NOTE: This content appears to have been plagiarized. Please leave a comment or email tnwiki at Microsoft (with a link to this article) if we are mistaken. The content was pulled from the following source:

• "Book - Microsoft Dynamics CRM 2011 - Customization & Configuration - (MB2-866) Certification Guide - Chap. 3 - Pages 56..."
  Published by Neil Benson (Packt Publishing)
  http://www.packtpub.com/sites/default/files/9781849685801_Chapter_03.pdf

A security role defines a collection of security privileges, and a security privilege provides access to an entity or feature. The security features of Microsoft Dynamics CRM 2011 – comprised of business units, security roles, and privileges – provide users and teams with access to records or features required to perform their jobs without providing them access to restricted records or feature according to your organizations security policy.

Security roles define a collection of entity and task based security privileges that can be assigned to users or teams.

When a new Microsoft Dynamics CRM 2011 organization is deployed, 14 standard security roles are included with it. These security roles provide entity and task based security privileges for typical job roles in a business.

The standard security roles are as follows:

• CEO-Business Manager: Provides organization level access to all records and access to almost all task-based privileges with the exception of customization privileges.
• CSR Manager: Provides organization level access to customer service records and access to a significant number of task-based privileges.
• Customer Service Representative: Provides an organization level access to most customer service records and access to some task-based privileges.
• Delegate: Provides a single task-based privilege called Act on behalf of another user.
• Marketing Manager: Provides business-unit or organization-level access to most records and access to some task-based privileges.
• Marketing Professional: Provides business-unit or organization-level access to most records and access to some task-based privileges.
• Sales Manager: Provides business-unit or organization-level access to most records and access to some task-based privileges including pricing override privileges.
• Salesperson: Provides user or business-unit-level access to most records and access to some task-based privileges.
• Schedule Manager: Provides access to most core records and some task-based privileges including most service management privileges.
• Scheduler: Provides access to most core records and some task-based privilege including some service management privileges.
• System Administrator: Has organization-level access to most records and some access to task-based privileges including customization privileges.
• Vice President of Marketing: Provides business-unit or organization-level access to most records and access to some task-based privileges including pricing override privileges.
• Vice President of Sales: Provides business-unit or organization-level access to most records and access to some task-based privileges including pricing override privileges.

Customizing the standard security roles

The standard security roles provide a robust set of security roles that can be used without modification. However, to meet your organization’s security requirements, you may need to create custom security roles. The best practice is to create a copy of one of the standard security roles and to modify the copy to meet your organizations unique needs.

Security roles and custom entity

By default, none of the security roles – except the System Administrator security role - provide access to any custom entities you create. So, you will have to customize existing security roles or create new security roles and assign them to your users or teams before they can work with your custom entities.

Business units and inherited security roles

Security roles must be assigned to a business unit and can be assigned to a business unit at any level in your organization hierarchy. Security roles assigned to any parent business unit are automatically inherited by all its child business units. When you create a new child business unit, all the security roles are copied from its parent business unit.

 Is it possible – but not recommended – to have different security roles with different security privileges, but with the same name assigned to different business units. Instead, it is recommended that all security roles are assigned to the root parent business unit.

Inherited security roles cannot be modified or deleted. Instead, you can modify or delete the security role in the parent business unit. When you modify or delete the security role, this modification or deletion is cascaded to all inherited security roles.

Security roles and users

After a new user account has been created, it must be assigned at least one security role before the user can log in to Microsoft Dynamics CRM 2011. The user’s security role must belong to the same business unit as the user.

A user can be assigned more than one security role and is granted a combination of all the security privileges conferred by all their security roles. It is important to note that security privileges granted by security roles are additive. This means that if one security role grants no access to a custom entity but another security role grants business-unit-level access to the same custom entity, the user is granted business-unit-level access to the custom entity.

It is common practice to create a small number of job-tailored security roles (often copied from the standard security roles) and an additional number of security roles that grant one or two task-based security privileges, such as Go Offline and Go Mobile, so that you can control exactly which users have to be granted those privileges. The standard Delegate security role is a good example of this practice.

Reassigning users

When a user is reassigned to a different business unit, CRM will remove the user’s existing security roles. So, it is important to assign new security roles to the user after assigning the user to a new business unit, otherwise the user will be unable to log in to CRM.

Security roles and teams

In Microsoft Dynamics CRM 2011, it is possible to assign security roles to a team. Assigning security roles to teams provides a powerful method for creating exceptions to the normal user-based security roles in order to meet your organization’s security requirements.

Assigning a security role to a team grants all the users in that team with the security privileges specified by the security role in the team’s business unit regardless of the user’s business unit.