I don't understand why a user can have multiple security roles, but can only be in one business unit?
We have people who work in more than one business unit and wear different 'hats' depending on what business unit they are representing. For example, a Senior Manager in Marketing may resign, and in the interim a Finance Director from Finance may take up his job until a new person can be found. The FD is assigned the business unit of Finance but he now also works in Marketing.
How can this be accommodated in Dynamics CRM?
A security role determines what privileges (things they do and entities they can use) a user has.
A business unit determines what records they will have access to with those security roles.
Together these can be used to silo data between various business areas and users.
Business units are arranged in a hierarchy.
Root
- Marketing
- Finance
- Sales
- Service
If a user who was working in Finance needed to work in Marketing, the classical answer would be to move them up the hierarchy into the root where they have access to all the children (assuming their security role gives them access to child BUs). However, in this case that also gives them access to Sales & Service, which may be undesirable.
Teams are a newer feature which allow you to work in multiple business units without having to exist in the root business unit (or have organisation-wide permissions). By adding the user from Finance to the Marketing Team they get access to Marketing and Finance, but not Sales & Service.
Although having a user exist in multiple business units would be a handy feature, it isn't. I suspect this is due to evolution of CRM as a product as much as anything else. If I remember correctly BUs have always existed, whilst Teams only arrived in CRM 2011 (or 4?). Teams aren't a workaround or a hack, just a different feature set which you can use for different things.
Teams also avoid problems with Sharing records (how people used to solve these problems) which doesn't scale very well.
Without knowing your project, do you actually need all those business units? Business units should model the security requirements of the organisation - not the actual organisation structure. So taking my example above, is there any reason we would want to segregate data between those 4? It's one company, they work with the same customer base, wouldn't it be better to just share the data? In which case a single business unit will do.
A more common example where segregation is required is if you also had a HR department. You probably wouldn't want to share all your employees' details with every other employee, so in that situation it makes sense to silo them in their own business unit - which would probably sit above all other business units in the hierarchy.
Root
- HR
  - Marketing
  - Finance
  - Sales
  - Service
You might look at that structure and think it looks nothing like the business (HR doesn't run everyone else!), but that is fine, this structure models the security requirements, not the organisation.
That all said, it sounds like you want to use teams - which are a perfectly decent solution.
You may find this useful: CRM 2011 Team Permissions In Practise.
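The comparison made in the answer above (move the user to the root versus add them to a Marketing team), as an added example that is not part of the original answer and is not Dynamics CRM code. It is a simplified model: the `"bu"` and `"deep"` depth labels, the dictionary layout and all function names are assumptions made for illustration.

```python
# Simplified model (an assumption for illustration, not the CRM engine):
# each role grant is scoped to a business unit (BU) with a depth of
# "bu" (that BU only) or "deep" (that BU and every BU below it).
PARENT = {"Root": None, "Marketing": "Root", "Finance": "Root",
          "Sales": "Root", "Service": "Root"}

def in_subtree(bu, top):
    """True if `bu` is `top` or sits anywhere below it in the hierarchy."""
    while bu is not None:
        if bu == top:
            return True
        bu = PARENT[bu]
    return False

def grants(user):
    """Yield (bu, depth) for the user's own role and for each team's role."""
    yield user["bu"], user["depth"]
    for team in user.get("teams", []):
        yield team["bu"], team["depth"]

def readable_bus(user):
    """Business units whose records the user can reach under this model."""
    reachable = set()
    for bu in PARENT:
        for scope, depth in grants(user):
            if bu == scope or (depth == "deep" and in_subtree(bu, scope)):
                reachable.add(bu)
    return reachable

def excess(user, needed):
    """BUs the user can reach but does not need: the over-provisioning."""
    return readable_bus(user) - set(needed)

# Constructed sample users for the Finance Director scenario.
fd_original = {"bu": "Finance", "depth": "bu"}
fd_moved_to_root = {"bu": "Root", "depth": "deep"}
fd_with_team = {"bu": "Finance", "depth": "bu",
                "teams": [{"bu": "Marketing", "depth": "bu"}]}

if __name__ == "__main__":
    needed = {"Finance", "Marketing"}
    for name, user in [("original", fd_original),
                       ("moved to root", fd_moved_to_root),
                       ("team member", fd_with_team)]:
        print(f"{name:14} reach={sorted(readable_bus(user))} "
              f"excess={sorted(excess(user, needed))}")
```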
Using Teams.
More information here:
http://andrewbschultz.com/2011/06/17/the-architecture-of-team-security-in-crm-2011/
and here:
http://blogs.msdn.com/b/crm/archive/2013/06/13/using-teams-to-solve-complex-record-sharing-scenarios.aspx