Security Model of Dynamics CRM

Business Unit –

•  It is a way to group business activities.
• When an organization is created, a Root Business Unit is created by default. This Root BU cannot be deleted.
• Each Business Unit automatically gets a default team, and the team’s name is the same as the Business Unit’s name.
• Every Business Unit has a parent BU. By default, new BUs have the Root BU as their parent, but you can also create a custom BU and set it as the parent.
• Every User is linked to only one BU.

• Teams provide access to records through assigned security roles.
• Security roles assigned to a team are inherited by all its members.

Types of Teams:

1. Owner Team
2. Security Group Team
3. Access Team

Owner Team → Own records + roles
Security Group Team → Same as Owner, but managed via Azure AD
Access Team → No ownership, only shared access

Security Roles 

• Define the access levels and privileges that control what a user can view and perform in the system. They can be assigned directly to users or inherited through team membership.
• Privileges include: Create, Read, Write, Append, Append To, Share, Assign, and Delete.
• Access Levels determine the scope of those privileges: None, User, Business Unit (BU), Parent–Child BU, and Organization.
• Additionally, security roles include miscellaneous permissions such as Export to Excel, Run Workflow, and Run Flow.

Entity Ownership – When creating an entity, ownership can be set as User/Team or Organization

Column-Level Security (Field Security Profile) – 

• Used to control access to specific fields (columns) in a table (entity).
• Field security must first be enabled in the column’s properties.
• Access Types available: Create, Read, Update, or Not Assigned.
• Field Security Profiles can be assigned to users or teams to manage access.