web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / Where do access teams ...
Microsoft Dynamics CRM (Archived)

Where do access teams in CRM get cascade permissions from?

(0) ShareShare
ReportReport
Posted on by Community Member

We have Account access team in our CRM system.

This account access team is able to view/edit all opportunities associated with the account. But, the account access team is not able to even view leads associated with the account.

Need to know why is the behavior different for opportunities/leads? Where are the access team cascade permissions defined or derived from?

*This post is locked for comments

I have the same question (0)
  • Community Member Profile Picture
    Community Member on at

    Just to add the account access team is able to view/edit all opportunities for the account regardless of the BU

  • Suggested answer
    Community Member Profile Picture
    Community Member on at

    You need to look at the 1:N relationships from Account to Opp, and Account to Lead. In the cascading behaviours section, look at the cascade for Share and Reparent and set to something appropriate. These will only affect future changes, there is nothing retrospective here.

    If an Account has 3 Opps, and then an Access Team is added to the Account, the Account record is shared with the Team and this cascades down to the Opps according to the "Share" cascade rules (All, Active, User Owned, or none).

    If an Account has an Access team already, and you add a new Opp to the Account, the Access Team share cascades down to the new Opp according to the Reparent cascade rule.

    Share kicks in when the parent record is shared, or the shares are changed. Reparent kicks in when a record is linked (via a lookup) to the parent record.

    This post has a SQL script that you might find useful as a starting point to investigate this, if you have on-prem with access to the SQL server:

    Figuring out shares in the PrincipalObjectAccess POA table in CRM

    You would probably want to filter for entity (object) type codes 1, 3 and 4 (Account, Opp, Lead) and it might be helpful to add some extra joins to get the parent Account for the Leads and Opps so you can see which belongs to which.

  • Community Member Profile Picture
    Community Member on at

    Thanks Adam for the detailed response.

    Can you advise on the below cases

    Case 1: An account with access team exists. If new opportunity is added (and not reparented by changing account) would Share or Reparent permissions kick in for the access team?

    Case 2: Also, you said the changes are not retrospective in nature. So, if there are 3 opportunities are associated with an account and "then" the access team is added, would Share permissions still kick in?

  • Community Member Profile Picture
    Community Member on at

    Sorry...Let me rephrase my question

    What cascade permissions from Account - Opportunity apply to the Account Access team for the following cases : Share/Reparent/Assign

    1. When a opportunity is associated to the account during creation

    2.  When the parent of an opportunity is changed

    3. When access team is added to an account already having opportunities

    4. When an account is assigned to different user, opportunity records get cascaded as per which permission

    5. When a child account's parent account is changed is it also reparenting?

    Thanks!

  • Community Member Profile Picture
    Community Member on at

    1. Filling in the lookup field for the first time, before or after creating the record is changing the parent from "nothing" to "something", so this is a reparent action, exactly the same as (2)

    2. When the parent of the Opp is change by filling in, or changing the lookup to the parent Account, then the cascading behaviour for "Reparent" determines whether or not anything happens. "Cascade All" or "Cascade Active" will add an implicit share to the Opp granting access for the owner of the Account, and for the Access Team of the Account (if there is one already), and for anyone that has an explicit or implicit share on the Account.

    Owner gets full rights (but their privileges might trump this - eg if Alice (the owner of the Account) has Delete:None for Opps, then they can't delete this Opp any more than they can delete their own. Basically they can do anything to this Opp that they could do to it if they owned it, even though they do not.

    Shares from the Account (whether user, team, or Access Team) are copied with the same shared rights down to Opp. Again, privileges might overrule these - if Bob has Delete:User on Account, and this Account record is shared with Bob with Delete rights, this will cascade down to the Opp. But if Bob has delete:none on Opps, he still can't delete it.

    All of this is done by reparent: the only thing that changed is the lookup, not ownership or sharing or anything else.

    3. Access Teams use sharing. The system creates a Team, adds a user to it and shares the record with the Team. Sharing cascade rules determine if this is cascaded down the Opps or not.

    If Cascade:All,  the Access team will have shared rights to the Opp the same as to the Account, which means that users in that Team have those rights too. Cascade:Active will only affect Open Opps. Cascade:User Owned would only share Alice's Opps, not Charlie's (under the same Account).

    4. If you have Assign cascading, then the Opps will also get assigned. If you have reparent Cascading, there is a cleanup here - Alice will no longer have rights to the Opps she does not own. The new owner does not gain any rights.

    5 Account>Account changes, yes this is a reparent, but a reparent of the Account in the Account: Parent Company / Account relationship. So this would give rights to the owner or sharers of the parent account over the child account. This might then cascade down to the Opportunities, depending on the Account:Opp relationship cascading behaviours.

    Phew!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans