Share via


Access levels

The access level for a privilege determines for a given object type at which levels within the organization hierarchy a user can act on that object type. Microsoft CRM has the following levels of access, starting with the most access:

Global Global. This access level exposes to the user all objects within the entire organization, regardless of the business unit hierarchical level to which the object or user belongs.

If an object in a user's organization is not private, then it is exposed to the user. Users with Global access automatically have Deep, Local, and Basic access as well.

Because this access level gives access to information throughout the entire organization, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the organization.

Note   The application refers to this access level as Organization.

Deep Deep. This access level exposes to the user objects in the user's business unit and all business units subordinate to the user's business unit.

If an object in the user's business unit or a child business unit is not private, then it is exposed to that user. Users with Deep access automatically have Local and Basic access as well.

Because this access level gives access to information throughout the entire business unit and subordinate business units, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business units.

Note   The application refers to this access level as Parent: Child Business Units.

For example, if a user has Deep Read Account privileges, this user can read all accounts in his or her business unit, as well as all accounts in any child business unit of that business unit.

Local Local. This access level exposes to the user objects in the user's business unit.

If an object in the business unit is not private, then it is exposed to a user who has Local access. Users with Local access automatically have Basic access as well.

Because this access level gives access to information throughout the entire business unit, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business unit.

Note   The application refers to this access level as Business Unit.

For example, if a user has Local Read Account privileges, this user can read all public accounts in the local business unit.

Basic Basic. This access level exposes to the user the objects he or she owns, objects that are shared with the user, and objects that are shared with a team of which the user is a member.

This is the typical level of access for sales and service representatives.

Note   The application refers to this access level as User.

For example, if a user is assigned the Basic Read Account privilege, this user can read only the accounts that he or she owns or the accounts that are shared with him or her.

None None Selected. None.

Note   Private objects are not supported through the Microsoft CRM application. However, the Microsoft CRM SDK includes the MakePublic/MakePrivate APIs. For more information, see Private Objects.

Examples

A customer service representative is set up with the Basic Read Account privilege in order to provide read access to accounts that he or she owns and to any accounts another user has shared with this user. This makes it possible for the representative to read the account data that is relevant to a service request, but not to change the data.

A data analyst is set up with the Local Read Account privilege in order to read account data and run account-related reports for all accounts in his or her business unit.

A finance officer for the company is set up with the Deep Read Account privilege in order to read account data and run account-related reports for all accounts in his or her business unit and in any subordinate business units.

More Information About Basic

The Basic access level is different from any other access levels because the user can create a situation where the he or she can no longer access a particular object that he or she owns. Two rights that you cannot revoke from yourself are Share and Read.

For example, let's say you have Basic Delete Account privileges. If you then share an account with yourself and do not grant yourself the delete rights, you will not be able to delete that account until you give yourself this right or remove the share to the account.

© 2005 Microsoft Corporation. All rights reserved.