Hi guys.
I have been tasked with changing contact record access on our CRM system as part of a big release that will be done over the next few months.
The only method I can come up with that I believe will actually work whilst satisfying the requirement is to perform multiple contact record shares.
I'm trying to find out if there is an alternative approach that would not involve me having so many shares.
Hoping that somebody who knows security in CRM well might answer :-)
Summary:
We effectively have two separate /companies/ that are set up in CRM as separate business units (both sitting directly under the root business unit).
Users in each company cannot see contacts owned by the other company.
Company One has multiple /sub/ child business units sitting underneath it [i.e. Main Branch A, which has a child business unit of Sub Branch A for example].
Company Two has no child business units sitting underneath it.
Company One Users:
Type 1: Most users are regular users that have user-level access to contacts (only see contacts that they own themselves).
Type 2: Each sub business unit has one user that is a branch manager and has parent-child business unit access to contacts (i.e. one of these users that sits in Main Branch A would see contacts owned by users in either Main Branch A or Sub Branch A).
Company Two Users:
All users in this company have parent/child business unit access to contacts - meaning that they can see all contacts owned by that company (they are all owned by a team in this business unit).
Proposed Change:
Currently, all contacts on the system are owned by either the Company Two business unit (a team that sits in this BU) or by an individual user that sits in one of the child business units under the Company One business unit.
We are being asked to change this, as the business now want every contact on the system to be owned at the root business unit level (not owned specifically by anybody in either company).
Users in Company Two will now be allowed to see every single contact on the system (easily achieved by /upping/ their security role to provide them with Org-level access to contact entity).
However, users in Company One are still only to be allowed access to specific contacts.
Currently, when one of these users creates a new contact - they will own it, so by default have access to it.
The Only Way I Can Think Of To Satisfy The Requirement
1. When any user (regardless of which company they are in) creates a new contact -> the owner gets set to a team in the /root/ business unit.
It will also get shared with the user that created it (if the user sits in one of the Company One child business units).
This means that the user can still access the contact record, as can all users in the Company Two business unit.
The problem with this approach though, is that managers would no longer be able to see the record (because their parent/child business unit access does not apply to record shares - only ownership).
The only way I can think of to resolve this is to create an /admin/ team for each business unit, add the manager to it & share the record with the admin team also.
I can't use the Hierarchical model instead here - because if there are sub branches - the top level manager will just have read-only access to the record, which is insufficient.
But this looks like it means there's going to be a lot of sharing of records, which is not ideal (basically every contact shared with a user will need to be shared with that user's branch admin team also).
So, looking for a better solution if there is one.
Thanks for reading.
Any help appreciated.
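
The sharing flow proposed in the post, sketched as a plug-in. This is an added example, not part of the original post, and it assumes the system is Microsoft Dynamics CRM and uses its SDK messages `AssignRequest` and `GrantAccessRequest`. The two GUIDs are placeholders, the " Admins" team naming convention is hypothetical, and the example goes slightly beyond the post by sharing with the admin team of every branch between the creator's business unit and Company One, so that a Main Branch manager keeps access to Sub Branch contacts.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example: register as a post-operation step on Create of contact.
public class ShareContactOnCreate : IPlugin
{
    // Placeholder ids (assumptions): substitute the real root-BU team and Company One BU.
    static readonly Guid RootTeamId = new Guid("00000000-0000-0000-0000-000000000001");
    static readonly Guid CompanyOneBuId = new Guid("00000000-0000-0000-0000-000000000002");
    const AccessRights Mask = AccessRights.ReadAccess | AccessRights.WriteAccess
                            | AccessRights.AppendAccess | AccessRights.AppendToAccess;

    public void Execute(IServiceProvider sp)
    {
        var ctx = (IPluginExecutionContext)sp.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)sp.GetService(typeof(IOrganizationServiceFactory));
        var svc = factory.CreateOrganizationService(null); // null = SYSTEM; the creator may lack assign/share rights
        var contact = new EntityReference("contact", ctx.PrimaryEntityId);

        // Step 1: every new contact is owned by the team in the root business unit.
        svc.Execute(new AssignRequest { Target = contact, Assignee = new EntityReference("team", RootTeamId) });

        // Walk up from the creator's BU; only a path that reaches Company One gets shares.
        var user = svc.Retrieve("systemuser", ctx.InitiatingUserId, new ColumnSet("businessunitid"));
        var bu = user.GetAttributeValue<EntityReference>("businessunitid");
        var branchBus = new List<Guid>();
        while (bu != null && bu.Id != CompanyOneBuId)
        {
            branchBus.Add(bu.Id);
            bu = svc.Retrieve("businessunit", bu.Id, new ColumnSet("parentbusinessunitid"))
                    .GetAttributeValue<EntityReference>("parentbusinessunitid");
        }
        if (bu == null) return; // reached the root without passing Company One (e.g. a Company Two user)

        Grant(svc, contact, new EntityReference("systemuser", ctx.InitiatingUserId));
        foreach (var id in branchBus)
        {
            // Assumed convention: one team per branch BU whose name ends in " Admins".
            var q = new QueryExpression("team") { ColumnSet = new ColumnSet(false) };
            q.Criteria.AddCondition("businessunitid", ConditionOperator.Equal, id);
            q.Criteria.AddCondition("name", ConditionOperator.EndsWith, " Admins");
            foreach (var team in svc.RetrieveMultiple(q).Entities)
                Grant(svc, contact, team.ToEntityReference());
        }
    }

    static void Grant(IOrganizationService svc, EntityReference target, EntityReference principal) =>
        svc.Execute(new GrantAccessRequest { Target = target,
            PrincipalAccess = new PrincipalAccess { Principal = principal, AccessMask = Mask } });
}
```

Each `GrantAccessRequest` creates a separate share on the contact, so the number of shares per contact is one for the creator plus one per branch level above them.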