Controlling Data Access
To control data access, you must set up an organizational structure that both protects sensitive data and enables collaboration where appropriate. You do this by setting up business units, security roles, and field security profiles.
A business unit basically is a group of users. Large organizations with multiple customer bases often use multiple business units to control data access and define security roles so that users can access records only in their own business unit.
A security role defines how different users, such as salespeople, access different types of records. To control access to data, you can modify existing security roles, create new security roles, or change which security roles are assigned to each user. Each user can have multiple security roles.
Security role privileges are cumulative: having more than one security role gives a user every privilege available in every role.
Each security role consists of record-level privileges and task-based privileges. These privileges determine which records the user can access: None, User, Business Unit, Parent: Child Business Unit, and Organization.
Each type of record is either user-owned or organization-owned. Record-level privileges define which tasks a user with access to the record can do, such as Read, Create, Delete, Write, Assign, Share, Append, and Append To.
Overriding Security Roles
The owner of a record or a person who has the Share privilege on a record can share a record with other users or teams. Sharing can add Read, Write, Delete, Append, Assign, and Share privileges for specific records. More information: Share or Assign Records and Views
Teams are used primarily for sharing records that team members ordinarily couldn't access. More information: Work with Teams
It is not possible to remove access for a particular record. Any change to a security role privilege applies to all records of that record type.
Securing Custom Fields
In Microsoft Dynamics CRM Online, fields on forms can have read, create, and update permissions. Create or change custom field permissions using the Field Security setting on the field customization form and by establishing Field Security Profiles.
Field security profiles are similar to security roles in Microsoft Dynamics CRM Online. Both specify what users or groups of users can see, modify, or create in Microsoft Dynamics CRM Online.
When creating a custom field on a form, you have the option to use field security. Using field security for a field limits access to a field based on a user's field security profile. Not using field security for a field bases any restrictions to the field only on a user's security role.