Team membership and access permissions – how are they related?

By | April 14, 2021

When we have a team and a bunch of users added to the team, would you expect every user to have access to whatever another user has access to? Since, after all, they are all team members, so should not they be sharing the data?

Basically, what if we have the following set up:


Is that “Other User” going to be able to see the email assigned to the “Owner” assuming both users are members of the same team?

The answer is not that straightforward, since what happens next depends on the security roles assigned to the users and to the team.

If the team does not have any roles assigned to it, and if “Other User” can’t see that email normally, then, by adding both users to the same team, we are not, really, changing security permissions of the “Other User”. Which means “Other User” still can’t see the email assigned to the “Owner”.

Now let’s look at the access levels in CDS:


If we created a security role and set it up to that it would have “business unit”, “parent…”, or “organization” access level to the activities (and assuming both users are in the same BU), then, by assigning that role directly to the “Other User” we would grant that user access to the email above.

We could do the same by assigning that role to the team instead, since the user would inherit permissions from the team.

But, so far, all we’ve done – we’ve shared all emails in the business unit and/or in the organization with the members of that team (or with the user directly).

What if we only wanted to share “Owner” user emails with the “Other User”? Would it be doable without resorting to the sharing/access teams?

The way owner security is designed is that the system will be looking at who owns the record, and, then, it would be validating user access by looking at that user’s permissions. Such permissions can either be given to the user directly (through a security role), or they can be inherited from a team.

But, in either case, there will be a record owner, and there will be a user trying to access that record, and that’s what the system will be looking at. They are both on the same team? It does not matter.

To illustrate this behavior, let’s create a security role that has “user-level” access to the activities:


This security role has now been assigned to the team below:


And there are a couple of users in that team. I am still a System Admin, so, when looking at the phone calls in the system, I can see a phone call assigned to the System Account:


So what if I stopped being a System Admin? There are no other roles assigned to me(except for the Customer Service app access and a custom “support user” role which will allow me to promote myself to an admin again), so I’d only have access to the activities through the role inherited from the team. Am I going to see that phone call assigned to my team member?

Just as expected, it’s not there:


But we are not done yet. What if that phone call were assigned to the team instead?

That is a different scenario now. As a member of the team, I can still see that record:


Basically, the ownership is sort of extended from the team to the team members (from the access perspective), but it’s not passed from one team member to the other.

That’s just something to keep in mind when setting up the security model – hope this helps!

Leave a Reply

Your email address will not be published. Required fields are marked *