Security Roles and Teams in CRM – An Inconvenient Half-Truth

Over the course of the last two years or so reading everything I can about Dynamics CRM, as well as teaching many classes of people how to get the most out of their CRM systems, one thing which comes up again and again is how to best structure Business Units, Users and Security Roles, and sometimes Teams as well to get the exact model you want to match your business requirements for who has access to which records and when.

Users inherit Security Roles from Teams – right?

One concept I have seen repeated many times is that “Users inherit security roles from all the Teams they are in”. And generally this seems to be a reasonable way to describe how it works, but occasionally odd behaviours seem to show up which make this appear to be less than 100% accurate.

I also had a gut feeling for a while that this was not the best way to describe the way this works. I prefer to say that “when a User is in a Team, they can act as if they are the Team, with the rights that the Team has through its Security Roles, but only while considering records in the same Business Unit as that Team”.

More on this later, and the one part of the model that this description does not do justice to.

Overall this means Security Roles use a kind of “impersonation” when Teams are involved and that the rights the User has are not only ‘borrowed’ very temporarily from the Team but they are relative to where the Team is – so access levels / depths such as “Business Unit” or “Parent / Child Business Unit” operate from the Business Unit where the Team is.

So how does this really work?

If you really want to read how security roles work in terms of determining access to a whole bunch of records (to display the results of a view) or a single record, then you need to read the white paper Scalable Security Modelling with Microsoft Dynamics CRM 2011.

42 pages later you will probably know exactly how the queries are built to actually enforce the security model, but that may not have made it much clearer from a practical, day-to-day design point of view. To be fair, the point of that white paper is to explain the underlying architecture and query methods properly so you can figure out the performance impact of different security approaches, rather than demonstrating how this informs your design from an end-result “who can see what” point of view. One thing that is never mentioned is any idea of inheritance or merging of privileges from Teams to Users. Every kind of access request is checked against User and Team permissions separately (exactly what is checked depends on things like whether the User has Global access level privileges to that entity at all, and whether the record is owned by the User or any of their Teams. These can help shortcut the otherwise brute force querying that would be necessary, especially to return all records in a view).

“You can’t handle the TRUTH!”

By now, I bet some of you are ready to shout at the screen – “we know Users don’t actually inherit the roles and keep them for themselves, but it works just as if they did, so it’s just a kind of shorthand and we all understand what we really mean, so don’t be pedantic”.

Tom Cruise in A Few Good Men - I Want the TRUTH!I always argue that I am not pedantic, I just like things to be exactly correct – “I want the TRUTH!”

In this case, it is CRM which is pedantic, and does not always behave as expected if you believe that a User can act as if they have all the Roles that their Teams have, all of the time. If you are betting your security model on it working this way then either you will end up with Users who can’t do their job, or possibly a gaping hole in your security. Neither sounds good to me.

Read more of this post

Using anti-virus software to keep the elephants away

Steve Riley wrote an interesting article recently about why he chooses the trade-off to not run anti-virus (AV) on his own machines, and a follow-up to that after many people asked if this is his general recommendation. His view is very similar to mine, in that if your overall stance is a cautious one and you are taking other suitable precautions against the risk of getting a virus infection (or spyware or some other nasty malware) then you may be just fine running with no AV software. This is how I run my own workstations (both private and business), but in all cases I run as a non-privileged user and will always be aware of the risks anytime I use admin credentials to install something.

As Aaron Margosis points out, running anti-virus software which requires you to be a local administrator to work properly is fairly pointless. You have the rights required to turn off, disable and uninstall your AV, so any malware that gets past your defences can do this too, rendering the AV potentially useless. The same applies of course to running well-written anti-virus which does not require admin rights, but then running as admin anyway.

»Read on to find out why I recommend using anti-virus to keep elephants away»

Older software is less secure, so always use the brand new version

Myth: “Older software is less secure than the newest release, so always upgrade to the brand new version as soon as possible”

The most obvious reason this cannot always be true, is that you will hear the opposite said just as often and with as much conviction!

So where does the truth lie between these two opposing extremes? Quite apart from the cost to your business in terms of buying software and disrupting operations, retraining users and so on, you have no way of knowing that a newer product is necessarily more stable than its predecessor.

Read more of this post

Shareware just means “free software”, right?

Myth: “Shareware is free software – if I can download it without having to pay I can use it at no cost.”

Debunking the myth – one in a series of several.

This is very rarely true in a business context. Ultimately, all software is subject to copyright, and the author can decide what rights they are prepared to give up in allowing you to use their product. These rights are usually described in a license, which may limit how you can use the software, conditions you must fulfil if you use it, and what costs you will have to pay. Smaller, independent publishers are more likely to provide their product for free or a very low price to encourage people to use it. However, many of these do so only for private use, and if you want to use the same product at work, they may want some payment from you. Read more of this post