Sunday, April 08, 2012

Dynamics CRM Security Role with Minimum Permission

When it comes to software solutions, it is always best practice to follow the Principle of Least Privilege. This is no different with Dynamics CRM 2011. This post provides basic instructions for creating a security role with the least privileges.

The help page in the Security Role entity under the “Create or edit a security role” topic already provides a pretty good summary of the minimum privileges required:

It's helpful to keep in mind the minimum privileges you need to define for some common tasks. These include:

  • When logging in to Microsoft Dynamics CRM:
    1. To render the home page: prvReadWebResource, prvReadCustomization
    2. To render an entity grid (that is, to view lists of records and other data): Read privilege on the entity, prvReadUserSettings, prvReadQuery
    3. To view single entities in detail: Read privilege on the entity, prvReadSystemForm, prvCreateUserEntityUISettings, prvReadUserEntityUISettings
  • When logging in to Microsoft Dynamics CRM for Outlook:
    1. To render navigation for Microsoft Dynamics CRM and all Microsoft Dynamics CRM buttons: prvReadEntity, prvReadQuery
    2. To render an entity grid: Read privilege on the entity, prvReadCustomization, prvReadWebResource, prvReadUserQuery
    3. To render entities: Read privilege on the entity, prvReadSystemForm, prvCreateUserEntityUISettings, prvReadUserEntityUISettings, prvWriteUserEntityUISettings

Suppose I want a user to have the minimum read access to a custom entity, limited to viewing the records that have been assigned to him. I would add the following permissions:

Basic Read Permission on your entity (prvRead[entityName])

EntityReadPermission

Access to view the entity grid and entity forms (prvReadQuery, prvReadSystemForm), as well as the permissions that are added by default (prvReadSdkMessage, prvReadSdkMessageProcessingStepImage, prvReadSdkMessageProcessingStep, prvReadPluginAssembly, prvReadPluginType). These default permissions are required for the smooth running of internal operations such as core CRM plugins.

Forms and Views

The User Entity UI Settings privileges give access to the functionality that remembers the user’s last accessed form (prvCreateUserEntityUISettings, prvReadUserEntityUISettings)

User UI Settings

Permission to access User Preferences (prvReadUserSettings)

UserSettings

Also keep in mind that when designing security roles, a good understanding of the organization structure and the deployed CRM solutions is key to success, as there may be additional plugins and workflows running in the background that require additional permissions.
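One way to check a role against the minimum sets listed above, as an added example that is not part of the original post or of the CRM SDK. The entity schema name `new_project`, the name-to-depth input shape and the sample role are assumptions constructed for illustration.

```python
# Added example: audit a role's privileges against the minimum sets on this page.
# ENTITY is a hypothetical custom entity schema name; substitute your own.
ENTITY = "new_project"
READ = f"prvRead{ENTITY}"  # the post's prvRead[entityName]

# Web-client tasks and their minimum privileges, as quoted from the help page.
TASKS = {
    "render home page": {"prvReadWebResource", "prvReadCustomization"},
    "render entity grid": {READ, "prvReadUserSettings", "prvReadQuery"},
    "view single record": {READ, "prvReadSystemForm",
                           "prvCreateUserEntityUISettings",
                           "prvReadUserEntityUISettings"},
}

# Privileges the post says are added to a role by default.
DEFAULTS = {"prvReadSdkMessage", "prvReadSdkMessageProcessingStepImage",
            "prvReadSdkMessageProcessingStep", "prvReadPluginAssembly",
            "prvReadPluginType"}

BASELINE = set().union(*TASKS.values()) | DEFAULTS


def audit_role(role):
    """role maps privilege name -> access depth (assumed input shape).

    Returns (missing privileges per task, privileges outside the baseline,
    whether the entity Read privilege is deeper than Basic).
    """
    granted = set(role)
    missing = {task: sorted(needed - granted)
               for task, needed in TASKS.items() if needed - granted}
    excess = sorted(granted - BASELINE)
    # "Records assigned to him" corresponds to Basic (user-level) depth.
    too_deep = READ in role and role[READ] != "Basic"
    return missing, excess, too_deep


# Constructed sample: lacks prvReadSystemForm, grants Read at business-unit
# depth, and carries one privilege the baseline does not call for.
SAMPLE_ROLE = {
    READ: "Local",
    "prvReadQuery": "Global", "prvReadUserSettings": "Basic",
    "prvReadWebResource": "Global", "prvReadCustomization": "Global",
    "prvCreateUserEntityUISettings": "Basic",
    "prvReadUserEntityUISettings": "Basic",
    "prvDeleteAccount": "Basic",
    **{name: "Global" for name in DEFAULTS},
}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```

Privileges reported as outside the baseline are not necessarily wrong, since background plugins and workflows may need them, but each one should have a documented reason.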
