Microsoft Dynamics CRM security model

Microsoft Dynamics CRM gives you a security model that protects data integrity and privacy and also supports efficient data access and collaboration. The Microsoft Dynamics CRM security model supports recommended security best practices. The goals of the model are as follows:

  • Support a licensing model for users.

  • Give users access only to the needed levels of information that are required to do their jobs.

  • Categorize users and teams by role and restrict access based on those roles.

  • Support data sharing so that users can be granted access to objects they do not own for a one-time collaborative effort.

  • Prevent access to objects a user does not own or share.

Role-based security

Role-based security in Microsoft Dynamics CRM is a grouping of a set of privileges that consists of the responsibilities (or tasks that can be performed) of a user or team. Microsoft Dynamics CRM includes a set of predefined security roles, each of which is a set of rights aggregated to make user security management easier. Each application deployment can also have its own roles to meet the needs of different users.

Entity-based security

Entity-based security in Microsoft Dynamics CRM is about user and team rights to entities. This applies to individual instances of entities and is provided by user rights. The relationship between a user right and a privilege is that user rights apply only after privileges have taken effect. For example, if users do not have the privilege to read accounts, they will be unable to read any account, regardless of the user rights another user might grant them to a specific account through sharing.

You combine role-based security and object security to define the overall security rights that users have in your custom Microsoft Dynamics CRM application.

Object field-based security

You can restrict access to or set field-level security for custom fields in the client application.

You combine role-based security, object security, and field-based security for custom fields to define the overall security rights that users have in your custom Microsoft Dynamics CRM application.

Deployment-wide administrative-level security

During installation, Microsoft Dynamics CRM Server Setup creates a special deployment-wide administrator role and attaches it to the user account that is used to run Setup. The Deployment Administrator role is not a security role and does not appear in the Microsoft Dynamics CRM web application as such.

Deployment Administrators have complete and unrestricted access to all organizations in Deployment Manager in the deployment. For example, Deployment Administrators can create new organizations or disable any existing organization in the deployment. On the other hand, members of the System Administrator Role only have permissions where the user and security role are located.


When organizations are created by different Deployment Administrators, the associated user accounts of other Deployment Administrators must be granted db_owner privileges to the databases that they did not create in order have full access to those organizations.

For more information about security roles and privileges, see the Microsoft Dynamics CRM Help. For more information about the Deployment Administrator role, see the Deployment Manager Help.

See Also


Microsoft Dynamics CRM administration best practices
Network ports for Microsoft Dynamics CRM

Send comments about this article to Microsoft.

© 2013 Microsoft Corporation. All rights reserved.