Understanding security roles in Microsoft Dynamics 365

What are security roles?

Security roles in Dynamics 365 define what users can see and do within the system. They control access to:

• Entities (like Accounts, Contacts, Opportunities)
• Records (individual data entries)
• Features (such as dashboards, reports, and workflows)

Each security role consists of a combination of privileges (actions such as Read, Write, Delete) and access levels (such as User, Business Unit, or Organisation).

Key components of a security role

1. Privileges: These are the rights to perform actions on records or features (e.g. Create, Read, Write, Delete, Append, Assign, Share).

2. Access levels: These determine the scope at which a user can perform the action:

• None: No access
• User: Access to records the user owns or shares
• Business unit: Access to records in the same business unit
• Parent: child business units: Access across the user’s unit and all child units
• Organisation: Full access across the organisation

For example, a Sales Representative might only need ‘User’-level access to opportunities, allowing them to view and manage only their own deals. In contrast, a Sales Manager may require ‘Business unit’ or ‘Parent: child’ access to oversee opportunities across multiple team members. Defining access levels appropriately ensures users can work effectively, without overexposing sensitive data.

3. Tabs
Security roles are structured into tabs such as Core Records, Sales, Marketing, Service, etc., each grouping relevant entities. These tabs help categorise permissions and simplify the process of managing access across different areas of the system.

Managing security roles in Dynamics 365

Assigning roles 

You can assign one or more security roles to a user or team. When multiple roles are assigned, the user’s effective permissions are the combined set (i.e. the union of all roles).

For instance, someone in a hybrid role—such as a Business Development Manager—might need elements of both sales and marketing roles. Rather than creating a brand-new role, you can assign both existing roles, allowing them access to the right functionality without duplication.

Creating custom roles

While Dynamics 365 provides out-of-the-box roles like System Administrator or Salesperson, custom roles are often necessary to reflect your organisation’s specific responsibilities and structures.

As an example, a charity using Dynamics 365 may require a custom ‘Fundraising Volunteer’ role that restricts access to only event-related data and removes visibility of donor financials. This ensures compliance with data policies and avoids overwhelming users with irrelevant functionality.

Applying the least privilege principle

Always apply the principle of least privilege—grant users only the minimum access required to do their job. This minimises risk and helps maintain a cleaner, more secure environment.

A common mistake is assigning the System Administrator role to users who simply need full access to their own business unit. This can unintentionally expose sensitive organisational data and create audit or compliance concerns.

Security role best practices

• Review roles regularly to ensure they reflect current responsibilities and business processes
• Assign roles via teams where possible to simplify access management
• Test changes in a sandbox before applying them in a live environment
• Document each role to provide clarity on its purpose and assigned users

These best practices help maintain a secure, scalable setup as your organisation grows and evolves.

Linking security roles to governance and compliance

Security roles also play a vital role in governance and compliance. A clear security model helps support frameworks like GDPR, ensuring that only authorised users have access to personal or sensitive data. For example, restricting access to donor or customer contact details to specific roles helps prevent data leaks and demonstrates responsible data handling.

This isn’t just a technical safeguard—it builds trust and strengthens your organisation’s reputation.

How Pragmatiq can support your organisation

At Pragmatiq, we work with businesses to design and implement secure, tailored solutions using Microsoft Dynamics 365. Whether you’re setting up a new system or reviewing an existing setup, we help ensure your users have the right level of access—supporting both security and productivity.

Speak to us to learn how we can help you build a secure, outcomes-focused Dynamics 365 environment by calling 01908 038110 or emailing info@pragmatiq.co.uk.