Make a user in CRM ‘Joining More than 1 Business Unit’, enabling Users to See outside their Parent-BU Child Cluster Group records
Hi friends, as we know that Dynamics CRM can support the security access very well, it has the ownership feature, that is based on combination of Business Unit hierarchy and Security Role. But there is always limitation, such as, one User cannot be assigned to more than one Business Unit.
And the security role privileges are so strict, right if you have designed Parent-Child user access level, then the user inside cannot see records owned by other BU outside their parent-child cluster, so, the way is either you assign the Organization level or using Sharing, but the idea using sharing is can make the structure little bit unstructured, not easy to track shared/unshared records in single view unless we create a report or do advanced SQL Query.
I write this blog just because I have a case, that I am pretty sure this could be one of your experience in your CRM-ing journey.
So, here is my scenario that lead me into this idea.
Which applicable rule is very common requirement in Sales that each BU cannot do intervention each other, but they can see the records within their BU for collaboration. So, using this CRM Security Role, I can easily fulfill this by either provide the Business Unit Level or Parent Business Unit level privilege.
So, in CRM I have these Business Units
The Product HQ Team is a stand-alone Business Unit, not a Sales-related, it is purely doing RnD and Product Management, but it supports all Regional Sales, so, once it has Record, example Potential Customer known by one of the Product Manager, or a Product related record that supports Sales, the Regional Sales should be able to View it.
So, I get an example, the User from West, Shawn Owen is a salesperson and Michael Lee is from Product HQ.
Once, Michael created a new Account, Shawn, should be able to view it, because the Organization needs him to follow up, it is not Michaeljob.
We also have a Regional Manager sitting in the Region area, which is correct. And Product HQ is a separated Business Unit without intervention.
All records:
We know that when Shawn Owen is online and log in (see the top right logged in username), he will only see his own records and his WESTBusiness Unit teammate records.
And when Michael Lee login
Yes, they cannot see each other, which is correct for first rule, but we have another requirement to let the Regional users to see Product HQ newly created Account.
So, expected, once Shawn Owen is online, he will see other 2 records owned by “Product HQ”.
So, I share the record to Shawn and West
Now, Shawn Owen is online and log in, he will be able to see the record that just now I share
But, it is troublesome and every record must be shared, or you can do programmatically which is easy, this is one of the workaround as well.
Now I only share 1 record, I need to share another 1 record to make all those two records owned by Product HQ to be viewed by Shawn Owen.
This is not what I want to share in this article, so just get a new idea utilizing the concept of User, Team, and Business Unit.
Shawn Owen wants to see the record owned by Product HQ, as we know that all Business Unit in CRM always has a Default Team, and we have a concept that every user will join that default Team, so if we want to make a user to have “virtually” joining two different Business Units, then we need to make him joining the teams, but we cannot make a Users to manually joining the Default Business Unit Team in CRM.
So, come out an idea that we need to create our Custom Team manually.
I create the Team and assign the Business Unit to the Product HQ, a Business Unit that I want the user to see the BU owned records.
Then, as part of my experiement, one of the users from Sales, I need to make him joining the team.
Then, it is not enough, I need to assign the Security Role to the team.
With Security Role detail:
Note:
And this is very important, you need to assign a Security Role to team with Business Unit access as well, eventhough YOU HAVE ASSIGNED THE PRIVILEGE TO THE USER SECURITY ROLE, it is not enough, if you want to play with Team concept of ownership!!
And now in Shawn perspective
He now is joining two Team
And, now see the result once he login….
As we can see once SHAWN OWEN from WEST login, he can see records owned by his Team (WEST) and also by Product HQ(eventhought Shawn is not part of Product HQ Business Unit).
He is virtually joining the Product HQ Business Unit, so long the records are owned by Product HQ Default Team or Product HQ Custom Team and the Team has Business Unit access, User access is not enough!
