Finding Balance in your Microsoft Dynamics CRM 2011 Security Model


I recently had the privilege of co-authoring a book about Microsoft Dynamics CRM, called The CRM Field Guide, with some of my fellow Microsoft MVPs. The book includes the foundational knowledge that CRM power users need, along with best practices to get the most out of CRM and avoid common mistakes.

This 945-page book is your ultimate CRM guide, and both e-book and paper versions can be ordered now from or from Amazon.


The following is an excerpt from my chapter about CRM security:

Any discussion of security should begin not with the “what” of security, but the “why.” When deploying Microsoft Dynamics CRM, it is important to not make assumptions about what security should look like, either based on what security is in legacy systems or out of unwarranted fear. Rather, you should examine each entity of your CRM system and try to find the right balance between user access and system security.

The ideal security strategy is one in which your important system data is secure, but users don't feel it.

When implementing CRM, you have to balance two concerns. The first is data and system security. Your data drives your business: your customers, your orders, and the contact information for key business contacts are items that you don't want to fall into the hands of a competitor. The second is system usability and user adoption. One of the main reasons for implementing Microsoft Dynamics CRM is to increase visibility and sharing of business data between groups and to eliminate data silos in your organization. By giving visibility to contacts and accounts across your organization, teams can effectively collaborate rather than compete, and you ensure that you have one version of the truth when it comes to master contact and account information.

If you go too far in either direction, you risk failure of your CRM implementation. If you are too lax in your security, users can change data that they should not be able to change, polluting the single version of the truth, and creating a perception that the data in the system is not reliable. If you are too stringent in your security and lock everyone down so users can only see a small subset of the records in the system, you diminish the value of Microsoft Dynamics CRM as a collaboration tool, and by design revert to the old data silos, just in a different location.

An advertising company found that their overly stringent security design had serious implications for their CRM success. They had multiple divisions selling advertising, and they were originally concerned that these sales groups would try to steal business from the other departments in the company. So when they rolled out CRM, they took a very restrictive approach, only letting sales representatives see companies that were assigned to them.

After using CRM for five years, they found that their original security design was actually reinforcing behaviors that were contrary to the greater goals of the company. Since sales representatives had no visibility outside of their pool of customers, cross-sales opportunities were impossible. The classified advertising sales representative would often run into a sales representative from another department when entering the lobby of a client. Had these sales representatives had visibility into the other departments’ involvement with the client, they could have collaborated, created packaged offerings that were better for the client, and increased the total amount of revenue to the company.

Another negative impact of this approach was on data quality. Since sales representatives had no visibility to companies or contacts outside of those assigned to them, they would frequently enter new contacts that they met at trade shows, unaware that these people were already contacts in the CRM system assigned to another sales representative.

In some industries, security strategy is dictated by regulatory concerns. In financial services, for example, regulations prevent sharing of certain types of business information between divisions of large companies. In Europe, comprehensive privacy laws require stringent controls over access to clients’ personal data. Of course, you want to ensure that your security strategy meets all relevant regulations. In other areas, you will want to determine a security strategy for your CRM implementation that balances common-sense controls with maximum usability.

Post by: Joel Lindstrom, Customer Effective
