Miscellaneous Privileges on Security Roles – Part Three

We’ve had Part One and Part Two to help explain the Miscellaneous Privileges for Core Records, Marketing, Sales, Service and Service Management. Part Three will look at the Privacy Related Privileges and Miscellaneous Privileges found on the Business Management tab on a Security Role. Hold on to your hats, this is a long one!!!

Privacy Related Privileges

Document Generation

Users can create Word or Excel templates, either as a personal template or as a system template for all users (based on permissions). Without this privilege, the Excel Templates, Create Excel Template option is missing from the ribbon on a view, and the Word Templates, Create Word Template option is missing from the ribbon on a record. If the user still has access to the system templates (Settings>Templates>Document Templates), they can still access the New button to create a template. When creating a template, a Download File button is present.

If the Document Generation privilege is not enabled, the user will receive the message below.

Dynamics 365 for mobile

The Dynamics 365 apps for Phones and Tablets are a great way for users to access information while on the go, visiting clients or in between sales meetings. If this privilege is not assigned to a security role and a user tries logging in to one of the apps, this message will be displayed to them and they will not be able to access Dynamics 365 from their device.

Export to Excel

From a View or Advanced Find, there is the option to export the results to Excel. Without this privilege, the Export to Excel option will be missing for users with the security role.

Go Offline in Outlook

Users with a security role that does not have this privilege will not be able to sync while offline when using Dynamics for Outlook. The option will not be made available to them.

Mail Merge

Without this privilege, the option to perform a Mail Merge from a Marketing List is removed. I have seen other reports that this allows a user to use the Mail Merge option from Outlook.

Print

From the cog at the top right of CRM, when logged in, users can generate a nice printer friendly display of a grid or record. Without the Print privilege, the Print preview option will not be visible to the user.

Sync to Outlook

If the Sync to Outlook privilege has not been set, users will not have access to the Synchronization tab in the Options (accessed from the cog at the top right of CRM when logged in). This will also prevent users from being able to sync Contacts and Activities to Outlook.

Use Dynamics 365 App for Outlook

The Dynamics 365 App for Outlook is currently a preview feature which works with Dynamics 365 online version 9.0 or later only. The Microsoft Dynamics 365 App for Outlook is an Office add-in that you can quickly add to your users' Outlook applications so they can track emails and appointments, create contacts, and review Dynamics 365 information in the context of their emails or appointments. To be eligible for this app, users need the Use Dynamics 365 App for Outlook privilege and must have server-side synchronization set up for incoming emails or for Appointments, Contacts and Tasks. (This is taken from the Getting Started with Microsoft Dynamics 365 App for Outlook settings area in D365.)

Miscellaneous Privileges

Act on Behalf of Another User

This is used to complete business logic ‘on behalf’ of another user, or to impersonate them. More information can be found here.

Approve Email Addresses for Users or Queues

To be able to approve or reject email addresses for Users or Queues, the security role for a user must have the Approve Email Addresses for Users or Queues privilege.

Assign manager for a user

From a user record, you can change their Manager to indicate who they report to in the organisation. Without this privilege, the users with the security role should not be able to assign the manager and perform this action. However, during testing, the user with a security role where this privilege was missing was still able to make the change. They had all levels of access to the User record…. so I don’t believe this privilege works as intended. Anyone else noticed this?

Assign position for a user

From a user record, you can change their Position to indicate their role within the organisation. Without this privilege, the insufficient permissions error will occur.

Assign Territory to User

This setting will allow you to change the territory field on a user record. Without it, you will get the following insufficient permissions error.

Bulk Edit

This privilege allows you to select multiple records from a view and then use the Edit button to make changes at the same time. Without the privilege, the button will not be displayed.

Change Hierarchy Security Settings

The Hierarchy Security Settings are accessed from Settings, then Security. If a user has a security role with this privilege, they can configure hierarchy security, including enabling hierarchy modelling and selecting the model. Users can also specify how deep the hierarchy goes, and specify the entities to exclude from a hierarchy.

Dynamics 365 Address Book

This privilege will let users search for Dynamics 365 Contacts when sending an email from Outlook.

Enable or Disable Business Unit

A Business Unit can be enabled or disabled from the More Actions menu. Without this privilege, the Enable and Disable options will not be displayed.

Merge

Records can be merged from Advanced Find, or a view. If the security role does not have the Merge privilege set, users with that role will not be able to merge any records together.

Override Created on or Created by for Records during Data Import

When importing records using the data import functionality, the created on and created by fields are populated with the date and time the import occurred and with the name of the user who completed the import. With this privilege, an import file can be imported with additional column headers including the overriddencreatedby person (adding the user's first and last name) and the overriddencreatedon date. If the user does not have this privilege on their security role, they will not see the Created On option in the list of fields to map to. They can pick the Created By field, but it won’t have any impact on the data being imported (it will still show their own name as the Created By).

Perform in sync rollups on goals

Goals in CRM are recalculated automatically every 24 hours. However, this can be done manually from a Goal record, or a view of Goals by clicking the Recalculate button. Without this privilege, the Recalculate button will be missing.

Read License info

Thanks to Rawish Kumar from the Dynamics Community for helping out with information on this one. This privilege is used to retrieve the number of used and available licenses for a deployment of Microsoft Dynamics CRM. It’s not commonly used but would mainly be used by a developer to read this information. RetrieveLicenseInfo is used in plugins too. From a user's perspective in the user interface, there will be no difference in what is seen either with or without this privilege.

Reparent Business unit

Other than the default Business Unit, every other Business Unit must have a Parent. If you have a complex organisation with multiple Business Units, you might at some point need to change a Parent on a Business Unit record. From the Business Units section in Security, with a Business Unit selected from the list, the Change Parent Business option will be in the More Actions menu. Without this privilege, the option will not be displayed.

Reparent team

A Team record must belong to a Business Unit. The Reparent team privilege will give the user a Change Business Unit button that can be accessed from the Team record. The user can then change the business unit. This can also be done directly from the lookup field. Users without this privilege but who have access to the Business Unit entity can change it in the lookup field, but when they try to save, it will revert to the original Business Unit that was in the field.

Reparent user

A User record must belong to a Business Unit. The Reparent user privilege will give the user a Change Business Unit button that can be accessed from the user record. The user can then change the business unit. This can also be done directly from the lookup field. Users without this privilege but who have access to the Business Unit entity can change it in the lookup field, but when they try to save, they will get the insufficient permissions message below.

Send Email as Another User

Having this privilege is not enough on its own to send emails as other users; the users in question must also allow this to occur. From the cog icon at the top right of Dynamics 365, select Options. On the Email tab, the ‘Allow other Microsoft Dynamics 365 user to send email on your behalf’ option must be ticked. The important notice underneath feels a little sinister, but if the option isn’t selected, any workflow in the system that contains an email that should go out from the owner of a record will fail when that owner doesn’t have the option selected. However, with this option selected, in theory a user could create an email in D365 and change the person in the From field from themselves to another user without that user's consent.

If you try and send an email From a user who has not allowed it, the following error will occur. If it’s a workflow trying to send an email, this will be something only a system administrator would be aware of and could view in a list of failed processes.
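The two-part rule above (the sender's role must hold the privilege and the From user must have ticked the personal option) can be checked across a user list. The following is an added example, not code from the original post or from Microsoft; the roles, users, workflows and field names are constructed for illustration and are not a Dynamics 365 export format.

```python
# Added example: models the rule described above on constructed data.
SEND_AS = "Send Email as Another User"  # privilege label as shown on the security role

ROLES = {  # role -> miscellaneous privileges granted (constructed)
    "Salesperson": {"Export to Excel"},
    "Sales Manager": {"Export to Excel", SEND_AS},
}
USERS = {  # user -> roles held, and the personal opt-in from Options > Email (constructed)
    "alice": {"roles": ["Sales Manager"], "allows_send_on_behalf": False},
    "bob": {"roles": ["Salesperson"], "allows_send_on_behalf": True},
    "carol": {"roles": ["Salesperson"], "allows_send_on_behalf": False},
}
WORKFLOW_EMAILS = [  # workflow -> owner of the record used in the From field (constructed)
    {"workflow": "Quote follow-up", "record_owner": "bob"},
    {"workflow": "Renewal reminder", "record_owner": "carol"},
]

def has_privilege(user, privilege):
    """True if any of the user's roles grants the privilege."""
    return any(privilege in ROLES[role] for role in USERS[user]["roles"])

def can_send_as(actor, target):
    """Actor may put target in From only if BOTH conditions hold."""
    if actor == target:
        return True
    return has_privilege(actor, SEND_AS) and USERS[target]["allows_send_on_behalf"]

def send_as_pairs():
    """Every (actor, target) pair where actor can send mail that appears to come from target."""
    return sorted((a, t) for a in USERS for t in USERS if a != t and can_send_as(a, t))

def workflows_that_will_fail():
    """Workflow emails sent from a record owner who has not ticked the opt-in."""
    return [w["workflow"] for w in WORKFLOW_EMAILS
            if not USERS[w["record_owner"]]["allows_send_on_behalf"]]

if __name__ == "__main__":
    for actor, target in send_as_pairs():
        print(f"REVIEW: {actor} can send email as {target}")
    for name in workflows_that_will_fail():
        print(f"WILL FAIL: workflow '{name}' (record owner has not allowed send on behalf)")
```

The first list is the set of sender and From combinations an administrator would want to review; the second is the set of workflow emails that would end up in the failed processes list.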

Send Invitation

Prior to any integration with Office 365 and CRM online, a user could be sent an invitation to log in and access the system. This is no longer needed, and users are set up in Office 365. Their access information can be sent to them at the end of the set up. The Invitation Status field still exists and will display Invitation Accepted if the user has logged in for the first time.

Update Business Closures

Business Closures can be set up in Settings, Business Management to indicate when your organisation is closed. If the Update Business Closures privilege is not set, the menu showing the New, print preview, export, delete and More Actions menu will not be displayed to the user.

Web Mail Merge

Assigning this privilege allows a user to see and use the Mail Merge options from the Advanced Find. However, if the Mail Merge option in the Privacy Related Privileges is not enabled, it’s irrelevant if the Web Mail Merge is enabled.

Read others in the series:

Miscellaneous Privileges on Security Roles – Part One
Miscellaneous Privileges on Security Roles – Part Two

Helpful Info

This link from Microsoft provides a mapping of the security role user interface to the privilege names.

Security role UI to privilege mapping

2 thoughts on “Miscellaneous Privileges on Security Roles – Part Three”

  1. An ambitious but useful series Megan. This looks like a labour of love! Very useful – some of these permissions still cause me to consult documentation despite working with CRM for over a decade. Thanks for taking the time to write it all down. The next challenge is keeping it up to date with the myriad changes from Microsoft 🙂

    1. Thanks Greg. It gives me a headache thinking of keeping up with it all! But I probably should keep that in mind and update the Miscellaneous Privileges articles as and when new things come out, or stuff changes. Good to know, but you are right, a challenge to keep up with! Thanks for posting a comment!
