In my previous blog I wrote about restricting access to Microsoft Dynamics CRM Online using the Non-Interactive User Access Mode. This mode restricts users from connecting to and interacting with Microsoft Dynamics using either the Microsoft Dynamics CRM Web Client or the Microsoft Dynamics CRM for Outlook Client.
In certain integrations, in addition to using a dedicated Non-Interactive Microsoft Dynamics CRM Online User Account, it is best practice to use a dedicated Microsoft Dynamics CRM Security Role with the least number and the minimum level of privileges required to perform the tasks requested by the integration. This may or may not include the ability to create, read, update, append/append to, assign, share, activate/deactivate and/or delete records of specific types.
In this blog I will provide a list of the minimum privileges required by a Non-Interactive Microsoft Dynamics CRM Online User to:
(a) connect to Microsoft Dynamics CRM.
(b) create, read, update and assign Accounts and Contacts.
(c) read Accounts and Contacts.
Note: Additional privileges and higher access levels may be required for completing the initial configuration of an integration between Microsoft Dynamics CRM and another system. However, a fewer number of privileges and lower access levels may then be used after the initial configuration is completed.
The minimum privileges required to successfully test a connection to Microsoft Dynamics CRM Online as a Non-Interactive User are: Organisation: Read and User: Read. In addition User Settings: Read may sometimes be required.
When creating a new Security Role in Microsoft Dynamics CRM the following Plug-In and SDK Message related privileges are selected by default. These should be retained.
Note: If there are any asynchronous Plugins triggered by actions performed on records then the System Job: Create and Read privileges will be required.
If the Created On dates on which records are being created need to be overridden then the Override Created on or Created by for Records during Data Import privilege will be required.
The minimum privileges required for the creation of Accounts and Contacts that may:
(a) need to be related to each other such as an Account being associated with a Primary Contact and a Contact being associated with a Parent Account.
(b) need to be assigned to specified Users or Teams
are…• Account: Create, Read, Write, Append, Append To and Assign; and Contact: Create, Read, Write, Append, Append To and Assign.
• Business Unit: Read and Currency: Read.
• Team: Read and User: Read.
Some other privileges to consider are:• Accounts and Contacts are sometimes associated with an Originating Lead. It may therefore be necessary to ensure that the Security Role provides the required Read and Append To privileges for Leads. Create and Write privileges for Leads may also be required in some cases, depending on the nature of the integration.
For one-way integrations from Microsoft Dynamics CRM to another system only the Read privilege is required, in which case the minimum security required is as follows:• Account: Read; and Contact: Read.
• Business Unit: Read; Currency: Read; Organisation: Read; Team: Read; User: Read; and User Settings: Read.
• Field: Read.
In conclusion, the best practices for minimising the access a Microsoft Dynamics CRM User account used for integration between Microsoft Dynamics CRM and another system include the following:• Use a dedicated Microsoft Dynamics CRM User Account.