLEY has the following secroles assigned:

SecRole A (direct)

SecRole C (direct)

SecRole D (direct)

SecRole E (team)

When you remove all direct assigned secroles, TODD MOSLEY has still access to the system, because the membership of TODD MOSLEY in the teams B and D, which have secroles assigned.

You have to disable an user, so he has no longer access to the system. If you want to go to the save side, remove all teams and secroles and disable the user!

Happy End. ;)

Was this reply helpful? Yes No