Sections in this category

Security Role Permissions

Microsoft CRM allows you to create security roles which give different groups of users access to and specific capabilities on the different entities and even fields on your records. For example, a membership department may want the accounting department to be able to see the membership record but not make changes to it while accounting may not want membership staff to be able to see or make changes to GL Account records. Security Roles allow you to make these kinds of distinctions possible.


Navigate to Settings > Security > Security Roles. *** To see who has a specific security role you can first click Users and navigate to a security role from the individual user record.

Steps to Assign a new security role to a user or to remove an existing role from a user.

***You can only assign roles if you have the permissions in the role you are assigning. You do not need to have the same role, but you must have the permissions to assign them to to others.

1. Navigate to the User Record

2. Click Manage Roles on the toolbar

3. Click the role thats to be added or removed and click ok


For most entities in the system you can give users the following permissions or remove them. In some cases permissions can be for all records, or records owned by the individual user or the business unit---though most users do not get that granular which is you typically see the green dots or a blank red one.

CREATE--Allow users to create new records in this entity.

READ--Allow users to view records in this entity.

WRITE --- Allow users to make updates to records in this entity.

DELETE --- Allow users to delete records in this entity.

APPEND --- Allow users to associate the entity to others.

APPEND TO --- Allow users to make associations from other entities to this one.

ASSIGN --- Allow users to assign records to other users in this entity.

SHARE --- Allow users to share records with other users in this entity.

Some of these permissions can be set to which types of records the permission is good for.

The color/shape on the pie chart indicates the level of permission based on specific records.  *Most Cobalt custom entities are either Organization or None.

None Selected: always denies the privilege to the users assigned to the role for all records.

User: grants the privilege for records that the user owns and records that are shared with the user.

Business Unit: grants the privilege for records with ownership in the user’s business unit.

Parent:Child Business Units: grants the privilege for records with ownership in the user’s business unit and also records with ownership in a child business unit of the user’s business unit.

Organization: grants the privilege for all records in the organization, regardless of the business unit level to which the object or user belongs.


As you see in the image above there are tabs for the different CRM features and entities that are part of Microsoft CRM can be found and edited there. Note that some edits may not be possible for CRM entities.

For anything related to custom features, membership, certification, accounting, education, meetings, etc. You will need to go the Custom Entities tab.


A user must have the system administrator role to make changes to security roles that come with your system. You may be able to create your own roles if you have the permissions to do so, but you can only create and assign roles with permissions you have. You cannot create a role or give a role to someone if you do not those permissions in at least one of your own security roles.


In the case of multiple security roles the user gets the maximum permission available base on the assigned roles. So if you have a person with the Membership security role and that role does not allow users to delete membership records and give that to all membership staff and the Membership manager. However the membership manager also has a Delete Membership security role and in that role the only option selected is the delete privilege under membership, then the manager gets all the permissions from the membership role and the delete permission from the delete role.


Security Roles are part of Microsoft Dynamics CRM so there are a number of excellent resources on-line resources about how to handle specific situations. Since there are so many possible combinations we have a few possible sites to look at, but a Google search will give you even more, and may get you exactly what you need.