[Applies to: Microsoft Dynamics CRM 4.0]
To control data access, you must set up an organizational structure that both protects sensitive data and enables collaboration where appropriate. You do this by setting up business units and security roles.
A business unit is a group of users. Large organizations with multiple customer bases often use multiple business units to control data access, and define security roles so that users can access records only in their own business unit. This also lets the system administrator delegate tasks such as user management for a specific business unit. Smaller organizations or organizations with one customer base may need just one business unit.
A security role defines how different types of records can be accessed by one category of users, such as all salespeople. To control access to data, you can modify existing security roles, create new security roles, or change which security roles are assigned to each user. Each user can have multiple security roles.
Security role privileges are cumulative: when a user has more than one security role, the user will have any privilege allowed in any of the assigned security roles.
Each security role consists of record-level privileges and task-based privileges. The access level for each privilege determines which records can be accessed: None, User, Business Unit, Parent-Child Business Unit, and Organization.
Each type of record is either user-owned or organization-owned. Record-level privileges define what tasks a user with access to the record can do, such as Read, Create, Delete, Write, Assign, Share, Append, and Append To.
For example, you might create a Sales Assistant security role with Read and Write privileges for leads at the Business Unit access level, and Create privilege for leads at the User access level. Users with the new Sales Assistant security role then would be able to add their own new leads and read and update leads owned by anyone in the business unit.
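The following Python sketch is an added example, not Microsoft Dynamics CRM code or API: it models the access levels and cumulative roles described above for user-owned records only, and ignores sharing and teams. The business unit names, users, records, and the second role (REGIONAL_REVIEWER) are constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # Access levels named on the page, ordered from narrowest to widest.
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD_BU = 3
    ORGANIZATION = 4

# Constructed sample hierarchy: business unit -> parent business unit.
BU_PARENT = {"Sales": None, "Service": None, "Sales-East": "Sales", "Sales-West": "Sales"}

# Roles as {(record type, privilege): access level}. Sales Assistant follows the page.
SALES_ASSISTANT = {("lead", "Read"): Level.BUSINESS_UNIT,
                   ("lead", "Write"): Level.BUSINESS_UNIT,
                   ("lead", "Create"): Level.USER}
REGIONAL_REVIEWER = {("lead", "Read"): Level.PARENT_CHILD_BU}  # hypothetical role

def effective(roles):
    # Cumulative merge: the widest level granted by any assigned role wins.
    merged = {}
    for role in roles:
        for key, level in role.items():
            merged[key] = max(merged.get(key, Level.NONE), level)
    return merged

def in_subtree(bu, root):
    # True if bu is root or one of root's descendant business units.
    while bu is not None and bu != root:
        bu = BU_PARENT[bu]
    return bu == root

def can(user, roles, privilege, record):
    # Decide whether user may exercise privilege on a user-owned record.
    level = effective(roles).get((record["type"], privilege), Level.NONE)
    if level == Level.USER:
        return record["owner"] == user["name"]
    if level == Level.BUSINESS_UNIT:
        return record["owner_bu"] == user["bu"]
    if level == Level.PARENT_CHILD_BU:
        return in_subtree(record["owner_bu"], user["bu"])
    return level == Level.ORGANIZATION

# Constructed sample user and records.
ALICE = {"name": "alice", "bu": "Sales"}
LEAD_SALES = {"type": "lead", "owner": "carol", "owner_bu": "Sales"}
LEAD_EAST = {"type": "lead", "owner": "bob", "owner_bu": "Sales-East"}
```

Because the merge takes the widest level per privilege, assigning an additional role can only widen a user's access, so a role review has to evaluate the union of all assigned roles rather than each role in isolation.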
The owner of a record or a person who has the Share privilege on a record can share a record with other users or teams. Sharing can add Read, Write, Delete, Append, Assign, and Share privileges for specific records. More information: Share or Assign Records and Views
Teams are used primarily for sharing records that team members ordinarily couldn't access. For example, if your service and sales functions are in different business units but you want members of a cross-functional key account team to be able to view all sales and service records, you can create a Microsoft Dynamics CRM Online team and set up all team members to view those records. More information: Work with Teams
It is not possible to remove access for a particular record or field in a record: