Security Roles in CRM

Understanding the Security Model


  • Security model has been defined into the Dynamics CRM that protects data integrity, privacy and provides efficient data access and collaboration.
  • Restricts users from unauthorized access and shows what a particular user must see depending on their roles/privileges.
  • Does not let a user access records not owned by them.
  • Also supports data sharing so that records can be viewed by users though they don’t own it themselves.


Three major areas of security model in CRM are as follows:

  1. Role Based Security
  2. Record Based Security
  3. Field level security


Role Based Security


Role based security defines a set of privileges that can be assigned to a user in a form of a role.

A user must be assigned to at least one such role.

Roles can also be assigned to teams in Dynamics CRM 2013.




MS Dynamics CRM has 14 predefined roles which are defined to match security best-practice of providing only what’s necessary to a particular type of user in the organization.

Custom roles can, however, be created.

Each role is associated with a set of privileges.

One or more roles can be assigned to a user or team.

Creating a new role with intent to assigning a privilege is recommended than modifying an existing role. Roles at user level can’t be modified.



A privilege is a permission to perform an action. There are 580+ privileges predefined during setup. Privileges are built-in to the product.

Privileges cannot be added, modified or deleted. However, new roles can be defined to use the predefined set of privileges.

The platform checks for privileges and rejects any operation on which the required privilege is not found.

Privilege is combined with a depth and access level.


Access Level


Access level defines the depth at which a user can access a particular entity type in the organization.

The access levels defined are as follows:

  1. Global (Organization)

This level gives a user access to all records. User with this level automatically have all the levels Deep, Local and User as well.

  1. Deep (Parent: Child Business Unit)

This access level gives a user access to records in user’s business unit and all business units subordinate to the user’s business unit.

  1. Local (Business Unit)

This access level gives access to records in the user’s business unit. Usually assigned to managers with authority over the business unit.

  1. Basic (User)

This access level gives a user access to records he/she owns, objects that are shared with them and objects that are shared with the team which a user is a member of.

  1. None

No access is provided.


Record Based Security


It is the security provided to individual records. It is provided by using access rights.

Access rights are provided after privileges have taken effect. A user may not be able to access a record even if he/she has access granted but does not have Read privileges on that entity the record is in.


Access Rights           

The access rights provided are as follows:

Read, Write, Assign, Append, Append To, Share, Delete.

Create Access – Create Access in this does not apply to an individual record. It applies to a class of Entities. Create is handled as privilege. A user who creates a record has all the privileges to that record unless any other access right forbids it.

Sharing Records

Sharing lets user give other users/teams access to a specific record. Useful for sharing information with roles that have only Basic access level.

Sharing capabilities provided are as follows:

  1. Share

Sharing a record with another user holds providing access rights to another user for the record which is being shared.

GrantAccessRequest is used to share a record with another user/team. When a record is being shared with a user, indicate what access rights you wish to grant to that user.

Records should be shared with users who have privilege for that particular entity type.


  1. Modify Share

Rights granted to a user after sharing a record can be modified as well. ModifyAccessRequest is used to carry out this task.


  1. Remove Share

If you share a record with another user/team, you can stop sharing the same. RevokeAccessRequest is used to carry out this operation.


Sharing and Inheritance

If a parent record is created, the sharing properties with the parent record is assigned to the child record.

Child record also maintains its own sharing properties.


Assigning Records

Assign Records means handing over the ownership of a record to another user. The original user then loses ownership of that record.

The system administrator can decide whether or not, should the assigned record be shared with its previous owner.

If ShareWithPreviousOwner is selected, then the previous owner has all access rights to the assigned record.


Dependencies between Access Rights

Security dependencies exist between access rights because a user needs more than one access right to access a particular record.

Create – CREATE & READ are required.

Share – SHARE & READ is required.

Assign – ASSIGN, WRITE & READ is required.

Append – READ & APPEND is required.

AppendTo – READ & APPENDTO is required.



Field Level Security

In field level security, access to high-impact business fields is restricted.

For 2013 release of CRM, field security can be applied to custom fields only.


The following steps are carried out to restrict access to a field:

  1. Create a field security profile.
  2. Associate users/ teams with profile.
  3. Add specific field permissions such as Create, Update or Read to the profile.

System Administrator field security profile gives access to all secured fields. This profile is system managed and cannot be deleted or modified.


There are basically 3 restrictions that can be added in Field Security Profiles once created. They are:

  1. Allow Read
    Specifies if users should be able to read information from this field.
  2. Allow Create

Specifies if a user can add information to this field after it has been created.

