Goal Management Security model
Goal Management in Microsoft Dynamics CRM 2011 is an incredibly powerful feature that allows you to set Goals or Targets for Sales/Service personnel and track & drive these targets to actual numbers.
Given that some of the information could be sensitive, Goal Management feature ensures that only specific set of people who need to have access to the relevant information have access to it. Also the Goal rollup feature which aggregates data and credits values/numbers achieved against targets ensures that the right credit is given to the rightful person. Let’s see how these happen in detail.
Goal Owner and Manager Fields
The Goal owner field specifies the person who is responsible for achieving the goal. For Example, a Sales Manager would create a Goal for a Salesperson and set him as the Goal Owner.
The Goal Manager Field is like the record owner field that is present in all other entities. The Goal manager has full permissions on the goal. On a new goal form, the field is pre-populated with person who is creating the goal. For Example, a Sales Manager is the Goal Manager of a Goal that is created by him for a Sales Person who would be the Goal Owner.
As soon as a Goal is created, the Goal record gets shared with the goal owner and he gets Read and AppendTo access rights on that goal. These are the only two access rights granted to him. Whenever this Goal has a parent Goal associated, the Goal Manager of the Parent goal also gets Read access right to this Goal. Normally the Owner of the Parent Goal would be the Manager of the goal under consideration.
Let’s try to understand this with an example. Here is the representation of a Goal tree we intend to create:
Fig 1:
In the Goal tree shown above, Kevin will have full permission on Nancy’s Goal as he is the Goal Manager. Nancy will have Read and AppendTo access rights on the goal and Peter will have just the Read access to it. David will not have access to Nancy’s goal. If Kevin wants Nancy or Peter to be able to edit Nancy’s goal then he will need to explicitly grant those access rights by sharing the record with them.
Impact of Changing Goal Owner, Goal Manager or Parent Goal
Whenever Goal Owner or Goal Manager or Parent of a Goal change, the access rights assigned to various users may get reassigned as required. Let’s see how changing any of these impacts the record sharing model.
Goal Owner Change
Whenever the Goal Owner of a Goal is changed, the Read and AppendTo access rights assigned to the previous goal owner get revoked and same rights are now granted to the new Goal owner. The access rights of the previous owner are not changed if there were any additional access rights given to that user explicitly. In such cases the access rights granted to the user have to be explicitly revoked if required.
Goal Manager Change
Goal manager change is just like any other CRM record reassignment process. The old manager will lose all access to the record and the new manager will gain full access to it. One additional action that happens is that the old manager who had Read access to the child goal now loses that access and the new manager gets those access rights. In the above example (Fig 1) if Manager of Kevin’s Goal changes from Peter to Samuel then Peter will lose the Read access he had on Nancy and David’s goals and Samuel will be granted those access rights. Here again if any additional access rights were assigned to the old goal manager explicitly then those are not revoked automatically and have to be revoked explicitly for the record.
Change of Parent Goal
Whenever a goal is re-parented the Read access granted to the manager of the parent goal is revoked. The manager of the new parent goal will get Read access to the record.
Goal Rollup Security Model
Goal entity has fields in it that indicate the progress made against the goal. Goal rollup is the CRM process that calculates and updates this information. All records that contribute to a Goal’s rolled up values are called Participating Records for the goal. The Participating records for a Goal’s rollup are primarily dependent on the Metric associated and the Rollup Queries added to it. But these have to be determined in some specific user’s context to ensure that records which are even outside of Managers access are not included in rollup even if the metric or rollup queries ignore that aspect. To ensure this, the Microsoft Dynamics CRM rollup engine determines the Participating records in Goal Manager’s Context and uses only those records for calculating the rollup values. Hence the goal rolled up values will not include those records for which the Goal manager does not have access to.
As the goal rollup runs in Managers context, all data that the manager has access to will be used in goal rollup. The goal owner will be able to see this information as the goal is shared with him. In some cases the rolled up data may be an aggregation of even those values on which the Goal Owner does not have access. This can especially happen when the goal rollup is not restricted to the records owned by the goal owner OR if access to the rollup field is restricted for the Goal Owner using Field Level Security. Since Goal owner will be able to see the rolled up values, he will also be able to see the aggregated data of values for which he does not have access. If Goal manager does not want even such aggregated information to be visible to Goal owner then Metric Rollup Fields, Goals and Queries should be setup such that they do not include the restricted information.
Automatic Goal rollups typically happen once a day. Goal Managers can also trigger Goal rollups whenever they want to from within a Goal record by using the Recalculate button available on the Goal form’s Ribbon. Multiple Goal rollup requests submitted using the Recalculate button can load the server. Thus administrators may want to allow only a specific set of people to have the ability to request for Goal rollups at their will. To enable such control on submitting Goal rollup requests, a special access right has been added to CRM called as ‘Perform in sync Rollups on Goals’. Users with a Role having this access right will be able to see the recalculate button on the Goal form’s ribbon while the others will not see it. Here is a screenshot showing the location of the ‘Perform in sync rollups on Goals’ access right.
Fig 2:
Privileges required to Change Goal Manager
Given that goal rollup runs in Goal Managers context, a Goal manager may be concerned that others will create a goal, make him its manager and see the rolled-up values in his context. To address such a concern, assignment of goals has an additional check embedded in it. Assignment of goal not only considers the assigning users access rights on the record but also checks who the other user is, to whom the goal is being assigned.
Let me explain this with an example:
Let’s say Kevin, Peter and Mike are three Sales Managers where Kevin and Peter are in same Business unit and Mike is in another Business Unit. The Out of Box Sales manager role has User level access right on Create and Business Unit (BU) level access right on Assign for Goal entity. Given this, Kevin, Peter and Mike can create goals with only themselves as the Goal Manager.
If Kevin creates a goal with himself as Goal Manager and then tries to assign it to Mike then the record assignment will fail although he is trying to assign his own record. This is because the Goal assignment here not only checks for Kevin’s access on the goal but also checks where in the Organization does Mike stand to whom the goal is being assigned. Since Kevin has BU level assign privilege, he cannot assign the goal to Mike who is outside his BU. He will be able to assign the goal to Peter who is in the same BU.
In cases of other CRM entities, both these assignment actions would have succeeded as the record being assigned is owned by the record owner himself. There may be a need to prevent Kevin from being able to assign goal records even to users in his own BU (In above Example: Kevin should not be able to make Peter as the Goal Manager of a Goal). To do this all that needs to be done is reduce the Assign access right on Goal for his role to User level only.