Create or edit a security role to manage access

This content also applies to the on-premises version.

You can create new security roles to accommodate changes in your business requirements or you can edit the privileges associated with an existing security role.

If you need to back up your security role changes, or export security roles for use in a different implementation of Dynamics 365 for Customer Engagement, you can export them as part of exporting customizations. More information: Export your customizations as a solution

Create a security role

  1. Make sure that you have the System Administrator or System Customizer security role or equivalent permissions.

    Check your security role

    • Follow the steps in View your user profile.

    • Don’t have the correct permissions? Contact your system administrator.

  2. Go to Settings > Security.

  3. Click Security Roles.

  4. On the Actions toolbar, click New.

  5. Set the privileges on each tab.

    To change the access level for a privilege, click the symbol until you see the symbol you want. The possible access levels depend on whether the record type is organization-owned or user-owned.

    Tip

    To cycle through the access levels, you can also click the privilege column heading, or click the record type multiple times.
    There are a set of minimum privileges that are required in order for the new security role to be used - see below Minimum Privileges for common tasks.

  6. When you have finished configuring the security role, on the toolbar, click or tap Save and Close.

Create a security role by Copy Role

  1. Make sure that you have the System Administrator or System Customizer security role or equivalent permissions.

    Check your security role

    • Follow the steps in View your user profile.

    • Don’t have the correct permissions? Contact your system administrator.

  2. Go to Settings > Security.

  3. Click Security Roles.

  4. Click on the Security role you want to copy from.

  5. On the Actions toolbar, click Copy Role.

  6. Enter the New Role Name, and check the box for Open the new security role when copying is complete.

  7. Click the OK button.

  8. When Copying Role is complete, navigate to each tab, ie Core Records, Business Management, Customization, etc.

  9. Set the privileges on each tab.

Tip

To cycle through the access levels, you can also click the privilege column heading, or click the record type multiple times.
There are a set of minimum privileges that are required in order for the new security role to be used - see below Minimum Privileges for common tasks.

Edit a security role

Before you edit an existing security role, make sure that you understand the principles of data access. More information: Controlling Data Access

Note

You can’t edit the System Administrator security role. To create a security role similar to the System Administrator security role, copy the System Administrator security role, and make changes to the new role.

  1. Make sure that you have the System Administrator or System Customizer security role or equivalent permissions.

    Check your security role

    • Follow the steps in View your user profile.

    • Don’t have the correct permissions? Contact your system administrator.

  2. Go to Settings > Security.

  3. Click Security Roles.

  4. In the list of security roles, double-click or tap a name to open the page associated with that security role.

  5. Set the privileges on each tab.

    To change the access level for a privilege, click the symbol until you see the symbol you want. The possible access levels depend on whether the record type is organization-owned or user-owned.

    Tip

    To cycle through the access levels, you can also click the privilege column heading, or click the record type multiple times.
    There are a set of minimum privileges that are required in order for the new security role to be used - see below Minimum Privileges for common tasks.

  6. When you have finished configuring the security role, on the toolbar, click or tap Save and Close.

Minimum privileges for common tasks

It's helpful to keep in mind the minimum privileges that are needed for some common tasks. This means that a user is required to have a security role with these privileges in order to run applications.

We've created a solution you can import that provides a security role with the required minimum privileges.

Start by downloading the solution from the Download Center: Common Data Service minimum privilege security role.

Then, follow the directions to import the solution: Import, update, and export solutions.

When you import the solution, it creates the min prv apps use role which you can copy (see: Create a security role by Copy Role). When Copying Role is complete, navigate to each tab - Core Records, Business Management, Customization, etc - and set the appropriate privileges.

Important

You should try out the solution in a development environment before importing into a production environment.

  • When logging in to Dynamics 365 for Customer Engagement:

    • Assign the min prv apps use security role or a copy of this security role to your user.

    • To render an entity grid (that is, to view lists of records and other data), assign the following privileges on the Core Records tab: Read privilege on the entity, Read Saved View, Create/Read/Write User Entity UI Settings and assign the following privilege on the Business Management tab: Read User

  • When logging in to Dynamics 365 for Outlook:

    • To render navigation for Dynamics 365 for Customer Engagement and all Dynamics 365 for Customer Engagement buttons: assign the min prv apps use security role or a copy of this security role to your user

    • To render an entity grid: assign Read privilege on the entity

    • To render entities: assign Read privilege on the entity

Privacy notices

Licensed Dynamics 365 Online users with specific Security Roles (CEO – Business Manager, Sales Manager, Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized to access the service by using Dynamics 365 for phones, as well as other clients.

An administrator has full control (at the user security role or entity level) over the ability to access and the level of authorized access associated with the phone client. Users can then access Dynamics 365 (online) by using Dynamics 365 for phones, and Customer Data will be cached on the device running the specific client.

Based on the specific settings at the user security and entity levels, the types of Customer Data that can be exported from Dynamics 365 (online) and cached on an end user’s device include record data, record metadata, entity data, entity metadata, and business logic.

