CRM 2011 Team Permissions In Practise

I’ve often heard that Users inherit the permission roles of the Teams they are a member of, and this is true. As MSDN states:

A user’s set of privileges is a union of privileges from the user’s roles and privileges from all teams’ roles in which the user is a member.

However, I feel this is misleading: this statement and the use of the word inherit – to me anyway – make it sound like the User has all the permissions of the Team. In practice, what they actually have is the ability to impersonate the Teams they are a member of, which is subtly different. As a User they can’t do what the Team can do, but they can say they are the Team.

I’ll explain this with an example, which makes it a lot clearer and is the reason I came to this conclusion. Consider a setup like this:

  • We have one Business Unit – Gold
  • We have one Team – Alpha – in the Gold Business Unit
  • We have one User – James – in the Gold Business Unit and who is a member of the Alpha Team (and his default Business Unit Team, that Team has no permissions however)

  • Alpha has two security roles
    • Core – this allows basic access to login to CRM
    • Alpha Team Security Role – this gives ‘Create’ of Activities with a Privilege Level of User

  • James has one security role
    • Core – this allows basic access to login to CRM

So, when I first did this I expected that it would allow my user James to create Activities (task, phone call etc.) with himself as the user. However, this isn’t the case: upon attempting this I received an ‘Access Is Denied’ error. This demonstrates that the user does not have the same permissions as the Team.

The context of the Security Role is very important here: it’s been granted to the Team (not to the User), which effectively says: ‘Alpha Team can create Activities where they are the owner’.

If I change the ownership of the Task to the Alpha Team, the record will save successfully. Because James is a member of Alpha, this effectively says: ‘James can say he is the Alpha Team’.

As an aside, if we increase the Privilege Level to Business Unit, then James can create the record with himself as the owner, because he is in the same Business Unit as Alpha Team.

I hope this makes sense, because it’s certainly not how I expected it to work, but it does make sense once understood; it’s just another thing to consider when designing your permissions model.
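
The behaviour described above can be written down as a small model of the check. This is an added example, not code from the original post or from the CRM SDK: the class and function names, the privilege name CreateActivity and the three depth levels are assumptions chosen for illustration, and it is a simplified model (no parent/child Business Unit depth), not CRM’s actual access check.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Depth(IntEnum):
    USER = 1           # records owned by the principal that holds the role
    BUSINESS_UNIT = 2  # records owned by anyone in that principal's business unit
    ORGANISATION = 3   # records owned by anyone


@dataclass
class Principal:
    """A User or a Team (hypothetical model type, not an SDK class)."""
    name: str
    business_unit: str
    # privilege name -> depth, granted through this principal's own security roles
    privileges: dict = field(default_factory=dict)
    teams: list = field(default_factory=list)  # team memberships (users only)


def grant_covers(holder, privilege, owner):
    """Does a role held by `holder` allow `privilege` on a record owned by `owner`?"""
    depth = holder.privileges.get(privilege)
    if depth is None:
        return False
    if depth == Depth.USER:
        return owner is holder  # the holder itself must be the owner
    if depth == Depth.BUSINESS_UNIT:
        return owner.business_unit == holder.business_unit
    return True  # ORGANISATION


def can(user, privilege, owner):
    """Union of the user's own grants and each team's grants, where every
    grant is evaluated relative to the principal that holds the role."""
    return any(grant_covers(p, privilege, owner) for p in [user, *user.teams])


def scenario(team_depth):
    """The post's setup as constructed sample data. The Core role grants no
    create privilege, so it is left out. Returns (owned by James, owned by Alpha)."""
    alpha = Principal("Alpha", "Gold", {"CreateActivity": team_depth})
    james = Principal("James", "Gold", teams=[alpha])
    return can(james, "CreateActivity", james), can(james, "CreateActivity", alpha)


if __name__ == "__main__":
    for depth in Depth:
        print(depth.name, scenario(depth))
```

At User depth the result is denied for a record owned by James and allowed for one owned by Alpha, which is the ‘Access Is Denied’ case from the post; at Business Unit depth both are allowed.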


4 thoughts on “CRM 2011 Team Permissions In Practise”

  1. I agree the term “inherit” is a bit misleading, because that to me sounds like a permanent copy of the rights or something. I’m not sure I would think of this as impersonation either though, strictly speaking, since the “created by” would be recorded correctly as James in your example.

    However, you are right to say that the role must be taken in context, and relative to the security principal which has the role. This is an important factor in understanding why a user can read records that are owned by a Team they are a member of (ownership implies the Team must have a role allowing at least “Read” privileges otherwise you could not assign records to them), but not necessarily read all records belonging to other Users who are also members of the same team, unless the Team role allows at least BU-level rights.

    Note: if James is in BU Gold and has only a core role which gives no rights to Cases and is a member of team Beta in BU Silver which has a role allowing BU level rights to “Create” Cases, then James can create a Case where the owner is any User or Team in the Silver BU. This BU access is relative to the ‘location’ of the Team.
    He cannot create a Case where he is the owner since that Case would belong to him and therefore ‘belong’ to BU Gold, which the Beta team has no rights to create. If we increase the rights for the Beta team to organisation level create for Cases, then he can create a Case owned by anyone.

  2. Pingback: CRM 2011 Team vs User Permissions In Practise | plastikpony

  3. It is wrongly explained.
    The user inherits all the permissions from the team.
    The permissions relate to the owner of the record and that is why it is important to know who is the owner of the record.
    It does not help me as a user to inherit permissions that do not permit me to work on the records I need.
    It is like me being able to act as the HR team but actually I need access to a file owned by a person in HR, not a file owned by the team in HR.
    Until that file is not owned by the team I can not access it even if I am part of the team.
