Mapping the Basic User to Security Role Settings - Suggestions

In Dynamics CRM we have three types of User Subscription Licenses (USLs); Professional, Basic, and Essential

  1. Professional users has full rights to 'everything' in CRM
  2. Essential users has rights to custom entities primarily
  3. Basic users sits sort of in-between, in terms of use rights

Note - A fourth USL (Enterprise) is available. Its equivalent to Professional plus Dynamics Marketing, Social Care (specific markets) and Unified Service Desk.

Each of the above licenses has a different price point; if Professional is 4X then Basic is approximately 2X, and Essential is X. Hence its often of interest to the customer to 'get the right mix' between Professional and Basic users, ending up with the optimal average price point.

The Basic user has full access to eg the Account, Contact, Lead, and Case entitites, but have read only/limited use rights to certain entities, eg. Opportunities. Using the Security Role settings in Dynamics CRM you can control what a user can access. Hence mapping the two - the Use Rights of the Basic user to the available Security Role settings - is interesting.

Use Rights for the Basic USL

Appendix A in the "Licensing and Pricing Guide, June 2014" maps CRM Online Use Rights to the Pro, Basic and Essential USL's.

Security Roles

A security role in Dynamics CRM defines how different users, such as salespeople, access different types of records. To control access to data, you can modify existing security roles, create new security roles, or change which security roles are assigned to each user. Each user can have multiple security roles.

To access the security roles click Settings -> Administration -> Security Roles

In the "New Security Role" dialog you can control what a user with that new role can do in CRM using the various tabs and settings (priveleges and scope) in the dialog.

The tabs are

  • Core Records
  • Marketing
  • Sales
  • Service
  • Business Management
  • Service Management
  • Customizations
  • Custom Entities

The access right/priveleges are

  • Create - create a record
  • Read - read a record
  • Write - make changes to a record
  • Delete - delete a record
  • Append - associate a record to another record
  • Append To - associate entity record to this record
  • Share - give access to a record to another user while keeping your own access
  • Reparent - assign a different parent to entity record

The scopes are

  • None Selected = No access is allowed
  • User = This access level gives a user access to records he or she owns, objects that are shared with the user, and objects that are shared with a team of which the user is a member
  • Business Unit = This access level gives a user access to records in the user's business unit
  • Parent: Child Business Unit = This access level gives a user access to records in the user's business unit and all business units subordinate to the user's business unit
  • Organisation = This access level gives a user access to all records within the organization, regardless of the business unit hierarchical level to which the instance or the user belongs

Mapping Use Rights to Security Role settings for the Basic USL

In the table below I've taken the first steps trying to map the Basic USL to CRM Security Role settings. Please note: the below table is a my personal suggestion and by no means authoritive.

The table has six columns:

  1. "Appendix A - Subject" = The left most column ("Use Rights" in the Appendix A above, sorted alphabetically
  2. "Basic"  = Appendix A - Basic User Use Rights (1=Full, 0=None)
  3. "Focus" = What I consider being the deciding context
  4. "USL" = Lists if Basic user has Full or Read access to the entity to the left (the "Focus" Column) according to the simple chart (an interpretation of Figure 5 in the Licensing and Pricing Guide)
  5. "Security Tab" - name of the tab in CRM Security Roles where the setting is to be done
  6. "Security Setting(s) - suggested" = which settings I suggest you look at on the tab


