Data security in Microsoft Dynamics 365 should not be underestimated, as it provides businesses flexibility and control over their data security protocols. An especially important priority for most businesses is protecting their sales and customer data – understanding the sales numbers and customer relationships that contribute to business revenue is critical for developing productive business strategies. But if that sensitive data falls in the wrong hands, it can spell catastrophe.
Dynamics 365’s CRM application, Dynamics 365 for Sales, allows you to provide the right information and reporting to the right people, while at the same time safeguarding against potential breaches. But first understanding what levels of data security are needed for your organization (and the reporting your team needs access to with their varying security credentials), is essential to architecting the appropriate security controls and data access in your Dynamics 365 for Sales application.
Role-Based Security: Different Reporting Views for Different Roles in Dynamics 365 for Sales
In the below scenarios, which is the correct behavior, and which is the incorrect behavior?
Two Dynamics 365 users log-in to the exact same Sales organization and run the same ‘All Opportunities’ report at the same time, but the users get wildly different results in their respective reports.
In another Dynamics 365 for Sales organization, two users log-in at the same time and both see identical ‘All Opportunities’ reports.
It’s an impossible question to answer because the ‘correct’ behavior depends on the business’s needs and reflects how Dynamics 365 was implemented to support those needs. For instance, a business may require data to be restricted by user, limiting a Sales user’s view to only the opportunities in his or her assigned territory (as in the first scenario). Whereas for other businesses, all Sales users are allowed to see all opportunities, regardless of the owner/territory (but perhaps they may not be able to edit the ones they don’t own).
The nature of customer relationship management in general is often that some users should see some data, while not being allowed to see other data.
Reporting Security: The Framework for Data Visibility
Consider this scenario:
A company’s sales department contains salespeople, regional managers, and a handful of executive vice presidents of sales, per division.
When logging into the company’s Dynamics 365 for Sales organization, salespeople are able to see only their opportunities. Regional managers have visibility into their own opportunities, plus the opportunities owned by multiple salespeople in their region. The executive vice president sees all opportunities within their division.
Since an opportunity might cross divisions or regions, those opportunities are “shared” with multiple people who wouldn’t otherwise see it.
Some organizations allow most records to be visible to all users EXCEPT the highly confidential deals that have additional restrictions on them to limit their visibility.
This type of record-by-record entitlement matrix would make data highly fragmented when it comes to determining who should see which record when preparing a report. But Dynamics 365 for Sales handles this with ease through a security model that ensures all data retrieved is filtered through the permissions of the user who retrieves it.
Securing Data for Reporting: Understanding How Data Sources Are Protected
Securing data for reporting in Dynamics 365 can be done in a couple different ways:
Many data sources are protected by binary ‘read’ security – either you can see the all the data within the reporting area, or you can’t. For example, a person with permissions to view transaction log data would be able to see all the data in those logs. This basic security is simple to implement.
- Some data sources have natural segmentation between data and reporting groups. For example, users working in the Payables department can see inbound inventory data, but cannot see the company’s payroll data. Or another example, users in the Eastern Division can see their warehouses’ inventory transactions, but not the Western Division’s warehouses’ transactions. This type of gross segmentation is common and is relatively easy to manage in the reporting functions.
Questions to Ask About Your Company’s Security and Reporting Needs
Understanding what security controls your business needs is crucial to understanding how to configure the right access and permission for your Dynamics 365 for Sales users. Here are some questions to help you figure out your requirements:
Do we need any record-level security partitioning? I.e. do we want some users to see more, or fewer, records (such as opportunities) than others?
Some companies take the approach that all sales users should be able to ‘view’ any quote/order/opportunity etc. Others take a more restrictive approach and segment sales users’ visibility based on factors like business units, teams, ownership, status, or sharing. If your company does not implement any intra-organization security, then things are simple; otherwise, it’s important to understand the type of security needed.
If record level security/partitioning is implemented, will the audience of the report be able to see all the records that are being reported on?
Even if an organization implements a complex security model (i.e. some users can see some records, while other users can’t), if the audience of the report is a manager and can already see all records, then the security model inside Dynamics 365 is not a factor in the design of the report model.
Is the data in the report either summarized sufficiently or in a state where partitioning the data is no longer needed?
Sometimes report data may be important to keep private at the individual row level, but the data in the report is sufficiently aggregated to the point where the details of individual rows are sufficiently obscured or are no longer relevant.
Can the data be secured by filtering according to a large partition outside of Dynamics 365 for Sales (e.g. a business unit, country, multi-state region)?
Sometimes businesses will need group/filters that ensure only users within those groups can see specific slices of data. This adds some level of additional management of rights/group membership, but it could address the security challenges faced by organizations that need to separate data by large partitions of the organization.
There are a variety of data security/partitioning strategies that a business can implement within Dynamics 365, but knowing what you need is an important first step in safely moving forward. For questions on which Dynamics 365 security controls are best for protecting your business data, please contact Hitachi Solutions today.