To control data access, you must set up an organizational structure that both protects sensitive data and enables collaboration where appropriate. You do this by setting up business units A way of representing a division or department in an organization. Business units are arranged in a hierarchy, and all users in the same division or department are assigned to one business unit. and security roles Defined sets of privileges.The security role assigned to a user determines which tasks the user can perform and which parts of the user interface the user can view. All users must be assigned at least one security role in order to access the system..
Business Units
A business unit basically is a group of users. Large organizations with multiple customer bases often use multiple business units to control data access and define security roles so that users can access records only in their own business unit. This also lets the system administrator delegate tasks such as user management for a specific business unit. Smaller organizations or organizations with one customer base may need just one business unit.
A security role defines how different types of records can be accessed by one category of users, such as all salespeople. To control access to data, you can modify existing security roles, create new security roles, or change which security roles are assigned to each user. Each user can have multiple security roles.
Security role privileges A user's rights to perform specific actions on specific record types or to perform tasks. Privileges are assigned by system administrators to security roles. Users are then assigned security roles. Examples of privileges include Update Account and Publish Customizations. are cumulative: when a user has more than one security role, the user will have any privilege allowed in any of the assigned security roles.
Each security role consists of record-level privileges Privileges that are specific to one record type, such as Read, Create, and Write. and task-based privileges Privileges that apply to tasks that are not specific to one record type, such as Export to Excel and Go Offline.. The access level for each privilege determines which records can be accessed: None None An access level that denies the user privileges at any level. , User User An access level that lets the user work with record types they own, record types that are shared with the user, and record types that are shared with the team of which the user is a member. For example, if a user is assigned the User access level on the Read privilege for Account records, the only accounts that can be read are those that are owned by or shared to the user. , Business Unit Business Unit An access level that lets the user work with record types in the user's business unit. Users who have Business Unit access automatically have User access as well. For example, if a user has Business Unit access level on the Read privilege for Account records, the user can read all accounts in the local business unit. , Parent-Child Business Unit Parent-Child Business Units An access level that lets the user work with record types in the user's business unit, and all business units subordinate to the user's business unit. Users with Parent: Child Business Units access automatically have Business Unit and User access as well. , and Organization Organization An access level that lets the user work with all record types within the entire organization, regardless of the business unit hierarchical level to which the entity or user belongs. Users who have Organization access automatically have Parent: Child Business Units, Business Unit, and User access as well. .
Each type of record is either user-owned Records that are used by individuals or sub-groups, such as accounts, activities, and leads. Access to this type of record can be set at one of five levels: None , User , Business Unit , Parent-Child Business Units , or Organization . or organization-owned Records that everyone in the organization needs to access, such as products or sales literature items. Access to this type of record can be set at one of two levels: None , or Organization .. Record-level privileges define what tasks a user with access to the record can do, such as Read A privilege required to read a record. Which records can be read depends on the access level of the permission defined in your security role., Create A privilege required to create a new record. Which records can be created depends on the access level of the permission defined in your security role., Delete A privilege required to permanently remove a record. Which records can be deleted depends on the access level of the permission defined in your security role., Write A privilege required to make changes to a record. Which records can be changed depends on the access level of the permission defined in your security role., Assign A privilege required to give ownership of a record to another user. Which records can be assigned depends on the access level of the permission defined in your security role., Share A privilege required to give access to a record to another user while keeping your own access. Which records can be shared depends on the access level of the permission defined in your security role., Append A privilege required to associate a record with the current record. For example, if a user has Append rights on an opportunity, the user can add a note to an opportunity. Which records can be appended depends on the access level of the permission defined in your security role., and Append To A privilege required to associate the current record with another record. For example, a note can be attached to an opportunity if the user has Append To rights on the note. Which records can be appended to depends on the access level of the permission defined in your security role..
For example, you might create a Sales Assistant security role with Read A privilege required to read a record. Which records can be read depends on the access level of the permission defined in your security role. and Write A privilege required to make changes to a record. Which records can be changed depends on the access level of the permission defined in your security role. privileges for leads at the Business Unit Business Unit An access level that lets the user work with record types in the user's business unit. Users who have Business Unit access automatically have User access as well. For example, if a user has Business Unit access level on the Read privilege for Account records, the user can read all accounts in the local business unit. access level, and Create A privilege required to create a new record. Which records can be created depends on the access level of the permission defined in your security role. privilege for leads at the User User An access level that lets the user work with record types they own, record types that are shared with the user, and record types that are shared with the team of which the user is a member. For example, if a user is assigned the User access level on the Read privilege for Account records, the only accounts that can be read are those that are owned by or shared to the user. access level. Users with the new Sales Assistant security role then would be able to add their own new leads and read and update leads owned by anyone in the business unit.
The owner of a record or a person who has the Share A privilege required to give access to a record to another user while keeping your own access. Which records can be shared depends on the access level of the permission defined in your security role. privilege on a record can share a record with other users or teams Groups of users who share and collaborate on business records.A team can consist of members who all report to one business unit or members who report to different business units.. Sharing can add Read A privilege required to read a record. Which records can be read depends on the access level of the permission defined in your security role., Write A privilege required to make changes to a record. Which records can be changed depends on the access level of the permission defined in your security role., Delete A privilege required to permanently remove a record. Which records can be deleted depends on the access level of the permission defined in your security role., Append A privilege required to associate a record with the current record. For example, if a user has Append rights on an opportunity, the user can add a note to an opportunity. Which records can be appended depends on the access level of the permission defined in your security role., Assign A privilege required to give ownership of a record to another user. Which records can be assigned depends on the access level of the permission defined in your security role., and Share A privilege required to give access to a record to another user while keeping your own access. Which records can be shared depends on the access level of the permission defined in your security role. privileges for specific records. More information: Share or Assign Records and Views
Teams are used primarily for sharing records that team members ordinarily couldn't access. For example, if your service and sales functions are in different business units but you want members of a cross-functional key account team to be able to view all sales and service records, by creating a Microsoft Dynamics CRM Online team, all team members can be set up to view those records. More information: Work with Teams
It is not possible to remove access for a particular record or field in a record:
You cannot increase security on one record. Any change to a security role privilege applies to all records of that record type.
Users either can access or not access an entire record. It is not possible to set up field-level security.
Top of page
An access level that denies the user privileges at any level. 
An access level that lets the user work with record types they own, record types that are shared with the user, and record types that are shared with the team of which the user is a member. For example, if a user is assigned the User access level on the Read privilege for Account records, the only accounts that can be read are those that are owned by or shared to the user. 
An access level that lets the user work with record types in the user's business unit. Users who have Business Unit access automatically have User access as well. For example, if a user has Business Unit access level on the Read privilege for Account records, the user can read all accounts in the local business unit. 
An access level that lets the user work with record types in the user's business unit, and all business units subordinate to the user's business unit. Users with Parent: Child Business Units access automatically have Business Unit and User access as well. 
An access level that lets the user work with all record types within the entire organization, regardless of the business unit hierarchical level to which the entity or user belongs. Users who have Organization access automatically have Parent: Child Business Units, Business Unit, and User access as well. 