With security becoming more and more important with online data, securing your data within your system is also very important. We all need to keep the bad guys out of the system, but we also need to keep our users from accessing sensitive data as well.
In MSCRM, you can hide fields from forms and remove them from selection filters, but if you have any skills with MSCRM, you can find a way to get the data out if you have read access to an entity. So how do we prevent prying eyes?
MSCRM introduced Field-Level security a few versions back. But it is still not widely used. With field level security, you can grant users read permissions to an entity while securing specific fields with security profiles. The users can access and read the form, but without the correct field permissions, they can't see the data within that field. This security is also carried across Advanced Finds, Views, and Reports.
So how do we create a secure field?
It's quite easy. Just create a field for an entity the usual way but before you save it, make sure you set the Field Security radio button to "Enabled".
Now for the hard part. In order to set permissions for this field, you need to add a Field Security Profile. To do this, go to Settings/Security and click on the Field Security Profiles link.
From the Field Security Profiles area, click on the NEW button to create your profile. Add a name specific to the permissions and then add some Users or Teams who will have those permissions. Below I created a Profile for users that will have full access to secure fields.
I've added the CRM Admin user to this profile.
Once the Users are added, you can now set the field permissions. Click on Field Permissions on the left and double-click your field to open the Security dialog box.
Now you can set your Read, Update, and Create permissions. Below we are giving full access so we change all the fields to YES.
Once you save the above, your field permissions will look like the image below.
Most people setup profiles for those who need to access these fields. Don't forget to disallow access for users who do not need it. By default, if you are not listed in a Field Security profile, you will not be able to see data within that field. However, without being a part of a profile for that field, you may run into an issue with reporting. A report with a secure field listed as a column might throw an error for a user not listed as a member of a secure profile for that field. So create another profile called "Security Field NO Access" and add the members who do not have rights to that field. Then set the Allow permissions to NO.
In my example, I'm setting up one profile for all secure fields. You can have separate profiles for each field with any combination of permissions. Remember, CRM System Admins have full permissions no matter what.
Beringer Associates, a Microsoft Gold Certified Partner, is always here to provide expert knowledge in topics like these. Please contact us with any questions you may have.