In Dynamics 365 CRM, the Organization (Org) is the top-level structure, while Business Units (BUs) are used to segment users and data. BUs can be organized into Parent Business Units (PBUs) and Child Business Units to reflect a company’s hierarchy.
Teams enable collaboration across BUs, and Security Roles define user permissions within their assigned BU. Field Security Profiles are used to enforce stricter control over specific fields, ensuring a comprehensive data security framework.
Table: Dynamics CRM Hierarchy and Roles
| Term | Description | Hierarchy | Purpose | Security Roles and Permissions |
|---|---|---|---|---|
| Organization (Org) | The top-level entity representing the entire CRM environment. Only one organization per CRM instance. | Top-most level | Represents the entire CRM system, housing all data, users, and business units. | Security roles can be applied across the entire organization; access depends on the user’s BU. |
| Business Unit (BU) | A logical grouping within the organization. Every user is associated with a business unit. | Can have multiple child BUs or PBUs | Used to segment data, users, and processes across departments or teams. | Security roles are assigned at the BU level, controlling access for users within the BU. |
| Parent Business Unit (PBU) | A higher-level business unit that manages child business units underneath it. | Above the child BUs | Organizes multiple child BUs into a hierarchy for better data segmentation and control. | Users in a PBU can manage child BUs but may not access records from those child BUs. |
| Child Business Unit (Child BU) | A business unit created under a Parent Business Unit. | Below a Parent Business Unit | Organizes specific teams or departments under a larger PBU, segmenting data and users further. | Inherits security structure from PBU but allows granular control within the child BU. |
| Team | A group of users who can work together within or across business units. | Can span multiple BUs | Allows collaboration across BUs and shared ownership of records. | Teams can be assigned security roles, allowing access to records owned by other BUs or users. |
| Security Roles | Define permissions for users or teams, such as access to records and create/edit/delete rights. | Assigned at the BU or team level | Control user actions on CRM data, segmented by entity, form, or field level. | Inherited from BUs but can be customized for specific users or teams. |
| Field Security Profile | Used to secure specific fields across the organization or business units. | Applied to fields across BUs or org-wide | Allows admins to hide or restrict access to certain fields, even for users with general entity access. | Field security complements security roles for more granular data access control. |
| User | A licensed individual who can access Dynamics CRM, assigned to a specific BU. | Must belong to a single BU at a time | Users manage records and perform tasks according to their assigned BU’s structure. | Access controlled via security roles and field security within their BU. |
Notes by Akira28:
- Role-Based Security: Assign only necessary privileges to users via roles.
- Business Unit Segmentation: Use BUs to control data access across teams.
- Field Security Profiles: Restrict access to sensitive fields for specific users.
- Teams and Access Rights: Assign roles to teams for easier access management.
- Auditing and Monitoring: Enable auditing to track changes and monitor security actions.