Active Directory

Microsoft CRM uses Windows® Active Directory® to store information about users, business units, teams, and roles. When you install Microsoft CRM, a new organizational unit (OU) object is created that uses the Organization name you have specified.

Users

To add a new user to Microsoft CRM, the user must first exist in Active Directory. Each user has a user object in Active Directory.

Business Units and Teams

When a business unit is created in Microsoft CRM, it shows up as an organizational unit (OU) object in Active Directory within the OU for the root organization of the business unit hierarchy.

When a team is created or modified, it shows up as a security group object within the Microsoft CRM OU object in Active Directory. When a user is added to a team, the user becomes a member of the team in Active Directory.

Roles

Each role that is defined in Microsoft CRM is implemented as up to three Active Directory security groups. The security groups for each role are as follows:

  • MSCRM Role (role_name). This security group is present for all roles and has all users assigned to this role as members. On objects for which the role grants the Local access level for an access right, Microsoft CRM grants read access to this group on every object of that type in the business unit.
  • MSCRM Glbl (role_name). This security group is created only when a role has any objects with Global access levels. The MSCRM Role (role_name) group is a member of this group. On objects for which the role grants the Global access level for an access right, Microsoft CRM grants the access right to members of the MSCRM Glbl (role_name) group on every object of that type in the organization.
  • MSCRM Deep (role_name). This group is created only when a role has any objects with Deep access levels. The MSCRM Role (role_name) group is a member of this group. On objects for which the role grants the Deep access level for an access right, Microsoft CRM grants the access right to the MSCRM Deep (role_name) group on every object of that type in the business unit and all of that unit’s child business units.

For example, assume John is a member of the Vice President of Sales role, a role defined as having Global read, Deep create, and Local write privileges on activities. As a result:

  1. John can read all activities in the organization. That's because John is a member of the MSCRM Role (Vice President of Sales) group, which in turn is a member of the MSCRM Glbl (Vice President of Sales) group. The Glbl group has been granted read access on all activities in John's organization.
  2. John can create activities in his business unit and all subordinate business units. That's because John is a member of the MSCRM Role (Vice President of Sales) group, which in turn is a member of the MSCRM Deep (Vice President of Sales) group. The Deep group has been granted create access on all activities in John's business unit and all of that unit’s child business units.
  3. John can make changes to all activities in his business unit. That's because John is a member of the MSCRM Role (Vice President of Sales) group and this group (the Role group) has been granted write access on all activities in John's home business unit.
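The following Python model, added here as an illustration and not part of Microsoft CRM or this documentation, walks through the three-group scheme above: it derives the security groups a role produces, expands the nested membership (Role group inside the Glbl and Deep groups), and decides whether a user holds a given access right on an object in a given business unit. The business unit names (Contoso, Sales, Sales East, Service), John's home business unit (Sales), and the convention that a role's Local and Deep scopes are anchored at the member's home business unit are assumptions chosen to mirror the John example; they are not values from the page.

```python
"""Model of how Microsoft CRM maps role access levels onto Active Directory
security groups. Added example; constructed data, not Microsoft's code."""
from enum import Enum


class AccessLevel(Enum):
    NONE = "None"
    LOCAL = "Local"
    DEEP = "Deep"
    GLOBAL = "Global"


# Constructed business-unit hierarchy: child -> parent (None marks the root organization).
BU_PARENT = {
    "Contoso": None,
    "Sales": "Contoso",
    "Sales East": "Sales",
    "Service": "Contoso",
}


def is_in_subtree(bu, root):
    """True if bu equals root or is a descendant of root in the BU hierarchy."""
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT[bu]
    return False


def security_groups_for_role(role_name, privileges):
    """Return the AD security groups CRM creates for a role, each mapped to the
    groups nested inside it. The Role group always exists; Glbl and Deep groups
    exist only when some privilege uses that level, and the Role group is a
    member of each of them."""
    role_group = f"MSCRM Role ({role_name})"
    groups = {role_group: set()}
    levels = set(privileges.values())
    if AccessLevel.GLOBAL in levels:
        groups[f"MSCRM Glbl ({role_name})"] = {role_group}
    if AccessLevel.DEEP in levels:
        groups[f"MSCRM Deep ({role_name})"] = {role_group}
    return groups


def expand_membership(direct_groups, nesting):
    """Transitive closure of group membership: a user placed in the Role group
    is effectively a member of every group the Role group is nested in."""
    effective = set(direct_groups)
    changed = True
    while changed:
        changed = False
        for group, members in nesting.items():
            if group not in effective and members & effective:
                effective.add(group)
                changed = True
    return effective


def grantee_for(role_name, privileges, object_type, right, object_bu, role_bu):
    """Which group (if any) is granted `right` on objects of `object_type`
    located in `object_bu`, for a role anchored at `role_bu`."""
    level = privileges.get((object_type, right), AccessLevel.NONE)
    if level is AccessLevel.GLOBAL:
        return f"MSCRM Glbl ({role_name})"       # every object in the organization
    if level is AccessLevel.DEEP and is_in_subtree(object_bu, role_bu):
        return f"MSCRM Deep ({role_name})"       # the BU and all of its child BUs
    if level is AccessLevel.LOCAL and object_bu == role_bu:
        return f"MSCRM Role ({role_name})"       # the BU only
    return None


def user_can(user_groups, role_name, privileges, object_type, right, object_bu, role_bu):
    """True if one of the user's effective groups is the grantee for this access."""
    nesting = security_groups_for_role(role_name, privileges)
    effective = expand_membership(user_groups, nesting)
    grantee = grantee_for(role_name, privileges, object_type, right, object_bu, role_bu)
    return grantee is not None and grantee in effective


# Constructed data mirroring the page's example: Vice President of Sales has
# Global read, Deep create and Local write on activities; John holds the role.
VP_SALES = "Vice President of Sales"
VP_PRIVILEGES = {
    ("activity", "read"): AccessLevel.GLOBAL,
    ("activity", "create"): AccessLevel.DEEP,
    ("activity", "write"): AccessLevel.LOCAL,
}
JOHN_GROUPS = {f"MSCRM Role ({VP_SALES})"}   # John's direct AD group membership
JOHN_BU = "Sales"                            # assumed home business unit


def john_can(right, object_bu):
    """Can John exercise `right` on an activity that lives in `object_bu`?"""
    return user_can(JOHN_GROUPS, VP_SALES, VP_PRIVILEGES, "activity", right, object_bu, JOHN_BU)


if __name__ == "__main__":
    print(sorted(security_groups_for_role(VP_SALES, VP_PRIVILEGES)))
    for right, bu in [("read", "Service"), ("create", "Sales East"),
                      ("create", "Service"), ("write", "Sales"), ("write", "Sales East")]:
        print(f"John can {right} activities in {bu}: {john_can(right, bu)}")
```

The model makes the page's three conclusions explicit: the read check succeeds even in an unrelated business unit because the grant sits on the Glbl group, the create check succeeds only inside John's subtree because the grant sits on the Deep group, and the write check succeeds only in John's own business unit because the grant sits directly on the Role group. A role that uses only Local levels produces a single Role group and nothing else, which is a useful sanity check when auditing the MSCRM groups an organization's Active Directory actually contains.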

© 2005 Microsoft Corporation. All rights reserved.