  1. AllowUpdate

Specifies if a user can edit information from this field.


How secured fields behave for Retrieve and RetrieveMultiple

When Retrieve and RetrieveMultiple are used, CRM check user’s access rights for each record and secured fields. If a user doesn’t have access to secured fields, no exception is thrown but null values are retrieved for secured fields.


If the retrieved data has an access field and user is not impersonated to access it, the user is returned null. A null retrieved by the absence of data and a null retrieved due to lack for privilege can’t be distinguished.


Also, if the secured field is in the filter criteria, a null is substituted for the actual value of the filter criteria.

Following is the justification of how secured fields behave in different scenarios:


  1. Filtered Views
    Filtered view will not return data for secured fields if user is not impersonated with proper access rights to the field.
  2. Records are shared

A user can only give access to another user of the access that they themselves have. The user or team members with whom the record was shared now have that type of secured access field only on the shared secured fields on only that particular record, even if the user to whom it was shared does not have field security profiles that give them access.

  1. Create or Update.

If a user does not have required impersonation on the required secured field while calling Create or Update methods, an exception is thrown.


Hope this was helpful! 🙂




Custom Workflow Assembly

What are Custom Workflow Activities?

  • Custom Workflow Activities can be added to an existing workflow to provide additional functionality in Workflows in CRM.
  • Workflow Assemblies are included in steps of a workflow designer where input parameters can be provided to the same to carry out its designated functionality.
  • Required Assemblies are Xrm.Sdk and Microsoft.Xrm.Sdk.Workflow
  • Custom Workflow Activities can be written by deriving CodeActivity class in your workflow assembly.


  • Custom Workflow Activities have Input and Output parameters that take and give out data to the workflows.
  • protected override void Execute(CodeActivityContext context){ //Activity code} needs to be initialized to add functionality to a Workflow Assembly.

Registering a Custom Workflow Assembly.

  • Custom Workflow Activities are registered in Plugin Registration Tool.
  • They are not registered on a particular entity or on any message, like a Plugin.
  • Registered Custom Workflow Assemblies then appear in the workflow step designer.
  • We can specify the Name of the workflow and the WorkflowActivityGroupName in the Plugin Registration Tool as shown below.





Input and Output Parameters of a Workflow Assembly. 

  • Here is an example of how we can declare an input parameter to a custom workflow assembly as follows:


  • A default value can be provided along with declaring the Argument.
  • Same way, we can add Output parameters to the custom workflow assembly as below.



  • Or even declaring the Argument as both, input and output argument which is as follows:


Attributes and Microsoft Dynamics CRM Types.

  • Bool
  • DateTime
  • Decimal
  • Double
  • EntityReference
  • Int
  • Money
  • OptionSetValue
  • String

So, that was a short and quick introduction about Custom Workflow Assembly! Hope this is helpful. 🙂


Dialogs in Dynamics CRM 2013


  • Dialogs are a collection of pages which contains a set of Prompts and Responses.
  • Dialogs are synchronous.
  • Dialogs need to be initialized by the user using the CRM Online system.
  • Requires user input at stages to run to completion. Much like a wizard.

Components of a Dialog



  • It is a basic unit of a dialog. More like a visual container. Usually there are multiple pages in a Dialog that guide the user through a process to get certain tasks done.
  • Each page can have multiple prompts and responses.

Prompt & Responses:


A Prompt asks a question to the end user and captures response.

Response has a data type that is provided in order to specify what input should be fetched by the system. They are:

  • None – No response is required. Used for introductory purposes.
  • Single Line – A single line of text, integer or float values. A textbox is displayed to fetch this.
  • Radio button – Predefined responses shown to select only 1 among them.
  • Picklist – A drop down menu.
  • Multi-Line of text – Multiple lines of text input is supported.
  • Date and Time – Date & Time input used like in CRM forms.
  • Date Only – only date can be selected.
  • Lookup – Specifies an entity record.


The user response for each Prompt and Response step is stored as a step variable, and can be used later in the dialog flow.


Static and dynamic hyperlinks can also be added. For static hyperlinks, you need to specify the full URL. Dynamic hyperlinks, however, can be used in any text field. These hyperlinks refer to an entity record in CRM.


Tips help in specifying information for each prompt and response that helps the user in responding to the prompt. Tips are optional.


Input Arguments and Variables

Two more important components in Dialogs.

