Dynamics 365 is a robust platform with a proven track record spanning more than 10 years. The most attractive attributes of the product are all the features you get straight out of the box. Most of these features are complex and time consuming to implement if they were to be written from scratch on a bespoke application. The security model is at the top of the list of great features.

The security model in Dynamics 365 is comprehensive and capable of addressing a wide range of security requirements. From coarse grain access to instances using Office 365 security groups, to simple CRUD privileges, to field-level security, the authorization model has evolved over the years to cater for more granularity.

It is paramount to have a solid grasp of the fundamental security building blocks offered by the product. This will help you make educated decisions when modeling security. At the core of the Dynamics 365 security controls are security roles. The security roles provide per entity granular privileges based on record ownership. Privileges can also be set at different levels, as described here:

• None: No access
• User: Only the owner has the privilege (user or team)
• Business Unit: The user has the privilege to all records (of that entity) owned by users or teams at the same business unit
• Parent: Child Business Unit: Users have the privilege to all records (of that entity) owned by users or teams at their business unit and all child business units
• Organization: The user has the privilege to all records (of that entity)

In addition to security roles, Dynamics 365 offers team sharing, ad-hoc sharing, field-level security, and Access Teams. We will cover most of these in this chapter.

Each security modeling technique has implications on flexibility and performance. For more details on scalability, read the white paper Scalable Security Modeling with Microsoft Dynamics CRM 2015 at https://technet.microsoft.com/en-us/library/dn683914(v=crm.7).aspx.