Managing Users, Teams and Security

This topic accounts for about 20% of the total score on the Dynamics CRM 2011 Customization and Configuration exam. Overall, users, teams, business units and security are significantly different in CRM 2011 compared to 4.0. Some of the issues highlighted here have come up a couple of times recently on customer engagements I’ve been working on, so I thought I’d post them up and make a down-payment on my CRM 2011 certification prep content at the same time. Cheers.

  • Business Units
    • Names can be changed.
    • Can change the name of the root business unit to something other than the name of the organization.
    • Can delete business units in CRM 2011. To delete a business unit, you must remove all users, remove all teams, and then disable the business unit. Then it can be deleted.
  • Users and Teams
    • In CRM 2011, both are full security principles – i.e., records can be assigned to both users and teams.
    • Users must always be assigned to a business unit, and they can only be assigned to a single business unit at a time.
    • Teams must be assigned to a business unit also, but the teams you create can include members (users, that is) from any business unit.
    • Teams, just like users, can be assigned security roles.
    • When users are added as members of a team, they keep all security privileges included in any of the security roles they’ve been assigned, plus they inherit all of the privileges from the team’s security roles. Since security roles are “additive”, this means that adding a user to a team will never give them less privileges and may give them more.
  • Default business unit teams are created by the system when a business unit is created. These teams behave differently in some important respects from regular teams. Default business unit teams:
    • Cannot be deleted.
    • Cannot have their names changed.
    • Cannot have members not in the business unit.
    • Automatically assign membership to every user assigned to the business unit; cannot have their membership changed apart from changing a user’s business unit.


  1. Matthew tan Said,

    July 7, 2011 @ 12:02 am

    Hi Richard,

    Great blog post. I have a quesiton on Team Security. I’ve found that if you assign a user to a team that has a security role, the security isn’t applied correctly to the user if that user has NO Security roles assigned to them at all at an individual level.

    Is this a bug? My intention is to reduce the management overhead of security roles and simply setup teams of users that have the same security profile and simply assign them to teams which have the security role they require rather than assigning the security role directly to the user.

    This, however, does not work for some reason.. is this expected behaviour?



  2. Richard Knudson Said,

    July 12, 2011 @ 7:05 am

    Hi Matt,

    Good question, and good catch. At first I thought if a user did not have a security role directly, but WAS on a team with a security role, they’d still be able to access CRM as if the security role had been assigned to them directly. But…I found out as you did that it doesn’t quite work. I researched this a little and read a good article on it:

    The article gave me an idea, which I tried and seemed to work, although I haven’t tested it enough to claim it’s production-ready. Anyway, try this:

    In addition to the security role your users will get from the team, create one additional security role with user-level access for all privileges, for two entities only:

    - User Entity UI Settings
    - User EntityInstanceData

    I did that and it seemed to fix the problem of not being able to open forms. If this works, it would mean that users could inherit their real security roles from a team, and as long as all users in addition had that one simple security role, with user-level privileges on 2 entities only (they’re on the first tab towards the bottom), that might simplify your security model.

    Test it and let me know what you find out!

    Cheers — Richard

  3. Chandan Said,

    July 19, 2011 @ 5:48 pm

    Hello Richard,

    i am a novice in Dynamics CRM world, yesterday i was trying to copy a secutiry role (salesperson) and rename it as “Demo_salesPerson”, but i was not able to change the Business Unit for that role, where as while i am trying to create a new Security role (example: Demo_2-sales) i am able to do that. could you please help me to understand the limitation?

  4. Dynamics CRM 2011 Security Roles Said,

    July 20, 2011 @ 2:20 pm

    [...] Teams are now a full-fledged security principle — that is, records can be directly assigned to teams. Here’s a short article I wrote on that topic: Managing Users, Teams and Security. [...]

  5. Lars Peter Said,

    November 29, 2011 @ 8:44 am

    Hi Matt/Richard,

    I tested the idea of creating an “Everyone” security role, which is assigned to all users, and granted the following privileges:

    - User Entity UI Settings
    - User EntityInstanceData

    As Richard pointed out, it solves the problem of opening the form, but unfortunately basic tasks such as creating a note or an activity on a contact, still fails. It requires the user to be assigned directly to a security role with at least User-level Create-privilege on Activity/Note entities…

    Annoyingly, as I also saw the light by completely decoupling security roles and users…

    Best regards,
    Lars Peter

  6. Peter Hale Said,

    April 26, 2012 @ 4:37 pm

    Hi Richard

    Brilliant – seems to work so far – was doing my head in. I guess we need to thank Piers as well

    Thanks you
    Pete Hale

Leave a Comment