Input Arguments

  • Input Arguments are used to pass data between parent and child dialogs.
  • Input Arguments are defined for the child dialogs and data is passed onto them. This is linked by adding a Link Child Dialog step in the parent dialog. And then, the required responses can be mapped with the input arguments in the child dialog.
  • Simple arithmetic and string operations can be carried out by using Assign Value.
  • Default value for input arguments must be specified while declaring them.




  • Variables allow us to store intermediate values such as strings or computed values.
  • Intermediate values are responses that are gathered along the run of a dialog.
  • These variables are stored respective Prompt and Response



  • Comments are the notes that appear at the bottom of a dialog that are displayed during the run of the dialog.



A link child dialog cannot be an intermediate step.

Number of nested steps in a child dialog is limited. Depends on the browser in use. Because these nested steps in browser are nested tables.

There are a few workarounds for nested steps limitations in case they happen to gray out:

  • Redesign the dialog to use fewer nested steps.
  • Add a child dialog to reduce the number of steps in parent dialog.
  • Use a different browser.


Actions that can be taken on Dialogs

Dialog Related Activities

These activities were first introduced in MS Dynamics CRM 2013 and are available as steps in MS Dynamics Process Designer.


Query CRM Data

Enables us to define query variables that can be used to query CRM data. These query variables can either have pre-defined values or can be parameterized so that they accept values at runtime.


We can parameterize a query variable by using ModifyQueryVariables tab on the Define Query page, and then use the dynamics section on the query form to associate the prompt and response variables with the query variables.


Query Variable defined using the Query CRM Data is available for all prompts and responses from the point where they have been defined in the dialog definition.

Assign values

Allows simple arithmetic operations like increment, decrement and multiply and string concatenation operations on the input variables.

Can also be used to clear any values that is stored in the variables or input parameters.

Link Child Dialog

A dialog can be specified as a child dialog and then can be invoked from other dialog which will be its parent dialog.

Stop Dialog

Enables to end a dialog at a particular stage. Can also be used in conditions where we need to stop the dialog.


Workflow related activities

Workflow related activities like Create Record, Update Record, Delete Record, AssignRecord, Send e-mail, start child workflow and change status.


Start a dialog using a URL

An activated dialog can be started using the following URL format:




CRMServer_Name is the name of your CRM server.

Org_Name is the organization name

DialogId is the GUID of the dialog you want to run.

EntityLogicalName is the Entity Logical Name of the Primary Entity of the dialog you want to run.

EntityObjectId  is the GUID of the primary entity record.

An example of the same is as follows:




Dialogs enable us to trigger guided process. Input parameters and variables can be manipulated with during the process and also fetches CRM data. Dialogs are user interactive processes which prompts for messages and requests and fetches responses to be used in the processes.

Duplicate Detection in CRM 2013

What is Duplicate Detection feature?

  • In order to maintain integrity in data in our system, it is a good practice to reduce duplicate data. To do so, MS Dynamics CRM provides facility to do so.
  • Duplicate Detection needs to be enabled from Settings > Data Management > Duplicate Detection Settings.
  • Default duplicate detection rules are defined for accounts, contacts and leads but not for other types of records. To enable duplicate detection on other types of records, we need to create new rules.


Enable Duplicate Detection

  • We can enable Duplicate Detection for our organization under Settings > Data Management > Duplicate Detection Settings as shown below.



  • As shown above, Duplicate Detection first needs to be enabled organization wide.
  • Then we can chose on what the duplicate detection should be enabled.
    1. When a record is created or updated.
    2. When the CRM for outlook goes from offline to online and,
  • 3. During data import


Duplicate Detection Rules

  • There are predefined rules already available in Duplicate Detection Rules for account, lead and contact.



  • Likewise we can create new rules of our own with certain criteria to run of other types of records. In order to create new rules, select New.
  • For the new Duplicate Detection Rule, give a suitable name. Set Base Record Type to the entity you want the duplicate detection rule to run on. And provide Matching Record Type to compare the record to for the rule to run.




  • We can optionally chose to compare with having the Case-Sensitivity and to Exclude inactive matching records.
  • In the above example, we want to detect duplicate records with same customer name being created on Employee. So, we’ll set the criteria for our rule to run the duplicate detection.



  • In the example above we have 2 criteria for the duplicate detection rule to run. These criteria are ANDed i.e. both should satisfy to detect duplicate records successfully.
  • First, we are comparing the Name for its exact match and then we are checking the Address for its first 5 characters to be the same.
  • We can also optionally chose to ignore blank values. In this case, we are not doing so.
  • Once done, we can Save and Close the duplicate detection rule.
  • So, our newly created rule appears in the list of Duplicate Detection Rules. It hasn’t been published yet. So it won’t detect duplicated unless we Publish it.
  • publishDDRules


  • To do so, select the rule we just created, and Publish it.
  • Let’s check the duplicate detection rule we just published.
  • example1Now, We have 2 records in employees Andrew and Samuel. We shall try to create another employee named Samuel with same address to force CRM to detect a duplicate on creation of a new Employee record.
  •  On saving this record, CRM will throw a warning that it detected duplicate of the record that we are trying to create.




