Security management is very nice and straightforward in Microsoft Dynamics CRM 2016. In a previous post I wrote about a security report which allows you to see permissions of all users at one place. However I found out one issue which can be little tricky to solve.
Our customer decided to split one department into two departments. The original department (let’s call it Old1) still existed. Customer created two additional departments inside it (let’s call them New1 and New2). So we have created new business units New1 and New2 and we set Old1 and the Parent Business for both of them. We changed Business Units for Users to either New1 or New2. Finally we filled in Manager fields for both the Business Units. We assigned a special security roles to the both managers. This role allows them to see all records created by all persons from the same business unit for one specific entity. Everything looked nice.
But we received an incident that the manager of one of the departments doesn’t see a record of his subsidiary employee. I checked the Business Unit entity. The manager was set as Manager at New1. However, the subsidiary employee was set to New2. I tried to change the Business Unit of the employee to New1 and then to change the manager. But then I saw an error:
The user is not in parent user's business hierarchy.
So the problem was at the Business Unit Manager setting. I fixed it by setting the manager as the New2 Business Unit Manager.
Conclusion: CRM doesn’t check the Business Unit Manager field. You can set there an user from any business unit. However, if you make a mistake you will face similar incident.