We are all familiar with the record privileges in Dynamics CRM. User-owned entities have 5 access levels (None, User, Business Unit, Parent: Child Business Units, Organization) while organization-owned entities have only two of those (Go/No Go). Then there are miscellaneous privileges, and the training documentation states that (highlight is mine):
Each Security Role also includes miscellaneous privileges that relate to application features, such as Print, Merge, Export to Excel and Go Offline. These privileges have only two levels that represent an on or off setting because these privileges do not relate to records, they apply to features globally.
That’s where it gets interesting, because some of the miscellaneous privileges can have more than two levels. This opens up additional opportunities to fine-tune the security of your CRM implementation. For example, consider the Send Email as Another User privilege.
The level can be set to Business Unit, Parent: Child Business Unit or Organization (naturally, a user always has the ability to send as themselves). For example, managers can have the ability to send on behalf of users in their Business Unit only, while the CTO can be allowed to pretend to be just about anybody in the system.
Other interesting privileges include the ability to override product pricing on quotes, invoices, etc. For example, you can allow a user to override product pricing on their own quotes, but not on anyone else’s.
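The access-level rules for Send Email as Another User described above, modelled as an added example (this is not code from Dynamics CRM or from this post). The business units, user names and function names are constructed for illustration; listing who each level can reach is a quick way to review how much impersonation a role grants.

```python
from enum import IntEnum

class Depth(IntEnum):
    """Access levels named in the post (numeric values are illustrative only)."""
    NONE = 0
    BUSINESS_UNIT = 1
    PARENT_CHILD = 2
    ORGANIZATION = 3

# Constructed sample hierarchy: business unit -> parent (None marks the root).
BU_PARENT = {"HQ": None, "Sales": "HQ", "Sales-EMEA": "Sales", "Support": "HQ"}
# Constructed sample users -> the business unit they belong to.
USER_BU = {"cto": "HQ", "sales_mgr": "Sales", "sales_rep": "Sales",
           "emea_rep": "Sales-EMEA", "support_rep": "Support"}

def is_same_or_descendant(bu, ancestor):
    """True if `bu` is `ancestor` or sits somewhere below it."""
    seen = set()  # guards against a malformed (cyclic) hierarchy
    while bu is not None and bu not in seen:
        if bu == ancestor:
            return True
        seen.add(bu)
        bu = BU_PARENT.get(bu)
    return False

def can_send_as(sender, target, depth):
    """Decide whether `sender` may send email as `target` at the given level."""
    if sender == target:
        return True  # a user can always send as themselves
    sender_bu, target_bu = USER_BU[sender], USER_BU[target]
    if depth == Depth.ORGANIZATION:
        return True
    if depth == Depth.PARENT_CHILD:
        return is_same_or_descendant(target_bu, sender_bu)
    if depth == Depth.BUSINESS_UNIT:
        return target_bu == sender_bu
    return False

def reachable_targets(sender, depth):
    """Everyone other than `sender` that the level lets them impersonate."""
    return sorted(u for u in USER_BU
                  if u != sender and can_send_as(sender, u, depth))

if __name__ == "__main__":
    for level in Depth:
        print(level.name, reachable_targets("sales_mgr", level))
```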
The full list of miscellaneous privileges that can have multiple access levels:
| Tab in role editor | Privileges with multiple access levels |
|---|---|
| Core | Publish Duplicate Detection Rules |
| Marketing | Configure Internet Marketing module |
| | Use internet marketing module |
| Sales | Override Invoice Pricing |
| | Override Opportunity Pricing |
| | Override Order Pricing |
| | Override Quote Pricing |
| Business Management | Assign manager for a user |
| | Send Email as Another User |
| | Approve Email Addresses for Users or Queues |
| | Assign Territory to User |
| | Enable or Disable User |
| Customization | Activate Real-time Processes |