Role-based security in Microsoft Dynamics CRM focuses on grouping together a set of privileges that describe the tasks performed by a user in a specific job function. The basic concepts of role-based security include the following:
- Users are assigned one or more roles based on their job function or tasks
- Roles are associated with permissions (privileges and access levels) for the different business objects (entities)
- Users gain access to entities or groups of entities in the system via membership in a role that has been assigned the necessary privileges and access levels to perform the users’ jobs.
Object-based security in Microsoft Dynamics CRM focuses on how users gain access to individual instances of business objects (entities).
Role-based Security
Role-based security in Microsoft Dynamics CRM is based on the interaction of privileges and access levels, which work together through the use of security roles.
Privileges define what actions a user can perform on each entity in Microsoft Dynamics CRM. Privileges are pre-defined in Microsoft Dynamics CRM and cannot be changed; examples of privileges include Create, Read, Write, and Delete.
Access levels indicate which records associated with each entity the user can perform actions upon. The access level associated with a privilege determines (for a given entity type) the levels within the organizational hierarchy (User, Team and Business Unit) at which a user belonging to a specific role can act on that type of entity.
Each security role provides a combination of privileges and access levels specific to a Microsoft Dynamics CRM job function.
Object-based Security
Object-based security applies to individual instances of entities and is provided by using access rights. An access right is granted to a user for a particular entity instance.
The relationship between an access right and a privilege is that access rights apply only after privileges have taken effect. For example, if users do not have the privilege to read accounts, they will be unable to read any account, regardless of the access rights another user might grant them to a specific account through sharing. Sharing can widen access to an individual record, but it can never substitute for a privilege the user's roles do not grant.
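The two-stage evaluation described above (role privileges first, then per-record access rights), as an added illustrative model written for this page; it is not Microsoft's code or API. The `Record`, `User`, `privilege_level` and `allowed` names, the three-tier level ordering and the sample users and account are constructed assumptions that simplify the real product's hierarchy.

```python
from dataclasses import dataclass, field

# Access levels ordered by scope; a higher level includes the lower ones.
# Only the tiers named on the page are modelled (assumption: "Team" is omitted).
LEVELS = {"None": 0, "User": 1, "BusinessUnit": 2}

@dataclass
class Record:
    owner: str
    business_unit: str
    shares: dict = field(default_factory=dict)  # user name -> set of access rights

@dataclass
class User:
    name: str
    business_unit: str
    roles: list  # each role maps (entity, privilege) -> access level

def privilege_level(user, entity, privilege):
    """Highest access level any of the user's roles grants for (entity, privilege)."""
    best = "None"
    for role in user.roles:
        lvl = role.get((entity, privilege), "None")
        if LEVELS[lvl] > LEVELS[best]:
            best = lvl
    return best

def allowed(user, entity, privilege, record):
    """Role-based check first; an access right granted by sharing only
    widens access when the user holds the privilege at some level."""
    level = privilege_level(user, entity, privilege)
    if level == "None":
        return False  # no privilege at all: a share cannot help
    if level == "BusinessUnit" and record.business_unit == user.business_unit:
        return True
    if record.owner == user.name:  # User level covers the user's own records
        return True
    return privilege in record.shares.get(user.name, set())

# Constructed sample data: one Salesperson role, two users, one shared account.
SALESPERSON = {("account", "Read"): "User", ("account", "Write"): "User"}
ALICE = User("alice", "East", [SALESPERSON])
BOB = User("bob", "West", [SALESPERSON])
# alice shares her account with bob, granting Read and Delete access rights.
ACCOUNT_A = Record(owner="alice", business_unit="East",
                   shares={"bob": {"Read", "Delete"}})
```

Bob can read the shared account but still cannot delete it: the Delete access right was granted, but no role gives him the Delete privilege.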