Duplicate Detection Security Model

The security model of duplicate detection follows the security flow of MSCRM v4, which is simple and quite intuitive. To create and publish a duplicate detection rule, or to run a duplicate detection job, a user needs certain security privileges, which are provided through his role. All out-of-box security roles can run a duplicate detection job, but enabling/disabling duplicate detection and publishing a duplicate detection rule are privileges provided to a select few. As the duplicate detection process is a collection of a few well-defined tasks, let's take them one at a time and discuss what privileges are needed to perform each task.

1. Privileges needed to create/update duplicate detection rules: A duplicate detection rule, as visible to the user on the UI, is formed from two entities: the duplicate detection rule entity and the duplicate detection rule condition entity. These entities share a parent-child relationship, and hence privileges on the duplicate detection rule entity automatically trickle down to the duplicate detection rule condition entity. Let's look at the create and update operations on a per-case basis.

a. Create a duplicate detection rule with duplicate detection rule conditions
Privileges required: Create, Append, AppendTo on DuplicateDetectionRule

b. Update a duplicate detection rule without updating rule conditions
Privileges required: Write on DuplicateDetectionRule

c. Update an unpublished duplicate detection rule with addition/deletion/update of rule conditions
Privileges required: Write, Create, Delete, Append, AppendTo on DuplicateDetectionRule

d. Update a published duplicate detection rule with addition/deletion/update of rule conditions
Privileges required: Write, Create, Delete, Append, AppendTo, Publish on DuplicateDetectionRule

e. Delete an unpublished duplicate detection rule with its rule conditions
Privileges required: Delete, AppendTo on DuplicateDetectionRule

f. Delete a published duplicate detection rule with its rule conditions
Privileges required: Delete, AppendTo, Publish on DuplicateDetectionRule

Please note that while performing these operations on the UI, the user also needs the Read privilege so that he can view the duplicate detection rule on the UI. To view these privileges, open a role editor form, say the Sales Manager role form as depicted below, and navigate to the Core Records tab.


2. Privilege needed to publish duplicate detection rule: There is a privilege defined in MSCRM called Publish Duplicate Detection Rules, and any person whose security role has this privilege can publish or unpublish duplicate detection rules. But as publishing a duplicate detection rule is an asynchronous job, Read and AppendTo privileges on the System Job entity are also required. The Publish Duplicate Detection Rules privilege is available only to System Administrator and System Customizer among the out-of-box security roles. Please note that merely creating duplicate detection rules is not enough, since these rules remain inactive until they are published. Also keep in mind that publishing or unpublishing any duplicate detection rule affects the whole organization, and hence the Publish Duplicate Detection Rules privilege should be granted only to those roles which are supposed to change organization-wide settings. You can find this privilege under the Core Records tab, in the miscellaneous section of the Security Roles form.


3. Privileges needed to run system wide duplicate detection jobs: Technically, any user can run a system wide duplicate detection job provided that he has the Read privilege on the duplicate detection rules and Read and AppendTo privileges on the System Job entity. But to run the system wide duplicate detection wizard from the UI, the user also needs the Read privilege on the entity for which he wants to run the job. That means if the user doesn't have the Read privilege on the accounts entity, he cannot run system wide duplicate detection on it from the UI, as the wizard will not show that entity name in the entity selection drop-down.

4. Who can view the detected duplicates: All users with the Read privilege on the base and duplicate records and the Read privilege on the System Job entity can view the duplicates. Every user will view the duplicates according to his access level on that entity. For example, if Tim has Basic read access on the Accounts entity and Jack has Global read access, then for a duplicate detection job run by Tim for all the account records in the system, Tim will see the duplicate account records that he owns, but Jack will see the duplicate account records created by all users in the organization and detected in that run.

5. Administrative tasks: Only the system admin can enable or disable organization-wide duplicate detection. The System Administrator can go to Settings > Data Management > Duplicate Detection Settings, where he has the option to enable/disable org-wide duplicate detection, duplicate detection during create/update, duplicate detection during data import, or duplicate detection during Outlook sync. Let me discuss what these individual check box options mean:

a. Enable duplicate detection: This enables duplicate detection rule publish and system wide duplicate detection jobs.

b. When a record is created or updated: This enables run time duplicate detection.

c. When Microsoft Dynamics CRM for Outlook goes from offline to online: This enables duplicate detection in laptop client offline to online synchronization.

d. During data import: This enables the functionality of detecting duplicates during import in Import Data wizard.


This discussion is very useful to system administrators while granting privileges to custom security roles for duplicate detection purposes. Granting or revoking of privileges should be done judiciously so as to prevent users from being blocked from performing their daily activities.
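To check a custom role against the privilege requirements in items 1 to 3 before assigning it, the matrix above can be encoded and compared with what the role actually grants. This is an added example, not code from the original post or from Microsoft: the privilege labels are the page's wording rather than CRM's internal identifiers, the sample roles are constructed, and the entity-level Read needed by the UI wizard in item 3 is not modelled.

```python
# Added example: privilege matrix from items 1-3 of this page.
# Labels are the page's wording, not CRM's internal privilege identifiers.
RULE, JOB = "DuplicateDetectionRule", "SystemJob"

def need(entity, *privs):
    return {(entity, p) for p in privs}

EDIT = ("Write", "Create", "Delete", "Append", "AppendTo")
REQUIRED = {
    "create_rule": need(RULE, "Create", "Append", "AppendTo"),
    "update_rule_only": need(RULE, "Write"),
    "update_unpublished_conditions": need(RULE, *EDIT),
    "update_published_conditions": need(RULE, *EDIT, "Publish"),
    "delete_unpublished": need(RULE, "Delete", "AppendTo"),
    "delete_published": need(RULE, "Delete", "AppendTo", "Publish"),
    "publish_rule": need(RULE, "Publish") | need(JOB, "Read", "AppendTo"),
    "run_system_job": need(RULE, "Read") | need(JOB, "Read", "AppendTo"),
}
# Item 1 operations also need Read on the rule when done through the UI.
UI_READ_OPS = set(REQUIRED) - {"publish_rule", "run_system_job"}
# Out-of-box roles the page names as holding the Publish privilege.
PUBLISH_ROLES = {"System Administrator", "System Customizer"}

def missing(granted, operation, via_ui=True):
    """Privileges still lacking for one operation (empty set = allowed)."""
    required = set(REQUIRED[operation])
    if via_ui and operation in UI_READ_OPS:
        required |= need(RULE, "Read")
    return required - set(granted)

def audit(roles):
    """Per role: allowed operations, blocked ones with gaps, review flag."""
    report = {}
    for name, granted in roles.items():
        gaps = {op: missing(granted, op) for op in REQUIRED}
        report[name] = {
            "allowed": sorted(op for op, gap in gaps.items() if not gap),
            "blocked": {op: sorted(gap) for op, gap in gaps.items() if gap},
            # Publishing affects the whole organization, so flag any other
            # role that holds Publish for review.
            "review": (RULE, "Publish") in granted and name not in PUBLISH_ROLES,
        }
    return report

# Constructed sample roles (hypothetical names and grants).
SAMPLE_ROLES = {
    "Data Steward": need(RULE, "Read", *EDIT, "Publish") | need(JOB, "Read", "AppendTo"),
    "Sales Rep": need(RULE, "Read", "Create", "Append") | need(JOB, "Read"),
}

if __name__ == "__main__":
    for role, result in audit(SAMPLE_ROLES).items():
        print(role, result)
```

The "blocked" entries list exactly which grants to add, which keeps a role to the minimum set for the tasks it is meant to perform.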