  • So here, it has detected a duplicate records that matched the rule we created for name and address of the Employee. If we want the duplicate record to be created nonetheless, we can click on Save to do so.
  • Cancelling it will avoid the duplicate record being created and we can go back to our record to change it before it is saved.


Hope it helps you! 🙂


Another post on Duplicate Detection jobs is coming up soon. Will update you once done. Keep checking this area. Thanks!


Access Teams in CRM 2013

What are Access Teams?

  • Access Teams are light-weight teams aimed at high volume sharing scenarios.
  • These are designed to address the concerns of the overhead of calculating security roles when needed.
  • Access Teams can be automatically created and managed.
  • Access teams can’t be granted security roles and they can’t own records.
  • They only access records through sharing.
  • Sharing privileges are defined by an access team template. They don’t change dynamically for existing records if the template changes.
  • Access Teams can’t be used as resources in Service Scheduling.

Access Teams, however, can be created manually through Teams interface in Settings > Administration.


Creating an Access team

  • An Access Team first needs to be enabled from an Entity level. To do so, navigate to Customizations > (Entity). We can consider an example of a custom entity, say Customer.

Enable Access Team on Entity

The checkbox on Access Teams needs to be checked to be able to enable Access Teams for Customer entity.

  •  Then, we navigate to Settings > Administration > Access Team Templates. And select New template.

Enable Access Team on Entity

Give a meaningful Name to the template that will be identified. Select the entity from the Entity dropdown that we enabled Access Teams for at the Entity level.

We can provide desired access rights as mentioned above from Delete, Append, Append To, Assign, Share, Read and Write.

  •  Now you Access Team template has been created. Next, we shall add a sub-grid to the Customer form that will access this template. And Set Properties as follows for the Sub-Grid on the form.

As shown below, set the following properties for the Data Source of the sub-grid,

Records to All Record Types

  • Entity to Users
  • Default View to Associated Record Team Members


  • Team Template to Customer List Access (This is the Access Team Template you just created)

Access Team Template Set Properties

The sub-grid now is set to add users to the Access Team that will use the access rights we set in the Access Team Template.

Access Team Subgrid


  • Once the record is created, you can add Users to the sub-grid that will have access to that particular record and which will have access rights as defined in the template.

As in the above form, the 2 users have access to the record with name Ashwin V. with the access rights Append, Append To, Read and Write.



How Access Teams work?

  • Whenever Access Teams are enabled for an entity, the team’s lifecycle is managed automatically.
  • So when the first member is added to the Access Team grid, an access team is created and the first member is granted the access rights as specified.
  • Then as members are added and removed, access to those members are added and removed respectively.
  • When the final member of the access team is removed, the team gets deleted. This marks the end of the Access Team lifecycle.
  • Deactivating the record, however, won’t affect the access team. Only adding and removing members from the access team will cause deletion of automatically generated access team.


Viewing the Access Teams

  • In normal operation, access teams are created automatically. Hence, they are system generated and are deliberately hidden from users.
  • In order to view these access teams, use ‘Advanced Find’ option to query for Teams of type Access and Is System Managed as Yes, No.
  • This will show both access teams, automatically created and system generated as shown in the figure below.

Viewing Access Teams

Access Teams Guid

The automatically generated access teams are named as their GUID.

Migrating to Access Teams

Teams that have been migrated from older version will be migrated as owner teams. It’s possible to convert them to access teams under the following conditions:

  1. The owner team doesn’t have any security roles, and
  2. The owner team isn’t the owner of any records.

Convert To Access Teams

The CONVERT TO ACCESS TEAM button will convert the owner team into an access team once the above said criteria is matched.


Programmatic control of access teams

  • Remember, an access team is actually created when we add the first member to the access team. So we need an existing team to add a team member to it.
  • A new SDK message is introduced to handle this scenario. AddUserToRecordTeamRequest.
  • Using the said SDK message, we need to specify the record and team template that the user should be added to. This will resolve the request to the access team that is relevant and, if necessary, create the team before adding the user as a member.
  • When working with system generated access teams, this message should be considered for adding users as team members.

So, that’s it! Hope you find this useful. 🙂