The hierarchy security model is an extension to the existing Microsoft Dynamics 365 security models that use business units, security roles, sharing, and teams. It can be used in conjunction with all other existing security models. The hierarchy security offers a more granular access to records for an organization and helps to bring the maintenance costs down.
Security models for hierarchies:
1. Manager hierarchy:
The Manager hierarchy security model is based on the management chain or direct reporting structure, where the manager’s and the report’s relationship is established by using the Manager field on the system user entity. With this security model, the managers are able to access the data that their reports have access to. They are able to perform work on behalf of their direct reports or access information that needs approval.
With the Manager hierarchy security model, a manager has access to the records owned by the user or by the team that a user is a member of, and to the records that are directly shared with the user or the team that a user is a member of. In addition to the Manager hierarchy security model, a manager must have at least the user level Read privilege on an entity, to see the reports’ data. For example, if a manager doesn’t have the Read access to the Case entity, the manager won’t be able to see the cases that their reports have access to.
For a non-direct report, a manager has the Read-only access to the report’s data. For a direct report, the manager has the Read, Write, Update, Append, AppendTo access to the report’s data. If a direct report has deeper security access to an entity than their manager, the manager may not able to see all the records that the direct report has access to.
2. Position hierarchy:
An administrator will define various job positions in the organization and arrange them in the Position hierarchy. Then, he can add users to any given position. A user can be tagged only with one position in a given hierarchy; however, a position can be used for multiple users. Users at the higher positions in the hierarchy have access to the data of the users at the lower positions, in the direct ancestor path. The direct higher positions have Read, Write, Update, Append, AppendTo access to the lower positions’ data in the direct ancestor path. The non-direct higher positions, have Read-only access to the lower positions’ data in the direct ancestor path.
With the Position hierarchy security, a user at a higher position has access to the records owned by a lower position user or by the team that a user is a member of, and to the records that are directly shared to the user or the team that a user is a member of.
In addition to the Position hierarchy security model, the users at a higher level must have at least the user level Read privilege on an entity to see the records that the users at the lower positions have access to.
Set up hierarchy security:
1. Go to Settings > Security.
2. Choose Hierarchy security and select Enable Hierarchy Modeling.
3. Choose the specific model by selecting the Manager Hierarchy or Custom Position Hierarchy.
4. Set the Depth to a desired value.
5. To setup Manager hierarchy use the Manager (ParentsystemuserID) lookup field to specify the manager of the user.
6. To setup Position hierarchy:
a. Go to Settings > Security.
b. Choose Positions.
c. For each position, provide the name of the position, the parent of the position, and the description.
d. Add users to this position by using the lookup field called Users in this position.