Dynamics 365: Team member’s Privilege Inheritance

All Dynamics 365 developers and customers are familiar with security roles. Dynamics 365 uses security roles to define how users access the underlying records. Security roles work together with business units and can be assigned directly to a user or to a team.

Security role privileges are cumulative!

A Dynamics user ends up with the least restrictive permissions across all the security roles assigned to them directly or through the teams they belong to.


Now, last month Microsoft introduced a “Privilege Inheritance” setting under security roles. I found it while I was preparing for my exam and was quite surprised. First, let’s go through the official definitions of the two kinds of privileges.

  1. User privileges: The user is granted these privileges directly when a security role is assigned to the user. The user can create records, and has access to records created/owned by the user, when the Basic access level for Create and Read was given.
  2. Team privileges: The user is granted these privileges as a member of the team. Team members who do not have user privileges of their own can only create records with the team as the owner, and they have access to records owned by the team when the Basic access level for Create and Read was given.


Now, if you open any security role, you will see a drop-down to select one of the following privilege inheritance options. Below I explain how each option behaves when the security role is assigned to a user or to a team.


Default – Team Privileges Only

  • Assigned to User: If a security role with ‘Default – Team Privileges Only’ is assigned to a user, it is the same old default behaviour for the user.
    The user can create a record as its owner and access records based on the record-level privileges. Remember, the user needs User (Basic) level privileges for this.
  • Assigned to Team: If a security role with ‘Default – Team Privileges Only’ is assigned to a team, it is the same old default behaviour for the team members.
    Team members can only create a record with the team as owner and can only access records owned by the team.


Direct User (Basic) access level and Team Privileges

  • Assigned to User: If a security role with ‘Direct User (Basic) access level and Team Privileges’ is assigned to a user, the setting makes no difference: it behaves the same as ‘Default – Team Privileges Only’.
  • Assigned to Team: If a security role with ‘Direct User (Basic) access level and Team Privileges’ is assigned to a team, this is where things get interesting.
    With this new feature, team members can create records that they own themselves as well as records with the team as owner, and they can access records owned by them or by their teams.


In short, the only difference this new feature makes is:

When a security role with ‘Direct User (Basic) access level and Team Privileges’ is assigned to a team, the team members can create records they own themselves and can access all records that they or their team own.
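A small Python model of the behaviour described above, added here as an illustration (it is not code from this post, nor Dynamics 365 or Dataverse API code). Role, team and user names are made up, and it covers only the User (Basic) access level for Create and Read, treating direct and team privileges as cumulative as the post states.

```python
from dataclasses import dataclass, field
from enum import Enum

class Inheritance(Enum):
    TEAM_ONLY = "Default - Team Privileges Only"
    DIRECT_USER_AND_TEAM = "Direct User (Basic) access level and Team Privileges"

@dataclass(frozen=True)
class Role:
    name: str
    basic: frozenset  # privileges held at the User (Basic) access level, e.g. {"Create", "Read"}
    inheritance: Inheritance = Inheritance.TEAM_ONLY

@dataclass
class User:
    name: str
    direct_roles: list = field(default_factory=list)
    teams: dict = field(default_factory=dict)  # team name -> roles assigned to that team

def granted_owners(user, privilege):
    """Owners (('user', n) or ('team', n)) whose records `user` may act on with `privilege`.
    Privileges are cumulative: the union over direct roles and all team roles.
    Only the Basic access level is modelled (no BU/Parent/Org levels, no sharing)."""
    owners = set()
    for role in user.direct_roles:  # direct assignment: the inheritance setting changes nothing
        if privilege in role.basic:
            owners.add(("user", user.name))
    for team, roles in user.teams.items():
        for role in roles:
            if privilege not in role.basic:
                continue
            owners.add(("team", team))  # default: members act only on team-owned records
            if role.inheritance is Inheritance.DIRECT_USER_AND_TEAM:
                owners.add(("user", user.name))  # new setting: members may also own records
    return owners

def can_create_owned_by(user, owner):
    return owner in granted_owners(user, "Create")

def can_read(user, record_owner):
    return record_owner in granted_owners(user, "Read")

# Constructed sample (hypothetical names): one role per inheritance setting, assigned to a team.
LEGACY_ROLE = Role("Contract Worker", frozenset({"Create", "Read"}))
NEW_ROLE = Role("Contract Worker", frozenset({"Create", "Read"}), Inheritance.DIRECT_USER_AND_TEAM)
ALICE = User("alice", teams={"Contractors": [LEGACY_ROLE]})  # no direct roles
BOB = User("bob", teams={"Contractors": [NEW_ROLE]})  # no direct roles
```

With the legacy setting, `ALICE` can only create and read team-owned records; with the new setting, `BOB` can additionally own records and read them, while assigning either role directly to a user yields the same result.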


A Use Case:

By using this feature, you can allow users to create and own records even if they have no direct security role. One use case is a system where users’ roles and responsibilities change a lot, or a system used by temporary or contract staff.
Unlike before, the new Privilege Inheritance setting offers the following benefits:

  • Users can now create records they own with just User (Basic) level access, and they can belong to any business unit.
  • As users will be the owners of their records, it is easy to monitor records at a glance.
  • Of course, it takes the burden of managing multiple security roles back and forth off the system administrators’ shoulders.


But remember, security roles are only part of the security model Dynamics 365 provides to control data access: it lets you set up an organisational structure that protects sensitive data while still allowing collaboration.
The Dynamics security model includes business units, security roles, field security profiles, teams (owner teams, access teams and access team templates) and so on.

A user can gain access to records through owner teams, access teams and access team templates, and through record sharing.

If users can access records beyond what their security roles grant, they are getting that access through secondary methods, such as the teams they belong to or the sharing of particular records, so check those when auditing who can see what.


I hope I was able to explain this new feature and that you will use it in your new projects.
Till next time, folks. 😉

Manish Rawat

Microsoft Certified: Dynamics 365 + Power Platform Solution Architect Expert, with a little knowledge of Scrum (PSM-I) and keen to learn about Power Platform 😎