Microsoft Dynamics 365 Customer Experience Analyst : Configure security for and access to forecasts

Forecasts in Dynamics 365 Sales are a powerful feature that allow organizations to project revenue, track sales performance, and align sales teams toward common goals.

However, because forecasts involve sensitive business data (e.g., pipeline, quotas, revenue), it’s crucial to configure security properly to ensure only the right people have access—and at the right level (own, team, hierarchy).

1. Understanding Forecast Access Model

Forecast access is based on a combination of:

  • Security roles
  • Hierarchy relationships
  • Forecast configuration settings
  • User’s position in the reporting structure

2. Key Components That Control Access

a. Security Roles

To access forecasts, users must be assigned one of the following roles or have equivalent custom roles:


Note: You can customize security roles if you want to restrict or expand access.

b. Forecast Configuration – Access Mode

When you configure a forecast in D365 Sales, you define the access model:

  • “Parent and child hierarchy” (default): Managers see their own and their team’s data.
  •  “Only own”: Users see only their own forecast data.

The access mode determines whether someone higher up in the hierarchy can see the aggregated forecast for their team.

3. Hierarchy & Reporting Relationships

Forecasts use the Manager Hierarchy (from User records) to determine who reports to whom.

This is important for rollups and access.

  •  Manager field on a User record must be properly populated.
  •  If a user is a manager of other users, they will see rollup data from their team in the forecast grid (based on access mode).

Make sure the hierarchy in Settings  Security  Hierarchy Security is properly configured if you want managers to see team forecasts.

4. Record-level Forecast Access

A forecast is built on a forecast configuration which is based on:

  •  A forecast category (like pipeline, committed, etc.)
  •  A filter on opportunities (e.g., status = open)
  •  And a rollup entity (usually Opportunity)

Access to forecast data also depends on whether a user has read access to those underlying opportunity records.

If a salesperson cannot read an opportunity, it won’t show up in their forecast.

5. Forecast Configuration Settings That Affect Security

When creating or editing a forecast (in App Settings  Forecast configuration):

You select:

  • Forecast type (Org chart hierarchy / Territory hierarchy)
  • Access level (Own / Parent + Child)
  • Rollup columns & measures
  • Filters (to define which records appear)

These settings affect:

  • Who can view which data
  • Whether the data is aggregated or individual
  • Whether managers can view their subordinates’ forecasts

6. Submitting & Locking Forecasts

  • Users can enter or adjust forecast values (depending on configuration).
  • Managers can override subordinates’ forecast values.
  • Once submitted or approved, forecasts can be locked to prevent changes.

You can configure “Enable forecast protection” to prevent users from editing values outside their scope.

 Summary – Best Practices for Configuring Forecast Security

  • Assign proper security roles (Salesperson / Sales Manager).
  • Set up user manager hierarchy correctly.
  • Configure forecast access level in forecast settings.
  • Ensure users have read access to underlying records (e.g., Opportunities).
  • Use hierarchy security if needed to control access to subordinate data.
  • Test with sample users to verify visibility and access.


Useful Navigation

  • Sales Hub  App Settings  Forecast configuration – Create/manage forecasts.
  • Settings  Security  Users – Assign manager relationships.
  • Settings  Security  Security Roles – Grant required privileges.
  • Settings  Security  Hierarchy Security – Enable and configure hierarchy access.


Summary:

Forecast security in Dynamics 365 Sales is governed by security roles, user hierarchy, and forecast configuration access settings. Managers see aggregated team forecasts only when they are defined as managers in the system and when the forecast type supports parent/child access. Salespeople see only their own data when configured accordingly. Ensure underlying record-level access is also granted.

Comments

Post a Comment

Popular posts from this blog

Effective Strategies for Debugging Plugins in Dynamics CRM

Image
In a recent interview, I was asked about debugging plugins in Dynamics CRM. The interviewer specifically wanted to know my approach to plugin debugging. In response, I mentioned using the Plugin Registration Tool profiler. However, I later realized there are multiple methods to debug plugins in Dynamics CRM/Dataverse, each essential for efficient troubleshooting. Debugging plays a crucial role in development, and having a solid understanding of various debugging approaches can help streamline issue resolution in Dynamics 365. Here, I'll explore different techniques for debugging plugin code. There are below options to use in the plugin in Dynamics CRM/Dataverse ITracingService : In Dynamics CRM plugin development, ITracingService is a service provided within the plugin's execution context that logs information for tracing and debugging. It allows developers to capture real-time. Plugin Profiler : A plugin profiler in Dynamics CRM (or Dataverse) is a debugging tool in the Plugi...
Read more

Exploring the Differences: Managed vs. