Security Model of Dynamics CRM
Business Unit – A way to group business activities.
- When an organization is created, a Root Business Unit is created by default. This Root BU cannot be deleted.
- Each Business Unit automatically gets a default team, and the team’s name is the same as the Business Unit’s name.
- Every Business Unit has a parent BU. By default, new BUs have the Root BU as their parent, but you can also create a custom BU and set it as the parent.
- Every User is linked to only one BU.
- Teams provide access to records through assigned security roles.
- Security roles assigned to a team are inherited by all its members.
Types of Teams:
- Owner Team
- Security Group Team
- Access Team
Owner Team → Own records + roles
Security Group Team → Same as Owner, but managed via Azure AD
Access Team → No ownership, only shared access
- Security roles define the access levels and privileges that control what a user can view and do in the system. They can be assigned directly to users or inherited through team membership.
- Privileges include: Create, Read, Write, Append, Append To, Share, Assign, and Delete.
- Access Levels determine the scope of those privileges: None, User, Business Unit (BU), Parent–Child BU, and Organization.
- Additionally, security roles include miscellaneous permissions such as Export to Excel, Run Workflow, and Run Flow.
Aspect | User/Team Owned | Organization Owned |
---|---|---|
Ownership | Record can be owned by a user or a team | Record is owned by the organization |
Key Fields | owninguser, owningteam | organizationid |
Access Levels | Supports all: None, User, BU, Parent-Child BU, Organization | Supports only: None, Organization |
Security | Granular control with record-level access & sharing | Broad access, visible across organization |
Use Cases | When record-level ownership & sharing is required | When records should be accessible org-wide |
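The way privileges, access levels, business units and table ownership combine can be sketched as a small Python model. This is an added example, not code from the original post or from Microsoft: the BU tree, users, roles and the `can` function are constructed. It assumes each role is evaluated relative to the principal (user or team) that holds it, and it leaves out sharing, Access Teams and field security.

```python
from enum import IntEnum

class Depth(IntEnum):  # access levels, narrowest to broadest
    NONE = 0
    USER = 1
    BU = 2
    PARENT_CHILD = 3
    ORG = 4

# Constructed business unit tree (child -> parent); the Root BU has no parent.
BU_PARENT = {"Root": None, "Sales": "Root", "Sales-EU": "Sales", "Support": "Root"}

def in_subtree(bu, top):
    """True if `bu` is `top` or one of its descendants."""
    while bu is not None:
        if bu == top:
            return True
        bu = BU_PARENT[bu]
    return False

def grants(user, teams):
    """Yield (principal, principal_bu, role) for direct and team-inherited roles."""
    for role in user["roles"]:
        yield user["name"], user["bu"], role
    for team in user["teams"]:
        for role in teams[team]["roles"]:
            yield team, teams[team]["bu"], role

def can(user, teams, record, privilege):
    """Model assumption: a role is scoped to the principal (user or team) holding it."""
    for principal, bu, role in grants(user, teams):
        depth = role.get((record["table"], privilege), Depth.NONE)
        if record["org_owned"]:
            ok = depth == Depth.ORG  # org-owned tables: only None or Organization
        else:
            ok = ((depth >= Depth.USER and record["owner"] == principal)
                  or (depth >= Depth.BU and record["owner_bu"] == bu)
                  or (depth >= Depth.PARENT_CHILD and in_subtree(record["owner_bu"], bu))
                  or depth == Depth.ORG)
        if ok:
            return True
    return False

# Constructed sample data: alice sits in Sales and is also on the Support BU's team.
SALES_ROLE = {("account", "Read"): Depth.PARENT_CHILD, ("account", "Write"): Depth.USER,
              ("currency", "Read"): Depth.ORG}
TEAMS = {"Support": {"bu": "Support", "roles": [{("account", "Read"): Depth.BU}]}}
ALICE = {"name": "alice", "bu": "Sales", "roles": [SALES_ROLE], "teams": ["Support"]}
```

In this model alice can read an account owned in Sales-EU through her own Parent–Child BU role, but an account owned in Support is readable only through the Support team's Business Unit-level role, which is the kind of inherited access worth checking when reviewing team membership.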
- Field security is used to control access to specific fields (columns) in a table (entity).
- Field security must first be enabled in the column’s properties.
- Access Types available: Create, Read, Update, or Not Assigned.
- Field Security Profiles can be assigned to users or teams to manage access.
- Privileges are assigned directly to the team.
- Once an Access Team is created, it can be added to a form, allowing users to share the record by adding other users to the team.
- This process can also be performed programmatically.