Security and customization
Part 2 of "11 things to know about customization"
Published: 1/1/2008
Updated: 12/3/2009
Not everyone can customize Microsoft Dynamics CRM Online. Unless you have the necessary privileges to perform customization tasks, you will be unable to see the Customization features. By default, only Microsoft Dynamics CRM Online users who have the System Administrator or System Customizer security role can access the Customization features:
- The System Administrator security role gives you privileges to do all the possible customization actions.
- The System Customizer security role is appropriate for someone who has to implement customizations, but does not have to see all the data in the system.
Delegating customizations
Before you take on the responsibility for applying all the customizations in the implementation, consider whether you can delegate some customization tasks. Because the core customization tasks in Microsoft Dynamics CRM Online do not require programming skills, managers or other stakeholders inside an organization can perform these tasks. You may want to consider granting trained individuals within your organization the rights to perform customizations that affect areas where they work.
Managing change
Even though you may delegate some customization responsibilities, there still has to be documentation, coordination, training, and oversight:
- Document the changes applied, including the goal of the customization.
- Be aware of the effect of customizations on all users of the system.
- Train anyone who has to make changes so that they can make changes that achieve the results that you want.
- Develop and enforce change management procedures that make sense for your organization.
Managing security roles
You can create new security roles or modify existing security roles to grant users privileges to customize or to use certain customizations. For information about the privileges you have to have, see Why can't I access some features or areas?
Although security in Microsoft Dynamics CRM Online is role-based, it is also cumulative – users can belong to more than one security role. Users enjoy the least restrictive privileges for all the security roles they belong to. This means that you can create a task-based security role that provides the necessary privileges to perform a task, such as customization. You can then assign that security role to an individual user to grant him or her only those privileges. This can be valuable if you want to temporarily grant someone privileges to perform a certain type of customization.
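The cumulative behavior described above, as an added sketch that is not part of the original article and does not use any Microsoft Dynamics CRM API: a simplified Python model that merges security roles, lists who can customize and through which role, and checks whether unassigning a temporary role actually removes the privilege. The `Depth` scale, privilege names, user names, the "Temp Form Customizer" role and all function names are constructed for illustration.

```python
from enum import IntEnum

class Depth(IntEnum):
    """Access levels as an ordered scale (simplified assumption of this sketch)."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    ORGANIZATION = 3

# Constructed sample data: role -> {(entity, privilege): depth}.
ROLES = {
    "Salesperson": {("Account", "Read"): Depth.BUSINESS_UNIT,
                    ("Account", "Write"): Depth.USER},
    "Sales Manager": {("Account", "Read"): Depth.ORGANIZATION,
                      ("Account", "Write"): Depth.BUSINESS_UNIT},
    # Hypothetical task-based role that grants only customization rights.
    "Temp Form Customizer": {("Customization", "Write"): Depth.ORGANIZATION},
    "System Customizer": {("Customization", "Write"): Depth.ORGANIZATION},
}

# Constructed sample assignments: user -> security roles held.
ASSIGNMENTS = {
    "alice": ["Salesperson"],
    "bob": ["Salesperson", "Temp Form Customizer"],
    "carol": ["Sales Manager", "Temp Form Customizer", "System Customizer"],
}

def effective_privileges(role_names, roles=ROLES):
    """Merge roles: each privilege takes the least restrictive depth granted."""
    merged = {}
    for name in role_names:
        for key, depth in roles[name].items():
            merged[key] = max(merged.get(key, Depth.NONE), depth)
    return merged

def granting_roles(key, assignments=ASSIGNMENTS, roles=ROLES):
    """Audit view: user -> roles that grant `key` at any depth above NONE."""
    report = {}
    for user, held in assignments.items():
        via = [r for r in held if roles[r].get(key, Depth.NONE) > Depth.NONE]
        if via:
            report[user] = via
    return report

def still_granted_after_removal(user, role, key, assignments=ASSIGNMENTS):
    """True if `user` keeps `key` after `role` is unassigned."""
    remaining = [r for r in assignments[user] if r != role]
    return effective_privileges(remaining).get(key, Depth.NONE) > Depth.NONE
```

In this sample, unassigning the temporary role removes the customization privilege from bob but not from carol, who also holds it through System Customizer.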
Scope of customizations
Microsoft Dynamics CRM Online allows for security to vary within different business units of an organization. This means you might grant a manager of one business unit the rights to customize the system and not provide these privileges to another user who has the same security role, if they belong to a different business unit.
However, all customizations done to Microsoft Dynamics CRM Online apply to the whole system. Technically, you cannot create a special customization for a particular business unit. However, you can create new security roles and modify existing ones so that only the users who have the necessary privileges can see customizations that you create. For example, when you create a custom entity, you must provide users access to the custom entity through their security roles. You may decide to only grant access to members of a certain security role. Therefore, it will be invisible to users who are not assigned that security role.
Implementing field-level security
If your goal is to provide certain users special rights to individual fields in an entity, you will not find that capability as a built-in feature. Some partners have created extensions to provide this capability, but Microsoft Dynamics CRM Online does not support field-level security by default. Rights to an entity apply equally to all the attributes within that entity. Some people have devised ways to hide certain fields on a form by using form scripting techniques. However, this is not a complete solution, because no field can be hidden in every part of the application. Even if a field is hidden on a form, users can still find it by using Advanced Find, Export to Excel, or merely by printing the form.
If you have to secure some data separately, your best choices are to purchase an extension developed by an independent software vendor (ISV), or to create a custom entity to store the information and grant access to that entity for users who require it.
Related Links
Part 3: Form and view customizations
Why can't I access some features or areas?
Design considerations for business units