Monday, 2 May 2016

Make a user in CRM ‘Joining More than 1 Business Unit’, enabling Users to See outside their Parent-BU Child Cluster Group records

Hi friends. Dynamics CRM handles security access well: its ownership model is based on a combination of the Business Unit hierarchy and Security Roles. But there is always a limitation, for example that one User cannot be assigned to more than one Business Unit.

The security role privileges are also strict. If you have designed a Parent-Child user access level, the users inside cannot see records owned by other BUs outside their parent-child cluster. The way around is either to assign Organization level access or to use Sharing, but sharing can make the structure a little unstructured: it is not easy to track shared/unshared records in a single view unless we create a report or write an advanced SQL query.

I am writing this post because I have a case that I am pretty sure could be one of your own experiences in your CRM-ing journey.

So, here is the scenario that led me to this idea.

The Scenario

Understand the Business Unit Hierarchy

Imagine, I have this hierarchy

image

The applicable rule is a very common requirement in Sales: the BUs cannot intervene in each other's records, but users can see the records within their own BU for collaboration. Using CRM Security Roles, I can easily fulfil this by granting either the Business Unit level or the Parent Business Unit level privilege.

So, in CRM I have these Business Units

CRM Business Unit Records

User join BU-1.1 cpy

Now, Understand the Users

In CRM, I would have this list of Users

User join BU-1 cpy

Now a More Complex Rule

Now, I have another requirement:

The Product HQ Team is a stand-alone Business Unit. It is not Sales-related; it purely does R&D and Product Management, but it supports all Regional Sales. So once it has a record, for example a Potential Customer known to one of the Product Managers, or a product-related record that supports Sales, Regional Sales should be able to view it.

For example, Shawn Owen is a salesperson from West and Michael Lee is from Product HQ.

Once Michael has created a new Account, Shawn should be able to view it, because the organization needs him to follow up; it is not Michael's job.


image

What’s Happening

We have already implemented Security Roles so that each User is assigned to a Regional Business Unit with access at Parent-Child level at most, to prevent the regions from seeing each other's records.

We also have a Regional Manager sitting in the Region area, which is correct. And Product HQ is a separate Business Unit without intervention.

All records:

User join BU-2

We know that when Shawn Owen logs in (see the logged-in username at the top right), he only sees his own records and those of his WEST Business Unit teammates.

User join BU-4

And when Michael Lee logs in:

User join BU-5

Yes, they cannot see each other's records, which is correct for the first rule, but we have another requirement: to let the Regional users see Accounts newly created by Product HQ.

So the expectation is that once Shawn Owen is online, he will see the other 2 records owned by “Product HQ”.

The Workaround

What we can do without tweaking is to let the Product HQ user, as owner, share the records with the Regional BU Teams or with individual Users.

So, I share the record with Shawn and West.

User join BU-6

Now, when Shawn Owen logs in, he is able to see the record that I just shared.

User join BU-7

But it is troublesome, because every record must be shared. You can also do it programmatically, which is easy; that is another workaround.

So far I have shared only 1 record; I need to share 1 more so that both records owned by Product HQ can be viewed by Shawn Owen.

This is not what I want to share in this article, so here is a new idea utilizing the concepts of User, Team, and Business Unit.

The Final Solution

We know that we cannot grant Organization access to the Sales users, nor can we assign Shawn Owen to two different Business Units, so here is the solution.

Shawn Owen wants to see the records owned by Product HQ. Every Business Unit in CRM always has a Default Team, and every user of the Business Unit joins that default Team. So if we want a user to “virtually” join two different Business Units, we need to make him join the teams. However, we cannot manually add a User to the Default Business Unit Team in CRM.

So the idea is to create our own Custom Team manually.

User join BU-8

I create the Team and set its Business Unit to Product HQ, the Business Unit whose records I want the user to see.

Then, as part of my experiment, I need to make one of the users from Sales join the team.

User join BU-9

That is not enough, though; I also need to assign a Security Role to the team.

User join BU-10..1jpg

With Security Role detail:

User join BU-12

Note:
And this is very important: you need to assign the team a Security Role with Business Unit access as well. Even though YOU HAVE ASSIGNED THE PRIVILEGE TO THE USER SECURITY ROLE, it is not enough if you want to play with the Team concept of ownership!!

And now, from Shawn's perspective:

User join BU-13

He has now joined two Teams.

And now see the result once he logs in…

The Result

User join BU-11

As we can see, once SHAWN OWEN from WEST logs in, he can see records owned by his Team (WEST) and also by Product HQ (even though Shawn is not part of the Product HQ Business Unit).

He is virtually joining the Product HQ Business Unit, so long as the records are owned by Product HQ Default Team or Product HQ Custom Team and the Team has Business Unit access. User access is not enough!
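
The access rule this solution relies on, as a simplified model added here (it is not the author's code and does not use the CRM SDK): a security role is evaluated relative to the Business Unit of the user or team that holds it, so a team in Product HQ with Business Unit depth Read extends that scope to its members. The flat BU layout, the team name `HQ Viewers` and the helper names are assumptions for illustration.

```python
from dataclasses import dataclass, field
NONE, USER, BU, PARENT_CHILD, ORG = range(5)   # Read depth of a security role
# Constructed hierarchy (assumption): three BUs directly under the root.
PARENT = {"Root": None, "West": "Root", "East": "Root", "Product HQ": "Root"}

@dataclass
class Principal:                  # a user or a team; each sits in exactly one BU
    name: str
    bu: str
    read_depth: int = NONE        # depth of Read in the role assigned to it
    members: set = field(default_factory=set)      # user names (teams only)

@dataclass
class Record:
    name: str
    owner: Principal
    shared_with: set = field(default_factory=set)  # names of principals

def in_subtree(bu, root):         # is `bu` equal to `root` or below it?
    while bu is not None and bu != root:
        bu = PARENT[bu]
    return bu == root

def role_covers(holder, record):
    """A role is evaluated relative to the BU of the principal holding it."""
    depth, owner_bu = holder.read_depth, record.owner.bu
    if depth == PARENT_CHILD:
        return in_subtree(owner_bu, holder.bu)
    if depth == BU:
        return owner_bu == holder.bu
    return depth == ORG or (depth == USER and record.owner is holder)

def can_read(user, record, teams):
    """Union of the user's own role, roles of joined teams, and shares."""
    holders = [user] + [t for t in teams if user.name in t.members]
    if any(h.name in record.shared_with for h in holders):
        return True               # explicit sharing (the workaround)
    return any(role_covers(h, record) for h in holders)

# Constructed sample data using the names from the article.
shawn = Principal("Shawn Owen", "West", PARENT_CHILD)
hq_team = Principal("Product HQ", "Product HQ", BU, {"Michael Lee"})
account = Record("New Account", owner=hq_team)
viewers = Principal("HQ Viewers", "Product HQ", NONE, {"Shawn Owen"})  # hypothetical

if __name__ == "__main__":
    print(can_read(shawn, account, [hq_team, viewers]))  # team has no role yet
    viewers.read_depth = BU       # give the team Business Unit depth Read
    print(can_read(shawn, account, [hq_team, viewers]))
```

The same function can be run over every user and record pair to list who gains visibility when a team's role depth changes, which is the review to do before widening a team role.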

Hope this helps.
Thanks

7 comments:

  1. The last statement "so long the records are owned by Product HQ Default Team or Product HQ Custom Team" is factually incorrect. Even records owned by users (not team owned) who are part of the Product HQ BU is sufficient for Shawn to view the account record. Basically if Michael owns the record instead of the Product HQ default team or the custom, it still suffices.

    1. Hi Abhirup:
      Even records owned by users (not team owned) who are part of the Product HQ BU is sufficient for Shawn to view the account record

      Yes, but if Shawn is not part of the Product HQ BU, I have no idea how it is possible for him to see it unless it is Organization level, or unless his BU is higher than Product HQ and we give parent-child.

  2. Finding the time and actual effort to create a superb article like this is great thing. I’ll learn many new stuff right here! Good luck for the next post buddy.

    I will bookmark your site and check again here often. I’m quite sure :)

    Thanks
    ERP Software Dubai

  3. I thought this would solve the problems that we have, but my consultant says it will mean the records are owned by a Team, which we can't have due to reporting. So I have 10 countries as separate business units, but 2 of the countries have a department (special sales) that needs to see or maybe own records, but they need to be recorded under 1 or the other BU and owned by a user. Will this 'final solution' work for us, as the screenshots show Owned and owner being BU or Team, not user?? Many thanks in advance for a quick reply :)