http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspxIn this post I’ll describe some of the CRM Security Model internals. I’ll describe how roles and privileges are used under the covers, how security is enforced for different operations, and some of the internal structures that make it possible. Overviewen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#2064887Tue, 10 Apr 2007 01:21:53 GMT91d46819-8472-40ad-a661-2c78acb4018c:2064887K. Brian Kelley - Databases, Infrastructure, and Security<p>On the Microsoft Dynamics CRM Team Blog, Jay Grewal has posted information about the CRM Security Model...</p> http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#3071316Mon, 04 Jun 2007 05:12:56 GMT91d46819-8472-40ad-a661-2c78acb4018c:3071316Paul Turner<p>Great article on the internals.</p>http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#8681386Wed, 02 Jul 2008 16:34:50 GMT91d46819-8472-40ad-a661-2c78acb4018c:8681386Bilal Yasseen<p>Hi Jay,</p> <p>What's the best way to generate an Access Matrix Report for MS CRM 4.0?</p> <p>For each entity (custom or system), the report should display:</p> <p>- the Access Rights (Create, Read...) as rows</p> <p>- the Security Roles as columns</p> <p>- the data as the privilage depth (user, business unit...) if the role has access otherwise display &quot;No Access&quot;</p> <p>Kindly note that this is really urgent.</p> <p>Your Help is really appreciated.</p> http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#8689877Fri, 04 Jul 2008 19:13:58 GMT91d46819-8472-40ad-a661-2c78acb4018c:8689877Kumar<p>Good article. We have a situation related to security(in CRM 4.0) where we all users have access to Read + Edit all Accounts but if a certain account is marked as &quot;Secret&quot;, only a defined list of users should be able to Read + Edit it and all other users will not even have read permissions to that record.This list of users is per account level and is dynamic. You can add/remove people from this list. How can this be implemented using CRM security model? </p>http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#8690972Fri, 04 Jul 2008 23:11:28 GMT91d46819-8472-40ad-a661-2c78acb4018c:8690972Frank Lee<p>If needing a more dynamic &quot;Secret&quot; list of users - either setup a busness unit/security role setup that supports it OR use Record Sharing to achieve it.</p> <p>Frank Lee, Microsoft Dynamics CRM MVP</p> <p><a rel="nofollow" target="_new" href="http://microsoft-crm.spaces.live.com">http://microsoft-crm.spaces.live.com</a></p> <p><a rel="nofollow" target="_new" href="http://www.workopia.com/Links.htm">http://www.workopia.com/Links.htm</a></p>http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#8732805Tue, 15 Jul 2008 12:02:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:8732805Niamh<p>Hi Jay,</p> <p>I have a similar situation. I am working with a sales organisation. They want users in different divisions not to be able to see each other's contacts, opportunities, quotes etc. I have acheived this using business unit and role setup. However they want to make a list of certain contacts available to the whole organisation, but want to keep the inofrmation below the contact such as opportunity, quote private to just the individual divisions. If they use sharing to make records available to all, then users can automatically see all information related to that contact (opportunities/quotes). I cannot see any way to acheive this using business units and roles as they only want to share certain contacts. Any advice would be appreciated.</p>http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#9107020Mon, 17 Nov 2008 08:22:43 GMT91d46819-8472-40ad-a661-2c78acb4018c:9107020Shilpa<p>Hi,</p> <p>Couls you please let me know an efficient way of checking whether user has a sharing to particular record theu &quot;Principal object access&quot;. We have over 1 crore records in POA table. Dependind on this we need sahre the record to user thru security principal class..... Currently so hare around 10 opp(along with sharing accounts, conatc and few other custom entities are taking long time).</p> <p>Pls suggest on the same.</p> <p>Thanks in advance.....</p>http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#9315976Tue, 13 Jan 2009 19:57:18 GMT91d46819-8472-40ad-a661-2c78acb4018c:9315976reicoskyr<p>Has anyone seen the message: Users cannot add privileges to or change access levels for roles to which they are assigned. &nbsp;For Help with Changing a role, contact your CRM administrator. &nbsp;</p> <p>The problem is, I am the System Administrator, and still get this message, and I do not belong to the role that I am trying to change. &nbsp;Any ideas</p> http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#9823287Wed, 08 Jul 2009 03:36:10 GMT91d46819-8472-40ad-a661-2c78acb4018c:9823287Anne Stanton<p>Jay - </p> <p>Thanks for writing this up. It is still helpful two years later ;) </p> <p>Anne</p>http://blogs.msdn.com/crm/archive/2007/04/05/crm-security-model-internals.aspx#9891062Thu, 03 Sep 2009 22:42:25 GMT91d46819-8472-40ad-a661-2c78acb4018c:9891062Austin<p>I don't understand why it isn't possible to assign a user to a Security Role within other business units. Sharing has to be set on the account or contact, which means each time a new account or contact is setup someone has to remember to share it. If the user could just take on a role from another Business Unit, then they would have the proper access to existing and new accounts without further work.Microsoft has really limited CRM by implementing their security this way. How SAD. Now i have to jump through hoops to make a unmanageable workaround.</p>