Privileges by entity


Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Microsoft Dynamics 365 and Microsoft Dynamics 365 (online) ship with a set of predefined roles that reflect common user roles with access levels defined to match the security best-practice goal of providing access to the minimum amount of business data required for the job. You can also create custom roles. Each role is associated with a set of privileges that determines the user's access to information within the company. These privileges determine what actions a user with that security role can perform on entities. For more information, see How role-based security can be used to control access to entities in Microsoft Dynamics 365 and How record-based security can be used to control access to records in Microsoft Dynamics 365.

The following table lists the types of privileges that are referred to from the following entity/privilege reference.




Create a record.


View a record.


Make changes to a record.


Delete a record.


Associate a record to another record.

Append To

Associate entity record to this record.


Transfer record ownership to another user.


Give access to a record to another user while keeping your own access.


Assign a different parent to entity record.

These topics list the privileges available for each entity.

The following fetch query will return all privileges in the system, for each role.

<fetch version='1.0' mapping='logical' distinct='false'>
   <entity name='roleprivileges'>
      <attribute name='privilegeid'/>
      <attribute name='privilegedepthmask'/>
      <link-entity name='role' alias='roles' to='roleid' from='roleid' link-type='inner'>
         <attribute name='name'/>
      <link-entity name='privilege' alias='privileges' to='privilegeid' from='privilegeid' link-type='inner'>
         <attribute name='name'/>
         <attribute name='accessright'/>
         <attribute name='canbebasic'/>
         <attribute name='canbedeep'/>
         <attribute name='canbeglobal'/>
         <attribute name='canbelocal'/>

The security model of Microsoft Dynamics 365

Security role UI to privilege mapping

Default privileges for a role

Privileges by message

Microsoft Dynamics 365

© 2016 Microsoft. All rights reserved. Copyright