The Dynamics 365 for Customer Engagement for tablets and phones, and Project Finder for Project Finder for Dynamics 365 (the "App") enables users to access their Microsoft Dynamics CRM or Dynamics 365 for Customer Engagement instance from their tablet and phone device. In order to provide this service, the App processes and stores information, such as user's credentials and the data the user processes in Microsoft Dynamics CRM or Dynamics 365 for Customer Engagement. The App is provided for use only by end users of Microsoft customers who are authorized users of Microsoft Dynamics CRM or Dynamics 365 for Customer Engagement. The App processes user's information on behalf of the applicable Microsoft customer, and Microsoft may disclose information processed by the App at the direction of the organization that provides users access to Microsoft Dynamics CRM or Dynamics 365 for Customer Engagement. Microsoft does not use information users process via the App for any other purpose.

If users use the App to connect to Microsoft Dynamics CRM (online) or Dynamics 365 for Customer Engagement, by installing the App, users consent to transmission of their organization's assigned ID and assigned end user ID, and device ID to Microsoft for purposes of enabling connections across multiple devices, or improving Microsoft Dynamics CRM (online), Dynamics 365 for Customer Engagement or the App.

Location data. If users request and enable location-based services or features in the App, the App may collect and use precise data about their location. Precise location data can be Global Position System (GPS) data, as well as data identifying nearby cell towers and Wi-Fi hotspots. The App may send location data to Microsoft Dynamics CRM or Dynamics 365 for Customer Engagement. The App may send the location data to Bing Maps and other third party mapping services, such as Google Maps and Apple Maps, a user designated in the user's phone to process the user's location data within the App. Users may disable location-based services or features or disable the App's access to user's location by turning off the location service or turning off the App's access to the location service. Users' use of Bing Maps is governed by the Bing Maps End User Terms of Use available at https://go.microsoft.com/?linkid=9710837 and the Bing Maps Privacy Statement available at https://go.microsoft.com/fwlink/?LinkID=248686. Users' use of third party mapping services, and any information users provide to them, is governed by their service specific end user terms and privacy statements. Users should carefully review these other end user terms and privacy statements.

The App may include links to other Microsoft services and third party services whose privacy and security practices may differ from those of Microsoft Dynamics CRM or Dynamics 365 for Customer Engagement.  IF USERS SUBMIT DATA TO OTHER MICROSOFT SERVICES OR THIRD PARTY SERVICES, SUCH DATA IS GOVERNED BY THEIR RESPECTIVE PRIVACY STATEMENTS. For the avoidance of doubt, data shared outside of Microsoft Dynamics CRM or Dynamics 365 for Customer Engagement is not covered by users' Microsoft Dynamicss CRM or Dynamics 365 for Customer Engagement agreement(s) or the applicable Microsoft Dynamics Trust Center. Microsoft encourages users to review these other privacy statements.

Licensed Dynamics 365 Online users with specific Security Roles (CEO – Business Manager, Sales Manager, Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized to access the service by using Dynamics 365 for tablets, as well as other clients.

An administrator has full control (at the user security role or entity level) over the ability to access and the level of authorized access associated with the tablet client. Users can then access Dynamics 365 (online) by using Dynamics 365 for tablets, and Customer Data will be cached on the device running the specific client.

Based on the specific settings at the user security and entity levels, the types of Customer Data that can be exported from Dynamics 365 (online) and cached on an end user’s device include record data, record metadata, entity data, entity metadata, and business logic.

If you use Microsoft Dynamics 365 for Outlook, when you go offline, a copy of the data you are working on is created and stored on your local computer. The data is transferred from Dynamics 365 (online) to your computer by using a secure connection, and a link is maintained between the local copy and Dynamics 365 Online. The next time you sign in to Dynamics 365 (online), the local data will be synchronized with Dynamics 365 (online).

An administrator determines whether or not an organization’s users are permitted to go offline with Microsoft Dynamics 365 for Outlook by using security roles.

Users and administrators can configure which entities are downloaded via Offline Sync by using the Sync Filters setting in the Options dialog box. Alternatively, users and Administrators can configure which fields are downloaded (and uploaded) by using Advanced Options in the Sync Filters dialog box.

If you use Dynamics 365 (online), when you use the Sync to Outlook feature, the Dynamics 365 data you are syncing is “exported” to Outlook. A link is maintained between the information in Outlook and the information in Dynamics 365 (online) to ensure that the information remains current between the two. Outlook Sync downloads only the relevant Dynamics 365 record IDs to use when a user attempts to track and set regarding an Outlook item. The company data is not stored on the device.

An administrator determines whether your organization’s users are permitted to sync Dynamics 365 data to Outlook by using security roles.

If you use Microsoft Dynamics 365 (online), exporting data to a static worksheet creates a local copy of the exported data and stores it on your computer. The data is transferred from Dynamics 365 (online) to your computer by using a secure connection, and no connection is maintained between this local copy and Dynamics 365 (online).

When you export to a dynamic worksheet or PivotTable, a link is maintained between the Excel worksheet and Dynamics 365 (online). Every time a dynamic worksheet or PivotTable is refreshed, you’ll be authenticated with Dynamics 365 (online) using your credentials. You’ll be able to see the data that you have permissions to view.

An administrator determines whether or not an organization’s users are permitted to export data to Excel by using security roles.

When Dynamics 365 (online) users print Dynamics 365 data, they are effectively “exporting” that data from the security boundary provided by Dynamics 365 (online) to a less secure environment, in this case, to a piece of paper.

An administrator has full control (at the user security role or entity level) over the data that can be extracted. However, after the data has been extracted it is no longer protected by the security boundary provided by Dynamics 365 (online) and is instead controlled directly by the customer.

See also

Security concepts for Dynamics 365 for Customer Engagement
Manage security, users and teams
Copy a security role