4
votes

I don't understand why a user can have multiple security roles, but can only be in one business unit?

We have people who work in more than one business unit and wear different 'hats' depending on what business unit they are representing. For example a Senior Manager in Marketing may resign, and in the interim a Finance Director from Finance may take up his job until a new person can be found. The FD is assigned the business unit of Finance but he now also works in Marketing.

How can this be accommodated in Dynamics CRM?


3 Answers

6
votes

A security role determines what privileges (things they do and entities they can use) a user has.

A business unit determines what records they will have access to with those security roles.

Together these can be used to silo data between various business areas and users.

Business units are arranged in a hierarchy.

Root

  • Marketing

  • Finance

  • Sales

  • Service

If a user who was working in Finance needed to work in Marketing, the classical answer would be to move them up the hierarchy into the root where they have access to all the children (assuming their security role gives them access to child BUs). However in this case that also gives them access to Sales & Service which may be undesirable.

Teams are a newer feature which allow you to work in multiple business units without having to exist in the root business unit (or have organisation wide permissions). By adding the user from Finance to the Marketing Team they get access to Marketing and Finance, but not Sales & Service.

Although having a user exist in multiple business units would be a handy feature, it isn't. I suspect this is due to evolution of CRM as a product as much as anything else. If I remember correctly BUs have always existed, whilst Teams only arrived in CRM 2011 (or 4?). Teams aren't a workaround or a hack, just a different feature set which you can use for different things.

Teams also avoid problems with Sharing records (how people used to solve these problems) which doesn't scale very well.

Without knowing your project; do you actually need all those business units? Business units should model the security requirements of the organisation - not the actual organisation structure. So taking my example above, is there any reason we would want to segregate data between those 4? It's one company, they work with the same customer base, wouldn't it be better to just share the data? In which case a single business unit will do.

A more common example where segregation is required is if you also had a HR department, you probably wouldn't want to share all your employees' details with every other employee, so in that situation, it makes sense to silo them in their own business unit - which would probably sit above all other business units in the hierarchy.

Root

  • HR

      • Marketing

      • Finance

      • Sales

      • Service

You might look at that structure and think it looks nothing like the business (HR doesn't run everyone else!), but that is fine, this structure models the security requirements, not the organisation.

That all said, it sounds like you want to use teams - which are a perfectly decent solution.

You may find this useful: CRM 2011 Team Permissions In Practise.

1
votes

Background

Security Roles modify what users can see within their Business Unit. Typically, I have seen business units be used for larger organizations with separate distinct divisions (e.g. BU1 = USA, BU2 = Europe). This helps keep USA users working in USA data and Europe users working in Europe data. Often I have seen business units be used when they don't really need to be and it adds a lot of unneeded complexity.

Your BU Setup

Your scenario makes it sound like the manager and member of finance should be in the same Business Unit, but have different security roles (finance may have access to Invoices whereas the manager would not). These users would likely both need access to Accounts, which is why they wouldn't need to be in different BUs.

Answer: Working Around Business Units

If you do have Finance and Marketing in separate BUs a good way to get around this is to use teams to share across business units. Find details here: http://blogs.msdn.com/b/crm/archive/2013/06/13/using-teams-to-solve-complex-record-sharing-scenarios.aspx

Teams are a supported solution to the problem. It's not too complex of a process. Let's say we have User1 in BU1 and we want him/her to have access to records in BU2:

  1. Create a team in BU2
  2. Add security role to BU2 that gives access to the records you want User1 to see
  3. Add User1 to the team

Answer to Question in Comment Regarding Root Business Unit

The root business unit does not have to be for admins only. Depending on your business' hierarchy complexity, you may have all of your users in your root BU. Business Units let you designate permission levels for security roles (e.g. contact read permissions may be set for entire BU, BU and Children BUs, and records the User owns).
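
The two options discussed in the answers above (moving the user to the root BU versus adding them to a team in the other BU) can be compared with a small access model. This is an added example, not part of either answer and not Microsoft's implementation: the names `Principal`, `readable_bus` and the depth constants are hypothetical, and the model is simplified to read access at three depths (own records, business unit, business unit plus children).

```python
from dataclasses import dataclass, field

# Constructed hierarchy matching the first answer's example: child -> parent.
PARENT = {"Root": None, "Marketing": "Root", "Finance": "Root",
          "Sales": "Root", "Service": "Root"}

# Hypothetical names for the read depths a security role can grant.
USER, BU, BU_AND_CHILDREN = "user", "bu", "bu_and_children"

def descendants(bu):
    """Return bu plus every business unit below it in the hierarchy."""
    found, frontier = {bu}, [bu]
    while frontier:
        current = frontier.pop()
        for child, parent in PARENT.items():
            if parent == current and child not in found:
                found.add(child)
                frontier.append(child)
    return found

@dataclass
class Principal:
    """A user or a team: exactly one business unit, plus a role's read depth."""
    name: str
    bu: str
    read_depth: str
    teams: list = field(default_factory=list)

def readable_bus(principal):
    """Business units whose records are readable, directly or through teams."""
    if principal.read_depth == BU_AND_CHILDREN:
        scope = descendants(principal.bu)
    elif principal.read_depth == BU:
        scope = {principal.bu}
    else:
        scope = set()  # user depth: own records only, no BU-wide visibility
    for team in principal.teams:
        scope |= readable_bus(team)  # team's role applies in the team's BU
    return scope

def compare_options(required=frozenset({"Finance", "Marketing"})):
    """Return (root-move scope, team scope, excess exposure of the root move)."""
    moved_to_root = Principal("FD", "Root", BU_AND_CHILDREN)
    marketing_team = Principal("Marketing Team", "Marketing", BU)
    via_team = Principal("FD", "Finance", BU, teams=[marketing_team])
    root_scope, team_scope = readable_bus(moved_to_root), readable_bus(via_team)
    return root_scope, team_scope, root_scope - required
```

The third value returned by `compare_options()` is the set of business units the root move exposes beyond what the interim role needs, which is the least-privilege argument for the team approach.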