Welcome back to our discussion on D365 Customer Engagement (CE) Security concepts. Today, we will explore the concept of team-based security and how to utilize this element to optimize an organization’s security. For more CE Security background, check out our last blog, where we covered CE security fundamentals, including organization hierarchy, business units, entities, privileges, access levels and record ownership.
Introduction to Teams
“Teams” within CE is different from the “Teams” application that Microsoft provides for collaboration across organizations but serves a similar function within CE. Going forward, when we refer to Teams, we are referring to the security object within CE, not the Microsoft collaboration application. At its origin, the concept of the Teams security object had a simple purpose: to allow for collaboration across business units. (Remember in our Fundamentals blog we said a user can only be assigned to one business unit.) However, later releases of Dynamics have expanded Teams to be a multi-dimensional concept that serves several purposes. A team can now own its own records to allow for easy collaboration and can even be assigned its own security role(s), providing a simple way to apply a shared security role to a group instead of individuals. The quick process of assigning a security role to a team is shown below. Proceed to Security > Teams > “Team of interest,” and choose to “Manage roles.”
Teams as the Solution to Access Level Limitations
While the basic security model enables users in the same business unit to see and collaborate on each other’s records, this often provides more access than desired, especially in the case of a large business unit. Re-work to the system’s hierarchy design, such as re-configuring business unit setup, is typically undesirable, as it may provide additional complications. Teams can provide a workaround for these difficult use case scenarios. A team combines the concept of record ownership with the concept of role-based security to provide the desired level of privileges to the correct set of records.
Take the following scenario in which the standard CE access levels create limitations:
Scenario: In addition to the records he/she owns, a user regularly needs access to a portion, but not all, of the records within their business unit.
- Use-Case: A large business unit for the entire Southeast region exists for ABC Corporation. However, a sales employee in Georgia should only see contacts created by the Atlanta and Columbus offices.
- If we assign a security role directly to the user with basic access level on the contact entity, the user can then only see contacts he/she creates. The user also needs to be able to collaborate on contacts created by others within the Atlanta and Columbus offices.
- If we assign a security role directly to the user with local (business unit) access level on the contact entity, the user will receive privileges to all Contact records within the entire Southeast region, providing undesirable excessive access.
- Solution: create a team for “Georgia Sales,” combining the concepts of team record ownership and team security roles.
- Record ownership: This team will be the owner of all contact records created in either the Atlanta office or the Columbus office.
- Team security role: Assign a security role to team “Georgia Sales” that includes Basic access level privileges on Contact records.
- Finally, add all sales employees within the Atlanta and Columbus offices as members of “Georgia Sales” team. The members will then inherit privileges to the contact records owned by the team.
Teams as a Way to Streamline Role Provisioning
Team-based security also provides an option for streamlining the work associated with assigning security roles within shifting organizations. Teams can drastically decrease the maintenance and upkeep required in organizations with high turnover, regular personnel location changes, etc. when security role deprovisioning and provisioning is a frequent task. In a case where users within a particular group all require the same set of permissions, an administrator can create a team and assign a security role directly to the team (and thus to all team members), instead of tediously assigning roles to each individual user. Users can then be added and removed from the team as needed. Take the following scenario in which Teams can facilitate the role provisioning process:
Scenario: A large pool of employees was recently promoted, and all users need a new security role providing elevated permissions.
- Use Case: ABC Corporation has a yearly promotion cycle in which 50 distinguished sales managers across the country are promoted to sales directors. A sales director must be able to see organization-wide sales data, yet in the former sales manager role, he/she only had access to sales data within his/her respective business unit.
- Limitations of User Security Roles: With role-based security at the user level, the system requires that each user’s profile be updated, assigning the appropriate sales director security role directly to that individual. Then, repeat this tedious sequence on each user’s profile for a total of 50 times!
- Solution: Create a team called “Sales Directors,” and assign the proper security role once.
- Assign the appropriate sales director security role to team Sales Directors.”
- Bulk-select all 50 users to add as members of the team.
- Remove the users from former teams as needed.
The security model of Microsoft’s Dynamics 365 CE applications is complex and provides many options. It can be difficult to design a plan that leverages the right components and intertwines them correctly to provide a perfect fit for any organization. Fortunately, Team-based security can provide agile workarounds, fine-tune the gaps provided by access levels and reduce role provisioning upkeep.