Restricting Access for Integrations to Microsoft Dynamics CRM 2011 Using Security Roles

Colin Maitland, 14 July 2013

In my previous blog I wrote about restricting access to Microsoft Dynamics CRM Online using the Non-Interactive User Access Mode. This mode restricts users from connecting to and interacting with Microsoft Dynamics using either the Microsoft Dynamics CRM Web Client or the Microsoft Dynamics CRM for Outlook Client.


In certain integrations, in addition to using a dedicated Non-Interactive Microsoft Dynamics CRM Online User Account, it is best practice to use a dedicated Microsoft Dynamics CRM Security Role with the least number and the minimum level of privileges required to perform the tasks requested by the integration. This may or may not include the ability to create, read, update, append/append to, assign, share, activate/deactivate and/or delete records of specific types. 

In this blog I will provide a list of the minimum privileges required by a Non-Interactive Microsoft Dynamics CRM Online User to: 

(a)    connect to Microsoft Dynamics CRM.

(b)   create, read, update and assign Accounts and Contacts.

(c)    read Accounts and Contacts. 

Note: Additional privileges and higher access levels may be required for completing the initial configuration of an integration between Microsoft Dynamics CRM and another system. However, fewer privileges and lower access levels may then be used after the initial configuration is completed.

The minimum privileges required to successfully test a connection to Microsoft Dynamics CRM Online as a Non-Interactive User are: Organisation: Read and User: Read. In addition User Settings: Read may sometimes be required.  


When creating a new Security Role in Microsoft Dynamics CRM the following Plug-In and SDK Message related privileges are selected by default. These should be retained.


Note: If any asynchronous Plug-Ins are triggered by actions performed on records, the System Job: Create and Read privileges will be required.


If the Created On dates of the records being created need to be overridden, the Override Created on or Created by for Records during Data Import privilege will be required.


The minimum privileges required for the creation of Accounts and Contacts that may: 

(a)    need to be related to each other such as an Account being associated with a Primary Contact and a Contact being associated with a Parent Account. 

(b)   need to be assigned to specified Users or Teams 

are…

• Account: Create, Read, Write, Append, Append To and Assign; and Contact: Create, Read, Write, Append, Append To and Assign.


• Business Unit: Read and Currency: Read.


• Team: Read and User: Read.


Some other privileges to consider are: 

• Accounts and Contacts are sometimes associated with an Originating Lead. It may therefore be necessary to ensure that the Security Role provides the required Read and Append To privileges for Leads. Create and Write privileges for Leads may also be required in some cases, depending on the nature of the integration.

• Accounts and Contacts are usually associated with a Price List. It may therefore be necessary to ensure that the Security Role provides the required Read and Append To privileges for Price Lists.

• Accounts and Contacts may be associated with a preferred Service, Facility/Equipment and/or User. It may therefore be necessary to ensure that the Security Role provides the required Read and Append To privileges for Services, Facilities/Equipment and Users. 

For one-way integrations from Microsoft Dynamics CRM to another system, only the Read privilege is required, in which case the minimum security required is as follows:

• Account: Read; and Contact: Read. 


• Business Unit: Read; Currency: Read; Organisation: Read; Team: Read; User: Read; and User Settings: Read. 


• Field: Read.
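
The two privilege sets listed above can be turned into a baseline for reviewing an integration role for drift. The following is an added example, not part of the original post: it uses the post's "Entity: Privilege" labels rather than CRM's internal privilege names, does not model access levels, and takes the Plug-In and SDK Message defaults as a caller-supplied `retained_defaults` set because the post does not enumerate them (the `Plug-in Type: Read` entry in the sample is a constructed stand-in).

```python
# Added example: least-privilege audit of an integration role against the
# privilege sets listed in this post. Labels follow the post's wording;
# access levels (User, Business Unit, Organisation...) are not modelled.

def privs(entity, *names):
    return {f"{entity}: {n}" for n in names}

CONNECT = privs("Organisation", "Read") | privs("User", "Read")
REFERENCE = (privs("Business Unit", "Read") | privs("Currency", "Read")
             | privs("Team", "Read") | privs("User", "Read"))
RECORD_OPS = ("Create", "Read", "Write", "Append", "Append To", "Assign")

def baseline(mode, async_plugins=False, override_created_on=False):
    """Build the expected privilege set for 'read-write' or 'read-only'."""
    if mode == "read-write":
        need = CONNECT | REFERENCE
        for entity in ("Account", "Contact"):
            need |= privs(entity, *RECORD_OPS)
    elif mode == "read-only":
        need = (CONNECT | REFERENCE | privs("User Settings", "Read")
                | privs("Field", "Read"))
        for entity in ("Account", "Contact"):
            need |= privs(entity, "Read")
    else:
        raise ValueError(f"unknown mode: {mode}")
    if async_plugins:  # asynchronous Plug-Ins fire on the records touched
        need |= privs("System Job", "Create", "Read")
    if override_created_on:
        need.add("Override Created on or Created by for Records during Data Import")
    return need

def audit(granted, expected, retained_defaults=frozenset()):
    """Return (excess, missing) privilege labels, each sorted."""
    granted = {g.strip() for g in granted if g.strip()}
    excess = sorted(granted - expected - set(retained_defaults))
    missing = sorted(expected - granted)
    return excess, missing

# Constructed sample: a read-only integration role that has drifted.
SAMPLE_ROLE = [
    "Organisation: Read", "User: Read", "User Settings: Read",
    "Business Unit: Read", "Currency: Read", "Team: Read",
    "Account: Read", "Account: Delete", "Contact: Read", "Contact: Write",
    "Plug-in Type: Read",  # constructed stand-in for a retained default
]

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_ROLE, baseline("read-only"),
                            retained_defaults={"Plug-in Type: Read"})
    print("excess:", excess)
    print("missing:", missing)
```

Any privilege reported as excess is a candidate for removal from the role; anything reported as missing will surface as a failed request when the integration runs.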

 

In conclusion, the best practices for minimising the access of a Microsoft Dynamics CRM User Account used for integration between Microsoft Dynamics CRM and another system include the following:

• Use a dedicated Microsoft Dynamics CRM User Account. 

• In Microsoft Dynamics CRM Online, configure the User Account as a Non-Interactive User Account. 

• Assign a Security Role to the User Account that provides the least number and lowest level of privileges required for the integration to perform its necessary tasks. The privileges will differ based on which entities are involved in the integration and whether or not the integration is only required to read records or is required to perform other tasks such as creating, updating and/or assigning of records.