Sharing objects
Sharing allows users to give other users or teams access to specific customer information on an ad-hoc basis. This is useful for private objects, and for sharing information with users in roles that have only the Basic access level. For example, in an organization that gives salespeople Basic read and write access to accounts, a salesperson might choose to share an opportunity with another salesperson so that they can both track the progress of an important sale.
For security reasons, it is important to develop the practice of sharing only the necessary objects among the smallest set of users possible, and to grant only the minimum access required for users to do their jobs.
Microsoft CRM provides the following sharing capabilities:
- Share. Any user with share privileges on a given object type can share objects of that type with any other user in Microsoft CRM. If the shared object is private, the user needs the Share access right along with the share privilege for that object type. See Appendix A for a complete list of privileges. Sharing cannot cross organization boundaries. See below for the complete list of objects that support sharing.
- Share rights. When you share an object with another user, you are given the opportunity to indicate what access rights (Read, Write, Delete, Append, Assign, and Share) you want to grant to the other user for that object, its sub-objects, and related objects. Access rights on a shared business object can be different for each user with whom the object is shared. However, you cannot give a user any rights that he or she would not automatically have for that type of object on the basis of the role assigned to that user. For example, if a user does not have Read privileges on accounts and you share an account with that user, the user will not be able to see that account.
- Remove share. When you share an object with another user, you retain the right to stop sharing the object at a later date. After you remove the share for an object, the other user loses access rights to the object.
Tip Use the GrantAccess and RevokeAcess methods in the application programming interface (API) for sharing.
The following Microsoft CRM objects support sharing:
- Account
- Contact
- Lead
- Opportunity
- Incident
- Activity
- Note
- Contract
- Quote
- SalesOrder
- Invoice
Sharing objects in multiple contexts
A user might have access to the same object in more than one context. For example, a user might share an object directly with specific access rights, and he or she might also be on a team in which the same object is shared with different access rights. In this case, the access rights this user has on the object is the union of all the rights.
Sharing and inheritance
If an object is created and the parent object has certain sharing properties, the new object will inherit those properties. For example: Joe and Mike are working on a high priority lead. Joe creates a new lead and the first two activities, shares the lead with Mike, and selects cascade sharing. Mike makes a phone call and sends an e-mail regarding the new lead. Joe can see that Mike has contacted the company two times, so he does not make another call.
Sharing is maintained on individual objects. An object inherits the sharing properties from its parent and also maintains its own sharing properties. Therefore, an object can have two sets of sharing properties—one that it has on its own and one that it inherits from its parent.
Removing the share of a parent object removes the sharing properties of objects that it inherited from the parent. That is, all users who previously had visibility into this object no longer have visibility. Note that certain child objects might still be shared to some of these users if they were shared individually.