Microsoft Dynamics 365 for Sales offers powerful and flexible CRM security options to help you manage access to your information. And it’s a good thing, too! Sound CRM security practices are vital to maintaining a high-quality database and keeping your customers, prospects, and team members happy.
In the last installment of Managing CRM, I offered a general introduction to CRM security management. If you are new to CRM security and haven’t read the introductory article, I strongly suggest you do so before reading this one.
In this article, I’ll focus on two options for your CRM security roles: layered (sometimes called hierarchical), and non-layered. To do so, I will be build on many of the terms and concepts I introduced last time.
Both layered and non-layered security roles have their strengths. You will need to choose whether to use one or the other or a combination of both, and that choice will fundamentally affect the way your team works in CRM. But ultimately, the best approach for you depends on how your business is organized.
Layered security roles
Layered security roles are sometimes called hierarchical security roles because they build on one another. Basically, as a user advances through your organization, they get more and more access to your records.
So for example, you might designate the following layers:
Level 1: Training role with extremely limited access
Level 2: Entry-level role with read access to business unit records and full access to user-owned records
Level 3: Management-level role with read access to all records and full access to business unit records
Level 4: Administrator role with full access to all records
This is, of course, incredibly over-simplified. But the theory behind a layered security role system is pretty simple: you create a baseline role shared by everyone, and then add roles to users who move up the heirarchy. Each role opens more doors in your system, granting the user increased access and privileges.
So in the above example, everyone in your organization with access to CRM shares the Level 1 role. Users who have completed their initial CRM training get both the Level 1 role and the Level 2 role. Managers get the Level 1, Level 2, and Level 3 roles. And administrators get the Level 1, Level 2, Level 3, and Level 4 roles.
Thanks to Dynamics 365 access levels, you can even build layered security roles that work across multiple departments:
As long as you create those departments as “business units” in your CRM system and then assign each user to the appropriate business unit, Level 1 is Level 1 whether a user is in sales, marketing, or service.
Non-layered security roles
Non-layered security roles operate independently of one another. Non-layered security roles allow you to match access levels and privileges to specific job descriptions rather than to an overall hierarchy of access.
For example, you could create roles with specific access levels and privileges for salespeople, sales managers, customer service reps, marketing managers, VPs, the C-level, etc.
However, non-layered security roles can still be hierarchical. But since they function independently, they allow you to create a heirarchy that isn’t based on addition.
For example, let’s go back to our layered roles:
Level 1: Training role with extremely limited access
Level 2: Entry-level role with read access to business unit records and full access to user-owned records
Level 3: Management-level role with read access to all records and full access to business unit records
Level 4: Administrator role with full access to all records
Maybe we want to add an executive role to make it look like this:
Level 1: Training role with extremely limited access
Level 2: Entry-level role with read access to business unit records and full access to user-owned records
Level 3: Management-level role with read access to all records and full access to business unit records
Level 4: Executive-level role with read access to all records
Level 5: Administrator role with full access to all records
Notice that our new Level 4 role actually loses some of the privileges granted by Level 3.
This is actually extremely common. The further away from day-to-day rank-and-file operations a user is, the less likely you are to want them to have edit or delete rights to the records their subordinates rely on.
The solution, then, is a non-layered hierarchy. Rather than simply adding more levels to users like in a layered security role system, you will need to build all access levels and privileges into each role, then assign only one security role to each user.
Of course, those numbers are holdovers from my first, layered security role example. It’s much more common to simply name those roles in a non-layered security role system:
Trainee: Extremely limited access
Professional: Read access to business unit records and full access to user-owned records
Manager: Read access to all records and full access to business unit records
Executive: Read access to all records
Administrator: Full access to all records
Choosing between non-layered and layered security roles
So which kind of security role is best for your business?
That depends.
For complex operations with many different divisions and many different user needs, a generally non-layered security role strategy is generally preferable. This approach allows you to tailor your security roles to job descriptions rather than conflating seniority with need or expertise.
For less complex operations with more predictable needs and engaged, knowledgeable management, a layered security role strategy can simplify your CRM security management. This approach is especially useful for small businesses with a lot of transparency between employees.
But for many businesses, the best option is actually a combination of unlayered and layered security roles. Essentially, this means creating layered levels within unlayered roles. So, for example, you might have Salesperson Level 1, Salesperson Level 2, and Sales Manager set up as layers, with slightly different access settings to the Customer Service 1, Customer Service 2, and Customer Service Manager roles layered in another business unit.
In any case, these are the sorts of decisions you should make early on in your implementation.
Need help settling on a security role system?
Learn more about CRM security best practices in our CRM Security archives!
For help setting up, cleaning up, or changing up your Microsoft Dynamics 365 for Sales CRM security role structure, contact us to consult with one of our experienced CRM success coaches!
Was this post helpful? Enjoyable? Do you have feedback or additional questions? Let us know in the comments, or contact us directly. We’re here to help!