Create or edit a security role

Article
03/15/2016

Applies To: CRM 2015 on-prem, CRM Online

You can create new security roles to accommodate changes in your business requirements or you can edit the privileges associated with an existing security role.

If you need to back up your security role changes, or export security roles for use in a different implementation of Microsoft Dynamics CRM, you can export them as part of exporting customizations. More information: Help & Training: Export your customizations as a solution

Create a security role

Make sure that you have the System Administrator or System Customizer security role or equivalent permissions.

Check your security role
- Follow the steps in View your user profile.
- Don’t have the correct permissions? Contact your system administrator.
Go to Settings > Security.
Choose Security Roles.
On the Actions toolbar, click New.
Set the privileges on each tab.

To change the access level for a privilege, click the symbol until you see the symbol you want. The possible access levels depend on whether the record type is organization-owned or user-owned.

Tip

To cycle through the access levels, you can also click the privilege column heading, or click the record type multiple times.
When you have finished configuring the security role, on the toolbar, click or tap Save and Close.

Edit a security role

Before you edit an existing security role, make sure that you understand the principles of data access. More information: Security roles and privileges

Note

You can’t edit the System Administrator security role. To create a security role similar to the System Administrator security role, copy the System Administrator security role, and make changes to the new role.

Make sure that you have the System Administrator or System Customizer security role or equivalent permissions.

Check your security role
- Follow the steps in View your user profile.
- Don’t have the correct permissions? Contact your system administrator.
Go to Settings > Security.
Choose Security Roles.
In the list of security roles, double-click or tap a name to open the page associated with that security role.
Set the privileges on each tab.

To change the access level for a privilege, click the symbol until you see the symbol you want. The possible access levels depend on whether the record type is organization-owned or user-owned.

Tip

To cycle through the access levels, you can also click the privilege column heading, or click the record type multiple times.
When you have finished configuring the security role, on the toolbar, click or tap Save and Close.

Minimum privileges for common tasks

It's helpful to keep in mind the minimum privileges that are needed for some common tasks. These include:

When logging in to Microsoft Dynamics CRM:
- To render the home page, assign the following privileges on the Customization tab: Read Web Resource, Read Customizations
- To render an entity grid (that is, to view lists of records and other data): Read privilege on the entity, Read User Settings on the Business Management tab, and Read View on the Customization tab
- To view single entities in detail: Read privilege on the entity, Read System Form on the Customization tab, Create and Read User Entity UI Settings on the Core Records tab
When logging in to Dynamics CRM for Outlook:
- To render navigation for Microsoft Dynamics CRM and all Microsoft Dynamics CRM buttons: Read Entity and Read View on the Customizations tab
- To render an entity grid: Read privilege on the entity, Read Customizations and Read Web Resource on the Customization tab, and Read Saved View on the Core Records tab
- To render entities: Read privilege on the entity, Read System Form on the Customization tab, and Create, Read, and Write User Entity UI Settings on the Core Records tab

Privacy notices

Licensed Dynamics CRM Online users with specific Security Roles (CEO – Business Manager, Sales Manager, Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized to access the service by using CRM for phones, as well as other clients.

An administrator has full control (at the user security role or entity level) over the ability to access and the level of authorized access associated with the phone client. Users can then access CRM Online by using CRM for phones, and Customer Data will be cached on the device running the specific client.

Based on the specific settings at the user security and entity levels, the types of Customer Data that can be exported from CRM Online and cached on an end user’s device include record data, record metadata, entity data, entity metadata, and business logic.

An administrator has full control (at the user security role or entity level) over the ability to access and the level of authorized access associated with the tablet client. Users can then access CRM Online by using CRM for tablets, and Customer Data will be cached on the device running the specific client.

If you use Microsoft Dynamics CRM for Outlook, when you go offline, a copy of the data you are working on is created and stored on your local computer. The data is transferred from CRM Online to your computer by using a secure connection, and a link is maintained between the local copy and CRM Online. The next time you sign in to CRM Online, the local data will be synchronized with CRM Online.

An administrator determines whether or not an organization’s users are permitted to go offline with Microsoft Dynamics CRM for Outlook by using security roles.

Users and administrators can configure which entities are downloaded via Offline Sync by using the Sync Filters setting in the Options dialog box. Alternatively, users and Administrators can configure which fields are downloaded (and uploaded) by using Advanced Options in the Sync Filters dialog box.

If you use Microsoft Dynamics CRM Online, when you use the Sync to Outlook feature, the CRM data you are syncing is “exported” to Outlook. A link is maintained between the information in Outlook and the information in CRM Online to ensure that the information remains current between the two. Outlook Sync downloads only the relevant CRM record IDs to use when a user attempts to track and set regarding an Outlook item. The company data is not stored on the device.

An administrator determines whether your organization’s users are permitted to sync CRM data to Outlook by using security roles.

If you use Microsoft Dynamics CRM Online, exporting data to a static worksheet creates a local copy of the exported data and stores it on your computer. The data is transferred from CRM Online to your computer by using a secure connection, and no connection is maintained between this local copy and CRM Online.

When you export to a dynamic worksheet or PivotTable, a link is maintained between the Excel worksheet and CRM Online. Every time a dynamic worksheet or PivotTable is refreshed, you’ll be authenticated with CRM Online using your credentials. You’ll be able to see the data that you have permissions to view.

An administrator determines whether or not an organization’s users are permitted to export data to Excel by using security roles.

When Microsoft Dynamics CRM Online users print CRM data, they are effectively “exporting” that data from the security boundary provided by CRM Online to a less secure environment, in this case, to a piece of paper.

An administrator has full control (at the user security role or entity level) over the data that can be extracted. However, after the data has been extracted it is no longer protected by the security boundary provided by CRM Online and is instead controlled directly by the customer.

Create or edit a security role

Create a security role

Check your security role

Edit a security role

Check your security role

Minimum privileges for common tasks

Privacy notices

See Also

Additional resources