Microsoft Dynamics CRM 2011 includes excellent charting (or visualization) features. It also introduces dashboards, which can be used to present several charts together, along with a few other things such as data grids, web pages, and Silverlight forms. Dashboards are obviously highly visual, and they are very front-and-center in the user experience. For example, the default settings in an un-customized Dynamics CRM 2011 organization will make the “Microsoft Dynamics CRM Overview” dashboard the first thing a user sees when accessing CRM through the web application:
Now there’s nothing wrong with that, and judging by how many times I was told by CRM 4.0 customers, “we need dashboards!”, the default settings – that all users can view and create charts and dashboards — will likely be fine for most organizations. However…they won’t be for all organizations, and recently I’ve had a few questions along these lines: “how can we configure it so some of our users can see the dashboards we want them to see, but not waste a lot of time creating charts and dashboards of their own”?
Background: System Charts and Dashboards v. Personal Charts and Dashboards
So…who can see Dynamics CRM 2011 charts and dashboards, and who can create them? These kinds of things are determined by the security roles assigned to a user, and in order to configure security roles for charts and dashboards, you need to understand the distinction between System charts and dashboards, and Personal charts and dashboards. The following table (valid for the default security roles) compares these along several different dimensions:
|Security Privileges||System Charts and Dashboards||Personal Charts and Dashboards|
|Who can create them?||Users assigned to System Administrator or System Customizer security roles||All users|
|Who can see them?||All users||Only the user who creates them|
|Which entity controls security privileges?||
Let’s start with System charts and dashboards. As indicated in the table, most users cannot create these. These are considered system customizations, and once created they are by default visible to all users. So…it’s probably a good thing most users cannot create these things! The most obvious examples of these are the default dashboards you see in the Workplace, and charts like the Sales Pipeline chart exposed on those dashboards, as in the figure shown above.
Now on to Personal charts and dashboards. Notice in the previous figure the New button on the ribbon. If you click that you will be creating a Personal dashboard. It can be confusing at first keeping track of whether you’re creating a personal thing (chart or dashboard) or a system thing, so here’s my rule for how to remember the difference: if you click a New button on one of the application ribbons in Dynamics CRM 2011, the thing you’re creating is personal. You have to work harder to create a system thing, and again, since everybody will see it, that’s a good thing. The following two figures show, respectively, the default Dashboards ribbon every user sees when working with dashboards, and the default Chart tab for the opportunity data grid.
On the Dashboards ribbon, any user can click New to create a new personal dashboard.
On the Charts tab for most data grids, any user can click New Chart to create a new personal chart.
From a security standpoint, personal charts and dashboards behave the same way personal views do: while every user can create one, by default the only user who can see one is the one who created it. This can be a little confusing at first. For example, we’re used to thinking that a user with the System Administrator role can “see everything”, but that’s not true: they can only see almost everything. In fact, if you examine the System Administrator security role you will see they only have User-level Read privileges on entities such as Saved View, User Chart and User Dashboard. So unless a user shares a personal chart, nobody else can see it, not even a system administrator.
Locking Down Personal Charts and Dashboards
OK, so now we know there are two different types of charts and dashboards. How do we modify security so our sales reps don’t waste time goofing around creating charts and dashboards?
Well, we know they can’t create system charts or dashboards, so we only have to prevent them from creating the personal (or user) variety. Since I’m picking on salespeople here, I’ll use the Salesperson security role in the example:
- Click Settings, and then click Administration.
- Click Security Roles.
- Select the Salesperson security role and double-click it to open the form.
- On the Core Records tab, remove the Create and Read privileges (the first two columns) for the User Chart and User Dashboard entities:
The following figure shows the tool tip you see when you hover over one of those empty red circles in the security role UI. If you try this, you’ll notice that the only access levels the Create and Read privileges can have for those two entities are None, and User.
So, after customizing the security role, suppose I sign in as a user with the following characteristics:
- Only assigned one security role, the customized Salesperson role.
- Not a member of any teams.
Here’s what I will see when I navigate to Opportunities:
The Charts tab is absent from the ribbon, just as it will be from anywhere else it would usually appear. Similarly, the Save and New buttons will be removed from the Dashboards tab:
Locking Down System Dashboards
Now, suppose you not only don’t want them wasting time creating personal charts or dashboards, but you don’t even want them looking at system dashboards or charts. Security privileges can be used to prevent users from seeing these as well. For this, you need to customize the System Chart and System Form entities on a security role’s Customization tab:
By default, only the System Administrator and System Customizer security roles have Create privileges for these, but all security roles have Read privileges. Continuing our example, suppose you lock down the Salesperson role even more, by removing the Read privilege for System Chart and System Form as shown in the previous figure.
Then if you sign in as a user with only that security role, here’s what you would see if you navigated to dashboards:
If you navigate to the opportunity data grid, you will see that the user experience degrades in a slightly better way – instead of seeing a Not Available sign, you just don’t see the chart pane at all:
Role-Targeted Charts and Dashboards
So that’s how you can prevent a user from seeing any (system) charts or dashboards. But suppose instead of a completely locked down experience, you were going for more of a targeted one: salespeople see the dashboards they need, customer service reps see only the dashboards they need, and so on. How would you do that? This article’s long enough already, so I leave you with that as a question. I’ll write up at least one solution to that problem in a future article, but in the meantime, if you’ve got one, feel free to let me know about it!