Appendix A: Subject  Basic  Focus  USL   Security Tab  Security: Setting(s)  - suggested 
Accounts  Accounts     Core  Account 
Activity Management  Activities     Core   Activity 
Add or remove a Customerfor an Account  Customer Relationship  Core  Customer Relationship 
Add or remove a Customer Relationship for a Contact   Customer Relationship     Core  Customer Relationship 
Advanced Find Search   Search 
Associate an Opportunitywith a Contact   Contacts  Full  Core  Opportunity = Append,Contact = Append To 
Associate an Opporturitywith an Account  Accounts  Full  Core  Opportunity = Append,Account = Append To 
Case Management   Cases  Full  Service  Case 
Contacts  Contacts  Full  Core  Contact 
Convert an Activity to a Case   Cases  Full  Service  Case = (Create) 
Create and Update Announcements  Announcements     Core  Announcement 
Create personal views   Views - Personal     Customization   View = (Create) 
Create, Update, Customize Reports   Reports     Core  Report 
Export data to Microsoft ExceI   Data - Export     Business Management  Export to Excel 
Follow Activity Feeds   Follow     Core  Follow 
Lead Capture  Leads  Full  Core  Lead 
Lead scoring, routing and assignment  Leads   
Manage Saved Views   Views - Saved     Core  Saved Views 
Manage user reports,user charts,and user dashboards   Reports, Charts, Dashboards - User  Full  Core  Report,User Chart,User Dashboard 
Microsoft CRM for Outlook   Client UI     Business Management  Sync to Outlook,Go Offline in Outlook 
Microsoft CRM Web application   Client UI 
Microsoft Dynamics CRMfor iPad & Windows 8   Client UI     Business Management  Use CRM for Tablets 
Microsoft Dynamics CRMMobile Express   Client UI 
Notes   Notes  Full  Core  Note 
Perform Mail Merge   Mail Merge     Business Management  Mail Merge,Web Mail Merge,(Core : Mail Merge Template) 
Post Activity Feeds   Post  Full  Core  Post 
Qualify and Convert aLead to a Contact  Contacts  Full  Core  At least WRITE on Lead as well as CREATE & WRITE on Contact 
Qualify and Covert aLead to an Account  Accounts  Full  Core  At least WRITE on Lead as well as CREATE & WRITE on Account 
Read Articles   Articles     Service  Article = (Read) 
Read Custom Application Data   Data - Custom     Customization : User Application Metadata 
Read Dynamics CRMApplication Data   Data - CRM Application  Read    Core:Application File,Customization:System Application Metadata 
Run an automated workflow   Workflows - Automated     Customization  Execute Workflow Job 
Run as an On-demand Process   Processes (Workflows)     Customization  Process,Execute Workflow Job 
Run Reports   Reports     Core  Report 
Search  Search 
Shared Calendar  Calendar - Shared     Service Management  Calendar 
SLAs  SLAs     Service Management  SLA 
Start Dialog   Dialogs     Customization  Execute Workflow Job 
Use a Queue item   Queues     Core  Queue:Write 
Use Relationships between Records   Relationships     Core  Relationship Role 
User Charts   Charts - User     Core  User Chart 
User Dashboards   Dashboard - User     Core  User Dashboard 
User Interface Integration for Microsoft Dynamics CRM  
View Announcements   Announcements     Core  Announcement 
Write Custom Entity Records   Entities - Custom     Customization  Entity = (Write) 
Yammer Collaboration   Yammer    Customization:Configure Yammer 
Administer CRM  CRM 
Article Templates  Articles - Templates     Service  Article Templates = No 
Competitor Tracking  Competitors  Read  Sales  Competitor = Read 
Configure Auditing  Auditing     Core  Delete Audit Partitions = No,View Audit History,View Audit Partitions,View Audit Summary 
Configure Duplicate-Detection Rules  Duplicate-detection rules     Core  Duplicated Detection Rule = No 
Configure SLA Policies  SLA Policies 
Contract Management  Contracts  Read  Service  Contract = (Read) 
Contract Templates  Contracts - Templates     Service  Contract Template = No 
Convert an Activity to an Opporturity  Opportunities  Read  Core  Opportunities = (Read) 
Create and Publish Articles  Articles     Service  Create = No,Publish Articles = No 
Create CRM Forms, Entities, Fields  Forms, entities, fields      Customization  Entity = (NOT Create),Field = (NOT Create) 
Customize Forms and Views  Forms, Views     Customization  System Form = No
Define and ConfigureBusiness Units  Business Units     Business Management  Business Unit = No,Enable or Disable aBusiness Unit,Reparent Business Unit 
Define and ConfigureDialogs  Dialogs     Customization  Activate Real-timeProcesses = No,Activate Business Rules = No 
Define and ConfigureQueues  Queues     Core  Queue/Create = No 
Define and ConfigureWorkflows  Workflows     Customization  Activate Business ProcessFlows = No,Activate Real-timeProcesses = No,Activate Business Rules = No 
Define and ConfigureServices, Resources, and Work Hours  Services, Resources, and Work Hours  Read 
Define and ConfigureTeams  Teams     Business Management  Team = No
Define Relationships Entities  Relationships     Core?  Relationship Role,Opportunity Relationship,Customer Relationship 
Facility/Equipment Management  Facilities, Equipment  Read  Service Management  Facility/Equipment = No 
Goal Management  Goals  Read  Business Management  Goal = No,Goal Metric = No,Perform in sync rollupson goals = No 
Import Data in Bulk  Data - import - Bulk     Core  Data Import = No 
Invoice Management  Invoices  Read  Sales  Invoice = No,Override Invoice Pricing = No,Override Quote OrderInvoice Delete = No 
Marketing Campaigns  Marketing campaigns  Read  Marketing  Campaign = No,Create Quick Campaign = No 
Marketing Lists  Marketing lists  Read  Marketing  Marketing List = No 
Opporturity Tracking  Opportunities  Read  Core  Opportunities = Read 
Order Management  Orders  Read  Sales  Order = No (or Read)  
Price Lists  Price lists  Read  Service? 
Product Tracking  Products  Read  Sales  Product 
Qualify and Convert aLead to an Opporturity  Opportunities  Read  Core  Opportunities = (Read) 
Quick Campaigns  Quick campaigns  Read  Marketing  Create Quick Campaign = No 
Quote Management  Quotes  Read  Sales  Quote = (Read) 
Sales literature  Sales literature     Sales  Sales literature = No 
System Reports, System Charts, System Dashboards  Reports, Charts, Dashboards - System  Read  Customization  System Chart = No 
Territory management  Territories    Sales   Territory = No(Business Management:Assign Territory to User) 

See also