Field Level Security in Microsoft Dynamics CRM


Field Level Security in Microsoft Dynamics CRM allows you to expand your security model beyond entities to include specific fields. However, you cannot secure fields as part of your typical security role setup. It’s a completely separate process.

In Dynamics CRM 2011 and CRM 2013, you can secure only custom fields; Dynamics CRM 2015 added the ability to use field level security for default system fields as well. Setting up field security is a two-part process:

  1. Enable your field for Field Security
  2. Set up a Field Security Profile to define the privileges granted to your user(s) and/or team(s)

Security Profiles can be configured to grant a combination of the following 3 permissions at the field level:

  • Read (read-only access to field data)
  • Create (users or teams can add data to this field when creating a record)
  • Update (users or teams can update the field’s data after it has been created)

Let’s walk through enabling field level security and creating a new field security profile. The business requirement for our example will be an organization that doesn’t want certain users to be able to Create or Update the Account Number field.

How to Enable Field Level Security for a Field:

  1. Create a new field for your entity OR open an existing field.
  2. Select Enabled next to Field Security.
  3. Publish your customizations.
  4. Add your new field to your entity form if needed (note the Key icon to designate the field is secured).

Next, you’ll need to create a new field security profile to define your field’s security settings.

How to Create a Field Security Profile:

  1. Make sure you have the System Administrator security role or equivalent permissions.
  2. Go to Settings > Security
  3. Choose Field Security Profiles.

Note: You can also add Field Security Profiles to a solution if you need to export and import them later.


Your system will already include a default System Administrator Field Security Profile which automatically grants Read, Update and Create permission to all fields enabled for field security. You cannot delete or modify this security profile.

  1. Click on New to create a new Field Security Profile.
  2. Enter a name and a description (optional) and choose Save.
  3. Under Common, choose Field Permissions.

     Note: Every Field Security Profile will list ALL fields for which field security is enabled, and every new field will default to No for all privileges.

  4. Select a field, and then choose Edit.
  5. Select the permissions that you want to assign to users or teams, and then choose OK. In our case, we want the group of users to be able to Read the Account Number, but not Update or Create it.
  6. To add users or teams:
    1. Under Members, choose Teams or Users.
    2. On the command bar, choose Add.
    3. In the Look Up Records dialog box, select the user(s) or team(s) which should have the security settings applied for the field and then choose Select.
    4. Repeat the preceding steps if you’d like to add multiple teams or users, and then choose Add.

Field Security Considerations:

  • Every field enabled for field level security is added to all field level security profiles with Read, Create and Update all set to No by default
  • System Administrators have all privileges on all field level security fields
  • Users and Teams can be added to multiple field level security profiles
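
The considerations above can be checked against an export of your profiles. The following Python sketch is an added example, not code from the original post or from Microsoft: it models the default-No rule, the System Administrator profile and multi-profile membership on constructed data, then flags users who hold Create or Update on the Account Number field. The profile layout, user and team names are hypothetical, the System Administrator profile is simplified to an explicit user list, and it assumes that grants from several profiles combine cumulatively.

```python
# Added example: models the rules listed above on constructed data.
PRIVS = ("read", "create", "update")

def effective_permissions(user, profiles, team_members, secured_fields):
    """Return {field: set of privileges} for one user.

    Assumption: membership in several profiles is cumulative (union of grants).
    """
    result = {f: set() for f in secured_fields}  # every privilege defaults to No
    for profile in profiles:
        via_team = any(user in team_members.get(t, ()) for t in profile.get("teams", ()))
        if user not in profile.get("users", ()) and not via_team:
            continue  # user is not a member of this profile
        for field in secured_fields:
            if profile.get("system_administrator"):
                result[field] |= set(PRIVS)  # built-in profile grants everything
            else:
                result[field] |= set(profile.get("grants", {}).get(field, ()))
    return result

def audit(users, profiles, team_members, secured_fields, field, forbidden):
    """List (user, privilege) pairs where a user holds a forbidden privilege on field."""
    findings = []
    for user in users:
        held = effective_permissions(user, profiles, team_members, secured_fields)[field]
        findings += [(user, p) for p in PRIVS if p in forbidden and p in held]
    return findings

def display_value(user_perms, field, value):
    """What the form shows: the value is masked when Read is not granted."""
    return value if "read" in user_perms[field] else "*****"

# Constructed sample data (hypothetical names, not from a real organization).
SECURED = ["account.accountnumber"]
TEAMS = {"Sales": ["alice", "bob"]}
PROFILES = [
    {"name": "System Administrator", "system_administrator": True, "users": ["admin"]},
    {"name": "Account Number Read Only", "teams": ["Sales"],
     "grants": {"account.accountnumber": ["read"]}},
    {"name": "Data Stewards", "users": ["bob"],
     "grants": {"account.accountnumber": ["read", "update"]}},
]

if __name__ == "__main__":
    print(audit(["alice", "bob", "carol"], PROFILES, TEAMS, SECURED,
                "account.accountnumber", {"create", "update"}))
```

In the sample data, bob reaches Update through a second profile even though his team's profile is read-only, which is the kind of overlap worth reviewing whenever users sit in more than one profile.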

Once you have set your field security, users who do not have Read permission for the field will see the field itself, but will only see “*****” instead of the data. If you have any questions about field level security in Dynamics CRM, don’t hesitate to reach out to Encore’s CRM team.
