Microsoft Dynamics CRM (Archived)

Owner Teams Record Access - Security Roles odd issue


Hello,

We have been having troubles creating a working security model for our sales team. We are trying to accomplish locking down read access to all accounts unless you own that account or it is shared with you. We have also created a sales team (not a user or access team; it's an owning team) and added each salesperson to this team (to do things like share records with the whole sales team). The issue is when a user gets added to the sales team they begin to see many (about a thousand or so) more records than they should. (The records are owned by users on the team AND other random users not even a part of the team.) My understanding of owner teams is that the security roles are additive but only Team+User. Our sales team has no role applied, and the user in question has read access to their accounts only. So they should still only see accounts they own. Removing them from the team gives expected results, but when they are a part of the team, they are able to see records they are not supposed to, but not every record in the system. It just gives them access to a random subset of accounts.

Help would be greatly appreciated!

Thanks!

  • ThomasN

    Hi SALutions, thank you for reaching out.

    Need some clarity here to understand more about the Security that could be impacting this visibility.

    What is the Read access level for Accounts entity on the Ownership Team you created?

    What happens when you remove them from the team? What role do they have?

    For the accounts showing owned by users not part of the team, are these possibly shared with another user who is part of the team?

    Eager to help,

    -Tom

  • Community Member

    Hi Tom, Thanks for your response!

    The ownership team has no security role applied.

    The user in question has user read access to accounts, meaning they can only see accounts that they own.

    When not a part of the team, everything is fine.

    When added to the team, user can start seeing accounts they do not own, but not all accounts.

    Looking at many examples of accounts appearing when user is added to team, there is no other user that the account is shared with besides the current account owner.

    I could not find any other pattern between accounts showing up when user gets added to the team.

    -Sal

  • Community Member

    I came across this article today: http://blog.crmguru.co.uk/2013/06/25/security-roles-and-teams-in-crm-2011-an-inconvenient-half-truth/

    It explains team access, but it is still unclear to me why I am getting my results. I am going to try and add a very basic role (role with no rights) to the team and see if that will make a difference. 

    Thoughts are still appreciated! 

    Thanks,

    Sal

  • Lucas Blackburn

    Hi SALutions,

    Since you are using owner teams, there are only 3 scenarios I can think of that would cause this:

    1. The owner team has a security role that provides more access

    2. All the records were shared with the team.

    3. The owner team owns those records

  • Community Member

    Hello Lucas,

    In regards to your number 1: the team has 0 roles applied to it. How does this differ? Would adding a role with ZERO permissions change anything?

    Number 2: Can shared access be seen within the share grid after you press share? When viewing many account records that appear after the user is added to the team, those accounts do not have anyone else listed in the share view other than the current owner, who is not the team (number 3), but another user, who may or may not be a part of the team. The only thing I could think of is that the records are being shared with the team and I cannot see that they are via the normal share method. Maybe there is somewhere else I can see what records are shared with whom?

    I will test my questions to number 1 now. 

  • Community Member

    Number 1 test: After adding a newly created role to the team with no permissions applied, it gives the same results.

  • Lucas Blackburn

    Actually, the owner team can't actually own anything without permissions.  However, it can have records shared with it (and its members).  If you try to assign that team as the owner of a record, you should get an error.

    Do some of the accounts have "Hierarchy" using parent accounts?  Maybe the owner team has been shared with parent accounts - cascading parental relationship would allow them access to any child accounts as well.

  • Community Member

    The accounts being shown are not all owned by the team. (There are some that are.) Before removing the security role for testing there were many accounts assigned to the team.

    There are no hierarchies to these accounts.

    I am starting to notice a pattern in the audit logs where a user used the event "Add Member" but I am not sure what that is doing. ("This record was associated with the Marketing List record type through the listaccount_association relationship" "Associated Record Name: Record Unavailable")

  • Community Member

    7178.addmember.png

  • Lucas Blackburn

    What you are seeing in that specific example is somebody adding members (accounts) to a marketing list.

    I would try creating a completely new owner team and assigning users to that team to see if it makes a difference.
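
The scenario raised in the thread, records shared with the team directly or through a cascading relationship, can be checked against the share data itself. The following is an added example, not code from this thread or from Microsoft: it assumes rows exported from the PrincipalObjectAccess table, where Dynamics CRM stores shares, and every id and row in it is constructed.

```python
# Added example: list accounts a user gains only through team membership.
# Assumption: rows come from an export of PrincipalObjectAccess; the ids,
# owners and rows below are constructed sample data.

READ_ACCESS = 0x1        # AccessRights.ReadAccess bit
ACCOUNT_TYPE_CODE = 1    # object type code of the account entity

TEAM, USER = "team-sales", "user-a"
OWNERS = {"acc-1": "user-b", "acc-2": "user-c", "acc-3": "user-a",
          "acc-4": "user-b", "acc-5": "user-c"}
SAMPLE_ROWS = [
    # principalid, objectid, objecttypecode, accessrightsmask, inherited mask
    (TEAM, "acc-1", 1, 1, 0),      # shared directly with the team
    (TEAM, "acc-2", 1, 0, 1),      # read inherited via a cascading share
    (TEAM, "acc-3", 1, 1, 0),      # user already owns this one
    ("user-b", "acc-4", 1, 1, 0),  # share to another principal
    (TEAM, "con-9", 2, 1, 0),      # not an account
    (TEAM, "acc-5", 1, 0, 0),      # row left behind with no rights
]


def accounts_gained_via_team(rows, team_id, user_id, owners):
    """Return {account_id: reason} for accounts the user does not own
    but can read because a share row targets the team."""
    gained = {}
    for principal, obj, type_code, mask, inherited_mask in rows:
        if principal != team_id or type_code != ACCOUNT_TYPE_CODE:
            continue
        if owners.get(obj) == user_id:
            continue  # already visible through user-level read
        if mask & READ_ACCESS:
            gained[obj] = "shared directly with team"
        elif inherited_mask & READ_ACCESS:
            gained[obj] = "inherited through cascading relationship"
    return gained


if __name__ == "__main__":
    for account, reason in sorted(
            accounts_gained_via_team(SAMPLE_ROWS, TEAM, USER, OWNERS).items()):
        print(account, "owned by", OWNERS[account], "->", reason)
```
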
