15.             Security

CRM has sophisticated security configuration facilities that use a combination of business units and security roles to determine the information and functionality available to each user within CRM.

The following concepts apply to CRM security:

·        Root Organisation - the root business unit for the installation.

·        Business Unit - a hierarchical structure reflecting the organisation of the business, perhaps according to business function (sales, marketing, customer service) for a smaller company. Each User belongs to one Business Unit.

·        User - a User is assigned to a single Business Unit and has one or more security roles. The least restrictive security setting against all the roles assigned to a User determines the security level.

·        Roles - the Role determines the security permissions available against each CRM entity or function. Roles are defined against the root organisation or for a particular business unit and are inherited by the child business units.

·        Teams - individual records may be shared with individual users or with teams of users. Although teams have a default business unit, any user can be assigned to a team.

The Enterprise version of CRM offers multi-tenancy where multiple instances of the CRM database can run side by side on the same hardware with users being able to log in to each instance with a single user license. This may be useful for larger companies where different divisions run entirely separate business processes which can be installed as independent databases.

15.1.           Business Unit

An organogram of your organisation can be used to determine a hierarchy of business units within the organisation that are broken down so that all staff within each unit are likely to be sharing information with each other. Members of each unit can be assigned different security roles so that the manager role, for example, can see all information owned by a business unit but ordinary members can see only their own data.

Each business unit is part of a hierarchy (the parent business unit can be changed in the actions menu) and inherits the available security roles from its parent. It may therefore be advisable to maintain security roles against the primary business unit to keep things simple.

Business Units might also refer to external organisations that require access to CRM, such as Resellers, Affiliates or Suppliers. Security can be set up so that these users can only view and update data within their own business unit. They can be made part of a team to be given access to other records only if the record is shared with the appropriate team.

Note:    Take care when setting up the business units as the names cannot be changed after they have been entered.

15.2.           Users

All user settings can be configured within the Settings-Business Units option and new users can also be created and altered here. Note that new users must first be created in the Windows Active Directory and deleting or changing the user details within Active Directory does not automatically update the entry in CRM.

Entering the Domain Logon Name for a new user will automatically extract the remaining details from the Active Directory.

The Organisation Information for a User is useful in different areas of the application:

·        Manager can be used to create workflow and for reporting analysis.

·        Business Unit is the core organising principle behind ownership of data and security.

·        Territory is used for assigning leads and monitoring the sales cycle.

·        Site is used to determine location for scheduling.

Changing the Business Unit for a User will affect the security settings on all the records owned by the User and needs some care. Multiple records can be reassigned from an entity View with the Assign button prior to making the change or all the owned records can be reassigned with the Reassign Records option on the actions menu of the User form.

Note:    The Manager and Business Unit can be changed from the Actions menu. Changing a Business Unit against a User deletes all the Roles, so the User will have no security rights to access the system until a new set of Roles is specified.

Users can be enabled and disabled and the number of enabled Full Users needs to correspond to the number of licenses purchased for the system. There are three different Access Modes for a user:

·        Full provides access to the database according to the least restrictive of the assigned security roles.

·        Administrative users have read-only access to data but can log on to the system and change settings (no license required).

·        Read-only users pay a reduced license fee but cannot write to the database.

Note:    Read-only and administrative users can be owners of tasks even though they cannot alter data and workflow can be defined to perform email notifications as necessary.

The Email Access Configuration allows you to define how email is synchronised with CRM with regular Outlook users using the Outlook client for integration and other users perhaps using automatic routing via Exchange.

An efficient way to deploy an installation is to set up the root organisation, business unit hierarchy, roles, teams and sites and then use the Deployment Tool that is installed on the CRM Server to deploy the required Active Directory users.

Note:    You can test different users without having to log on multiple times by selecting the Internet Options and changing the Security settings for your browser to prompt for user logon. You will be prompted for a username and password each time you access the system.

The current interpretation is that CRM licensing allows all employees of the company to view data from the CRM system as well as affiliates, contractors and agents and their employees. However, an expensive external connector licence is required if data is displayed to external users (customers and so forth). Data can be captured from these individuals, for example, to log a new service request, but existing data already stored in CRM cannot be displayed to them without violating the terms and conditions of the standard license.

15.3.           Security Roles

Security settings for each Role are defined against each entity or against specific functions. A number of default roles are set up during CRM installation and can be used or copied to help with initial configuration. Take care to create roles at the highest applicable business unit in the hierarchy so that changes are passed down throughout the system.

Note:    The System Administrator and System Customiser are special roles for administering and customising the system (with read-only access to data by default).

Remember also that Users belong to a single Business Unit and can have multiple Roles with the least restrictive security permission applied where appropriate.

Security settings can be made at the following levels:

·        None - no access permitted.

·        User - the User can access entity occurrences that he or she owns as well as entities that have been shared explicitly to that user or to a team that the user belongs to.

·        Business Unit - the User can access any entity owned by members of their Business Unit.

·        Child Business Unit - the User can access any entity owned by their Business Unit or any Business Unit lower down in the hierarchy.

·        Organisation - access to everything.

Most entities have user-based ownership and the owning Business Unit is determined by the Owner of the record. Changing the Owner, using the assign button, may in some cases also change the business unit affecting the access rights on that entity occurrence. Changing the business unit for a user will also change the Business Unit of all the entity occurrences owned by that User.

15.4.           Teams

Teams are used to allow exceptions to the security levels. Perhaps some contacts need to be shared with Users in a separate Business Unit but the current security access level denies access. In this case, the entity occurrence can be shared with individual users or teams who then have the permitted access to that entity.

Note:    Teams are assigned to a default Business Unit but this seems to have no relevance to the security level. Any user can be specified as a member of any team.
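The access rules from sections 15.3 and 15.4 can be checked against a small model before roles are rolled out. The Python below is an added illustration, not CRM code: the business unit names, class names and function names are hypothetical, and it assumes that a share is honoured only when the user's roles grant at least User level on the entity.

```python
from dataclasses import dataclass, field

# Access levels from most to least restrictive, as listed in the text.
LEVELS = ["None", "User", "Business Unit", "Child Business Unit", "Organisation"]
# Constructed hierarchy (assumption): business unit -> parent business unit.
PARENT = {"Root": None, "Sales": "Root", "Sales North": "Sales", "Resellers": "Root"}

@dataclass
class User:
    name: str
    business_unit: str
    role_levels: list                      # level granted by each assigned role
    teams: set = field(default_factory=set)

@dataclass
class Record:
    owner: User
    shared_with: set = field(default_factory=set)   # user names or team names

def effective_level(user):
    """Least restrictive level across the user's roles; no roles means no access."""
    return max(user.role_levels, key=LEVELS.index, default="None")

def in_subtree(bu, ancestor):
    """True if bu is ancestor or lies below it in the hierarchy."""
    while bu is not None and bu != ancestor:
        bu = PARENT[bu]
    return bu is not None

def can_access(user, record):
    level = effective_level(user)
    if level == "None":
        return False
    if level == "Organisation" or record.owner is user:
        return True
    # Model assumption: a share is honoured from User level upwards.
    if user.name in record.shared_with or user.teams & record.shared_with:
        return True
    owning_bu = record.owner.business_unit   # owning unit follows the record owner
    if level == "Business Unit":
        return owning_bu == user.business_unit
    # User level ends here (own or shared records only); only the subtree check remains.
    return level == "Child Business Unit" and in_subtree(owning_bu, user.business_unit)

def change_business_unit(user, new_bu):
    """Moving a user removes all roles; owned records follow the owner."""
    user.business_unit = new_bu
    user.role_levels = []
```

Calling `change_business_unit` on a record owner and re-running `can_access` for the other users shows which of them gain or lose visibility of that owner's records, which is the review worth doing before moving a real user.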

 

© redware research ltd 2007

www.redware.com