And the security role privileges are so strict, right if you have designed Parent-Child user access level, then the user inside cannot see records owned by other BU outside their parent-child cluster, so, the way is either you assign the Organization level or using Sharing, but the idea using sharing is can make the structure little bit unstructured, not easy to track shared/unshared records in single view unless we create a report or do advanced SQL Query.
I write this blog just because I have a case, that I am pretty sure this could be one of your experience in your CRM-ing journey.
So, here is my scenario that lead me into this idea.
The Scenario
Understand the Business Unit Hierarchy
Imagine, I have this hierarchy
Which applicable rule is very common requirement in Sales that each BU cannot do intervention each other, but they can see the records within their BU for collaboration. So, using this CRM Security Role, I can easily fulfill this by either provide the Business Unit Level or Parent Business Unit level privilege.
So, in CRM I have these Business Units
CRM Busines Unit Records
Now, Understand the Users
In CRM, I would have this list of Users
Come to The Another More Complex Rule
Now, I have another requirement:The Product HQ Team is a stand-alone Business Unit, not a Sales-related, it is purely doing RnD and Product Management, but it supports all Regional Sales, so, once it has Record, example Potential Customer known by one of the Product Manager, or a Product related record that supports Sales, the Regional Sales should be able to View it.
So, I get an example, the User from West, Shawn Owen is a salesperson and Michael Lee is from Product HQ.
Once, Michael created a new Account, Shawn, should be able to view it, because the Organization needs him to follow up, it is not Michaeljob.
What’s Happening
Now, we already implemented a Security Roles that each Users are assigned to the Regional Business Unit with access = Parent-Child Level at max to prevent seeing each other record.We also have a Regional Manager sitting in the Region area, which is correct. And Product HQ is a separated Business Unit without intervention.
All records:
We know that when Shawn Owen is online and log in (see the top right logged in username), he will only see his own records and his WESTBusiness Unit teammate records.
And when Michael Lee login
Yes, they cannot see each other, which is correct for first rule, but we have another requirement to let the Regional users to see Product HQ newly created Account.
So, expected, once Shawn Owen is online, he will see other 2 records owned by “Product HQ”.
The Workaround
What we can do without tweaking is by let Product HQ user as owner, sharing the records to the Regional BU Teams or individual Users.So, I share the record to Shawn and West
Now, Shawn Owen is online and log in, he will be able to see the record that just now I share
But, it is troublesome and every record must be shared, or you can do programmatically which is easy, this is one of the workaround as well.
Now I only share 1 record, I need to share another 1 record to make all those two records owned by Product HQ to be viewed by Shawn Owen.
This is not what I want to share in this article, so just get a new idea utilizing the concept of User, Team, and Business Unit.
The Final Solution
We know that we cannot grant Organization access to the Sales users nor can assign Shawn Owen in two different Business Units, so here is the solution.Shawn Owen wants to see the record owned by Product HQ, as we know that all Business Unit in CRM always has a Default Team, and we have a concept that every user will join that default Team, so if we want to make a user to have “virtually” joining two different Business Units, then we need to make him joining the teams, but we cannot make a Users to manually joining the Default Business Unit Team in CRM.
So, come out an idea that we need to create our Custom Team manually.
I create the Team and assign the Business Unit to the Product HQ, a Business Unit that I want the user to see the BU owned records.
Then, as part of my experiement, one of the users from Sales, I need to make him joining the team.
Then, it is not enough, I need to assign the Security Role to the team.
With Security Role detail:
Note:
And this is very important, you need to assign a Security Role to team with Business Unit access as well, eventhough YOU HAVE ASSIGNED THE PRIVILEGE TO THE USER SECURITY ROLE, it is not enough, if you want to play with Team concept of ownership!!
And now in Shawn perspective
He now is joining two Team
And, now see the result once he login….
The Result
As we can see once SHAWN OWEN from WEST login, he can see records owned by his Team (WEST) and also by Product HQ(eventhought Shawn is not part of Product HQ Business Unit).
He is virtually joining the Product HQ Business Unit, so long the records are owned by Product HQ Default Team or Product HQ Custom Team and the Team has Business Unit access, User access is not enough!
