rdracer58
asked on
Dynamics CRM 4.0 and Human Resources Data Permissions Scheme
We are investigating the potential for using our current Microsoft Dynamics CRM 4.0 system to track human resources data for our business, including sensitive employee files that only the two HR user accounts should be able to access. What would be the best way to ensure that the HR data can only be read by the two HR user accounts?
Would it be possible to restrict administrator account access to this data as well? We have four user accounts with "System Administrator" privileges at the organizational level and nobody, including administrators, should be able to see said data except the two designated HR users.
Would it be possible to restrict administrator account access to this data as well? We have four user accounts with "System Administrator" privileges at the organizational level and nobody, including administrators, should be able to see said data except the two designated HR users.
ASKER
I am assuming with a custom entity that one with an administrator role, as aforemenioned, could not necessarily see the data, but could easily grant themselves the permissions to see the data?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
As an addendum, if they ARE IT staff, do they have access to OTHER HR files on the network based on those credentials?
Some HR people are protective of the "File Cabinet ONLY" mentality and likely that is a good thing....until they lose the key :)
Some HR people are protective of the "File Cabinet ONLY" mentality and likely that is a good thing....until they lose the key :)
ASKER
Good point--I think the conversation between IT and Management is one that we need to have--especially since IT has similar "access" to other HR related information on the network. Thanks for your help!
You could COPY the System Administrator Role and play with the settings to eliminate the ability to address some of that data, but again, if they can control settings they can create a new account or something similar).
Same with a Administrative Licensed System Admin (they can't see Data, but could create an account that could).
If you want this data in CRM, I would highly suggest a custom entity (as the ability to limit access is easier).