Related sites:

Newsletter: Perspectives on Power Platform

Company: Niiranen Advisory Oy

Activity Feeds and user rights: who can see what?

Activity Feeds are a channel that’s much like Twitter: creating posts that are visible for other users who are following you. On the surface they share many of the same concepts (mentions, following, replies/comments), but there are some notable differences that may come as a surprise to a user who’s accustomed to the open communication taking place on the external social networks. This is especially apparent in a CRM organization that has a hierarchical structure of business units and is limiting the visibility of core records such as accounts across the BU’s.

Let’s assume that we have a CRM deployment with multiple BU’s that form a hierarchy of a single parent (the top level BU) and multiple child business units. In our example the child level is represented by two country specific BU’s: Finland and France. There’s a user called Jukka in Finland and another user by the name of Teppo in France (OK, not exactly a typical French name, but we’re actually dealing with a Finnish expat here in this case). They are both using CRM to manage accounts and opportunities in their own business units but do not have visibility to any other BU’s data. Nevertheless, we’d like to leverage the Dynamics CRM Activity Feeds as a channel for sharing insights and connecting across BU borders, to make the most of the human capital and knowledge available within our global organization.

If Teppo from France is looking for new users to follow, he will need to fire up Advanced Find and perform a search of the user records available in the CRM organization (this is the first thing you need to provide clear instructions on, as it’s not quite as intuitive as on Twitter). Unless the default security roles have been adjusted in terms of the User entity, he will be able to see a list of users from all business units. Also the follow buttons on the ribbon of the results view will be active, so Teppo selects a few users from outside his own business unit, as he’s eager to learn about what information they might be sharing on the common CRM platform. However, if he’s paying close attention to the dialog that CRM presents to him he’ll actually notice that he wasn’t able to follow Jukka from Finland.

“You might have tried to follow some recently deleted records. Newly following: 0” Hmm, what does that mean exactly? It means that the user wasn’t able to follow any users, even though he was not greeted with the familiar big, red X. The reason for this error message was most likely that the user didn’t have sufficient rights to append the Follow records to the selected User records. Assuming that we want to enable such cross-BU following of users, what we need to do is to modify one of the user’s security roles to grant a global right to the Append To function on the User entity.

After we’ve granted the new rights, Teppo from France is able to follow Jukka from Finland. When Jukka posts a message on his personal wall, Teppo is able to see the post and jump in on the conversation. Social Business in action!

OK, now how about if Jukka from Finland is writing a post on the wall of an account owned by a user from the Finland business unit? If Teppo is following Jukka’s posts, he will probably see this update from him as well? No, actually he won’t see anything on his wall. If we look at the same post from Jukka’s own Activity Feed wall we can spot the difference to the previous post:

Here we see the importance of the regarding object of an Activity Feed post. Teppo will not see any of these posts written by a user he is following, because they are set as regarding an account record he himself is not following. These are not just independent posts on the Personal Wall of the user, rather they are updates that are posted on the wall of a specific account (Nokia). In our case, since Teppo does not have visibility to the accounts from another business unit, he has no way to access the conversation going on there or to go and follow the account record.

But wait, wasn’t there also another way to associate an Activity Feed post with a CRM record? Ah, yes, you are correct. We can perform a mention of another record in the body text of the post. By typing in the @ character we’ll be presented with a list of available records that are Activity Feed enabled and to which we have sufficient rights. So, Jukka proceeds with writing a post on his Personal Wall where he adds mentions to several accounts by using the @[accountname] syntax. None of the companies are visible to users from France, but because Teppo is following Jukka, he will in fact still see these posts on his own wall.

Can Teppo then access the account record referenced in the discussion by simply clicking the link in the feed post? The answer: no, he cannot. He doesn’t have any rights to view the record itself, but there is nothing stopping him from seeing Activity Feed posts that are referencing the record through mentions.

Teppo could, however, request Jukka to share the account with him, if his rights permit performing this action across Business Unit borders. Once Jukka gives the read rights to the account record in question and Teppo opens the account form, what will he see there? The answer is: everything. Be it posts that are merely mentioning the account or ones that have set the account as the regarding object, all the discussion will be stored here.

Can Teppo then start to follow this account from another Business Unit if we didn’t give him the editing rights to the record? Yes, if he’s got the global Append To rights for the account entity. It works the same way as with following the users across BU’s, Teppo only needs the rights to append a follow record to the account record which has now become visible to him.


Hopefully this example clarifies how the Microsoft Dynamics CRM security roles, privileges and business unit structure impact the visibility of Activity Feed posts and the users’ abilities to follow records.


  1. Hello, first of all great post. Now I have a question here, I’m importing a Dynamics 2011 solution to 2013 and later 2015 and I have a role that cannot post feeds unless I grant privilege Act on Behalf of Another User (among other privileges I have to set of course) Is this an expected behavior if so Why does it require such as privilege.

    Thank you

    • It is quite common that new major versions of Dynamics CRM introduce additions to the security roles that are either A) only applied to the standard roles during version upgrade or B) not visible in the actual security role UI. Therefore as a best practice I would recommend rebuilding the security role in the new environment by taking a copy of a default role like Sales Manager and then modifying it to match the exiting privileges for the business entities that are specific to the customer organization.

  2. Hello!

    Thank you for your post. I was just wondering if why I cant still enable this follow functionality(same issue above) wherein I am an admin of my CRM?

    Any thoughts? Thank you!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.