Friday, March 11, 2016

4x4 Series: Security Suggestions for the New Administrator

I was asked to participate in the CRMUG 4x4 webinar series. These are quick webinars with multiple speakers sharing tips and answering questions. I also wanted to document my tips here for future reference.

There are so many tasks for a new CRM administrator. Security is a key area to focus on. The administrator needs to be familiar with who has access to what and why. So this is an area every administrator should invest time in right away. If you are inheriting a system, reviewing the security at the beginning is a great way to provide immediate value because you may see security issues or concerns that were not previously addressed.

Dangerous Permissions
There are several permissions to watch out for in your security roles:
  • Delete - is there ever a reason your users need to delete? If not, remove it (I would vote that it is removed for all entities and most users)
  • Bulk Edit - Do you want users to be able to edit multiple records at once? If done incorrectly, this could result in a large number of records having valid data removed and replaced with something else.
  • Export to Excel - Depending on the sensitivity of your data you may want to remove the ability to Export to Excel. Keep in mind that this permission applies to the whole system, not per entity. So if users can export their list of activities, they could also export contacts with their SSNs.
  • Import - You should determine which users need to create batches of records. If this is combined with Export to Excel this can be very powerful as you can export the data, edit it and import it back into CRM. However, if this is done incorrectly it could again result in the loss of valid data.

Some other permissions to check on include: Bulk Delete, Merge, Run Workflow, etc.

Also keep in mind that Deactivate is not a permission. This can be a good alternative to delete but you should also ensure that users are trained on the proper use that fits within your business process.

Security Role Report
CRM has a Security Role report out of the box. This can be run on all users to see what roles they currently have. By default this report will include all users (enabled and disabled). However, you can run the report on users in a specific view or on selected users. This allows you to narrow down your search (at least to enabled users) before reviewing.

This report is not the easiest to read, but you can export it to Excel and modify, search, move, etc. to make it a bit easier to work with.

Advanced Find
My favorite way to monitor security is using Advanced Find. You can build Advanced Find views to show all users on a specific team or with a specific security role. I find this particularly valuable for monitoring the high access roles such as System Administrator and System Customizer. This allows you to quickly see everyone with that type of access.

Note: When you create a view for all users with a Security Role, you will want to search for where "Name" equals the role name. This allows you to capture all the different versions of the role (since there is a copy per business unit).

Advanced Find of Users on a particular team

Advanced Find of Users with a particular Security Role
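The "Users with a particular Security Role" view above, expressed as the FetchXML that Advanced Find builds (and that its Download Fetch XML button exports). This is an added example, not a screenshot or query from the original post; it assumes the role name "System Administrator" and filters to enabled users, matching the note about searching on the role's "Name" so that every business unit's copy of the role is caught:

```xml
<!-- Enabled users holding any copy of the "System Administrator" role.
     Matching on role name (not roleid) returns the role copy in every
     business unit. distinct="true" collapses a user who somehow holds
     more than one copy into a single row. -->
<fetch distinct="true">
  <entity name="systemuser">
    <attribute name="fullname" />
    <attribute name="domainname" />
    <attribute name="businessunitid" />
    <order attribute="fullname" />
    <filter type="and">
      <!-- isdisabled = 0 limits the review to enabled accounts -->
      <condition attribute="isdisabled" operator="eq" value="0" />
    </filter>
    <!-- systemuserroles is the user/role intersect entity -->
    <link-entity name="systemuserroles" from="systemuserid" to="systemuserid" intersect="true">
      <link-entity name="role" from="roleid" to="roleid" alias="assignedrole">
        <attribute name="businessunitid" />
        <filter type="and">
          <condition attribute="name" operator="eq" value="System Administrator" />
        </filter>
      </link-entity>
    </link-entity>
  </entity>
</fetch>
```

Roles a user inherits through team membership are not returned by this query; to review those, run a second query over the teammembership and teamroles intersect entities.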


Other tips?
There are so many other great security tips. Adam Vero shares a wealth of knowledge on this topic - breaking out security roles by functionality (a Base role plus an Export to Excel role, for example), understanding cascading relationships, and understanding sharing (see Special Privileges in CRM Security Roles, Figuring out Shares in the PrincipalObjectAccess POA table in CRM, and Security Roles and Teams in CRM - An Inconvenient Half-Truth). There are even tools that can tell you all the permissions in a given role and vice versa (check out the Security Role Browser in XRMToolBox).

Tips from Other Panelists
Thanks to Jim Lauer and Jay Murphy for all of these great tips!

  • Start with a Basic role for all users then add additional access
  • Limit Sharing to maintain good performance
  • Keep it simple, make it easy to administer
  • Copy system roles, do not edit in case you need to review later
  • Add a number or other prefix to your custom roles to keep them at the top of your list
  • Justify why access is needed before making changes. "Just because you can, doesn't mean you should"
  • Use a temporary team and add a role to test access for a limited time

So what are your tips? What Security issues have you had to deal with? Any surprises?
