Field Level Security in Dynamics 365

Security should be one of your topmost priorities when you are making the shift towards a cloud-based solution. The Dynamics 365 CRM sure makes it a priority to take care of all your security concerns with robust security features. Along with strong access control mechanisms, Dynamics 365 provides highly granular levels of security such as role-based security, record-level security, and field-level security.

Here is a brief write-up on how the field-level security in Dynamics 365 works and how best you can leverage it to secure your data.

What Is Field Level Security in Dynamics 365?

The Dynamics 365 field level security deals with the security options for each data field in your application. You can define and use field-level security profiles to control the access to each type of data field and assign the data access privileges and permissions to a user role accordingly. The data fields can be made accessible only to the user or teams who have permission to do so as defined by their field-level security role.

You can enable field-level security for both the default system fields as well as custom fields.  It is presented as a two-option setting under the data field schema. You can either disable or enable field security by choosing any of the two options and then grant the relevant permissions to the field security profiles.

Which Fields Can Have A Security Level in Dynamics 365?

As mentioned earlier, default fields, custom fields on out-of-box entities, and custom fields on custom entities can have a security level enabled. The permission to allow field-level security lies with the system administrator.

There are specific system attributes like IDs, timestamps, and record tracking attributes that cannot be enabled for field-level security.

Field level security, once enabled, applies to all data access requests across the various other applications used organization-wide such as:

• Data access requests coming from external applications like web browser apps, Outlook email app or mobile client application.
• Web API service calls that use the Microsoft Dataverse web services may be used as part of plugins and custom code.
• Views and reports.

Authorizations Needed to Activate Field Level Security in Dynamics 365

To enable field security for any data field, you must have administrative rights and privileges. The steps to enable and activate a field security level are explained below.

Enable Field Security on Field for A Given Entity

• Access the data field schema that you need to enable field security. Select the option Enable under the Field Security Setting.
• Save your customizations and Publish.
• You can also add the new field to your entity form if required. When you do so, you can see a key icon appearing next to the data field indicating that the field is security enabled.
• Grant permissions to the field-level security profiles. To do so, go to Field security Profiles under the Security You can choose from existing security profiles or create your own custom profiles to grant the field-level security permissions.

Steps to Create Security Profiles

• Go to Settings -> Security -> Field Security Profiles and click
• Note: By default, every system will have a system administrator security role with all access permissions granted (read, update, create). You cannot edit or delete this admin security role.
• Give a name and description for the new security role created.
• To grant permissions, go to the Field Permissions tab under the common section and define the permissions for the fields you previously enabled field-level security option.
• By default, all permissions will be set to NO. You will have to modify it to the required permission. Select a field, choose Edit, and set the value to Yes or No under the corresponding access permission.
• After making the permission changes, save all the settings and close.
• Add teams and users to the role by clicking on Teams and Users under the Members Once added, you can see the user/ team entries in the user/team’s tab, respectively. You can use the Look Up Records dialog box to search for and select the users and teams you want to assign this particular security role.

Determining the Security Profile

In general, permissions can be granted as a combination of the following three permissions at the field level.

• Read – Allows the user with the security profile assigned only to have read-only access. The user can only view the field data and cannot make any modifications to it. Users who do not have read access to a particular data field will only get to see series of * strings in place of the actual value like ‘****’.
• Create – Allows the user to add value to the data field when creating a new record.
• Update – Allows users to make modifications and update the data field’s value after it has been created.

How to Configure Field Level Security in Dynamics 365 For A Specific Data Field?

Before proceeding to create security roles and defining field-level security access in Dynamics 365, understand that:

• Every field enabled with field-level security will have all the access permissions set to No by default. You will have to customize it as per your needs.
• System admin roles and the users assigned with this role will have all privileges and permissions on data fields regardless of whether it is security enabled.
• You can add users and teams to multiple field-level security profiles.

Understand the relevance of each data field and assign the security permissions accordingly. For instance, consider the data field, Customer Mobile Phone number. For this data field, entry-level users like salespeople should not be given access to create or update the value. Sales managers can only be given read access, with restrictions on updating or creating new contact information. Only admin-level users like Vice Presidents or Department Managers should be given full data access to create, view, and update the mobile phone number.

Do make sure to follow the best practices when defining your field-level security in Dynamics 365. For instance, when you use derivative fields like total sales, which will hold a calculated value, you need to enable security for both the original field and the calculated field.

And in some cases, when the data is composed of multiple fields, you must appropriately configure each part of the data. For instance, customer address fields can be split into multiple data fields for the city, street, and door number. You can make the finer details like street and door number security enabled with stricter access control leaving the city field to have read-only access. Or you can choose the secure all the relevant fields to ensure proper security implementation.

Conclusion

Defining field-level security in Dynamics 365 requires an adequate level of expertise in security practices as well as a proper understanding of your organizational hierarchy and business processes.

It can be overwhelming as security is a critical part of your Dynamics 365 implementations. You must be cautious so as not to leave any of your sensitive data unprotected. Make fair use of the field-level security provided and seek expert guidance from our qualified consultants. Call us today on any queries you have with field-level security in Dynamics 365.

‍