Creating a new security role in Microsoft Dynamics CRM (Best Practices)

It is helpful to create new security roles in Microsoft Dynamics CRM to control access for users. For example, you want a user to have the ability only to see records that they own, or perhaps you do not want your users to be able to delete any existing CRM records — creating a new security role can provide these restrictions.

To create a new security role in CRM, navigate to the Settings tab >> Administration >> Security Roles. There is a default baked-in set of standard security roles provided by Microsoft. If you open one of these up you will notice that you can not edit these. In order to create a new security role there are two ways to do so:

1. Click the New button at the top of the list.
2. Copy an existing security role, rename, and modify to your liking.

It is a best practice to go the route of Option 2 as it is far easier to whittle away the permissions you do not want the role to have than to build a role from scratch. (Unless you have experienced the thrill of banging your head against the wall whilst creating a new security role from scratch, it may not be outwardly obvious that this can lead to the fool’s task of an Easter-egg hunt for assigning necessary permissions.) An exception where you may want to create a New security role from scratch is if the role will only contain a few “add-on” permissions (take the example above where the majority of your users will not be able to delete records, however you want to create a simple role where the delete privilege is allowed for say Accounts and Contacts).

This leads into the concept offered by Microsoft called “layering”. A user can be assigned multiple security roles giving that user as much access as the highest level of security they are assigned to. If we refer to my examples up top, if a user is assigned to the role that does not permit them to delete any existing CRM records but also to the new role you created that allows them to delete Accounts and Contacts, they will be able to delete Accounts and Contacts despite being assigned both roles.