Set up security roles


When setting up security in Dynamics 365 Sales, you need to assign a security role to each user based on the access that you want the user to have. Depending on the function that you want users to have, you need to assign them the correct permissions through security roles.

Security roles in Dynamics 365 Sales are a matrix of security privileges (row-level) and access levels (task-based) for different tables. Different tabs are available based on functionality within this security matrix. A user can have more than one security role. Roles are cumulative, so a user's effective permissions are the combination of all roles that are assigned to that user.

In addition to the role-based security that is managed as described in the ensuing sections, you can create role-based forms. With the forms, you can create a different user experience based on a person’s role. Therefore, if you have a custom form for associates in your Australia division, you might want a slightly different form for associates in your Europe division. You need a designated fallback form for each table so that any user with any type of access has a form available. If a user has access to more than a single form for a table, they'll see a form selector that allows them to move from one form to another. Role-based forms don't control the user’s access to the data but rather tailor their experience to the role.

The Sales tab contains the most applicable rows for the Sales app. The Business Management and Business Process Flows tabs are also important for sales. Those tabs include permissions that enable functionality that is most used by people who use the Sales application.

Screenshot of the Sales Manager security role.

Each security role has privileges and access levels that are associated with it. The included security roles come with privileges that are preset for everything that you need to use the Sales application. The Sales app includes roles such as Sales Manager and Salesperson. These roles give users default permissions based on their assigned role.

The Salesperson security role gives a salesperson all permissions that a salesperson needs to enter all daily information, such as adding or editing leads, opportunities, and invoices.

Typically, the default privileges for the Sales Manager and Salesperson roles don't need to be changed unless you have a unique sales organization. The Salesperson role only allows that user to create and delete certain rows, like invoices and orders. By contrast, the user with the Sales Manager role can create or delete these rows for anyone in their business unit. For example, a sales manager can write an order for another salesperson or delete one of their orders, but the salesperson can't delete or write an order for another salesperson. This example is only one of many ways in which the included privileges are set up.

If circumstances occur where you want to add or delete privileges that aren't in one of the included roles, you can create custom roles and change the privileges for that table. For example, if you want to allow salespeople to assign accounts to anyone within the organization and not just for themselves, you can customize the role to match this need.

Screenshot of the Salesperson security role.

Privileges

Privileges define what actions a user can take in the system, such as:

  • Create
  • Read
  • Write
  • Delete
  • Append
  • Append to
  • Assign
  • Share

As shown in the previous screenshots, the circles define which privileges users have for that table. An empty circle means that no privileges are assigned. For example, if the user shouldn't have access to create an invoice, the circle next to Invoice and under the Create column would be empty.

Access levels

Access levels show the level at which a user can interact with rows within a given table. The portion of the circle that is filled illustrates the levels. The levels are None, User, Business Unit, Parent-Child Business Unit, and Organization. Click the circle to change the level. Each click will change the fill or color. Click the circle until it shows the level that you want.

Note

Many permissions under the Miscellaneous Privileges section offer only two options: organizational or nothing. The other levels don't apply to these privileges.

  • User (basic) - This level gives access to rows that the user owns or to anything that is shared with the user or team to which the user belongs. Use this setting if you want the user to access their own rows only. You wouldn't want to let salespeople delete other salespeople’s accounts or leads.

  • Business Unit (local) - This level allows access to the data of other users in a business unit. A business unit must be set up within Dynamics 365 and can be a hierarchy of a department. Sales managers would want to view all their subordinates’ rows.

  • Parent: Child Business Units (deep) - This level gives access to all business units that the user belongs to and to any business units that are subordinate to their business unit.

  • Organizational (global) - A user with this level has access to all rows in the organization. If you have a salesperson who is able to add products from any level of the organization, you want to give them access to all organizational products, not only the ones that are available for their business unit.
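The following Python model is an added example, not Microsoft's code or an API of the product. It shows how cumulative roles resolve to the widest access level per table and privilege, how each access level scopes a row check, and how to list Organization-level grants during a least-privilege review. The role matrices, business-unit tree, and names are constructed for illustration and are not the product's real defaults; sharing is simplified to a per-row list of user names.

```python
from enum import IntEnum

class Level(IntEnum):  # access levels in the order the page lists them
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3
    ORGANIZATION = 4

# Constructed role matrices {(table, privilege): level}; NOT the product's real defaults.
ROLES = {
    "Salesperson": {("order", "Read"): Level.BUSINESS_UNIT, ("order", "Delete"): Level.USER},
    "Sales Manager": {("order", "Read"): Level.BUSINESS_UNIT, ("order", "Delete"): Level.BUSINESS_UNIT},
    "Regional Lead": {("order", "Read"): Level.PARENT_CHILD},
    "Account Assigner": {("account", "Assign"): Level.ORGANIZATION},
}
BU_PARENT = {"Europe": "Root", "Australia": "Root", "Europe-North": "Europe"}  # constructed tree

def effective_level(role_names, table, privilege):
    """Roles are cumulative: the widest level granted by any assigned role wins."""
    return max((ROLES[r].get((table, privilege), Level.NONE) for r in role_names),
               default=Level.NONE)

def in_subtree(bu, root):
    """True if bu is root or sits anywhere below it in the business-unit tree."""
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT.get(bu)
    return False

def can(user, privilege, table, row):
    """Decide whether user may perform privilege on one row of table."""
    level = effective_level(user["roles"], table, privilege)
    if level == Level.NONE:
        return False
    if row["owner"] == user["name"] or user["name"] in row.get("shared_with", ()):
        return True  # User level: own rows and rows shared with the user
    if level == Level.ORGANIZATION:
        return True
    if level == Level.PARENT_CHILD:
        return in_subtree(row["owner_bu"], user["bu"])
    return level == Level.BUSINESS_UNIT and row["owner_bu"] == user["bu"]

def org_wide_grants(role_names, risky=("Delete", "Assign", "Share")):
    """Least-privilege review: which assigned role gives Organization-level risky privileges?"""
    return sorted((r, t, p) for r in role_names for (t, p), lvl in ROLES[r].items()
                  if lvl == Level.ORGANIZATION and p in risky)
```

Running `org_wide_grants` over every role a user holds, rather than one role at a time, is what catches a narrow role being widened by a second assignment.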

You can also create customized security roles by copying one of the included security roles and changing the necessary privileges and access levels. Create the customization based on particular job needs. If you have custom tables in your system, by default, only system administrators and system customizers have access. Therefore, you'll need a security role with the correct privileges and access levels for your users so that they can work with these tables.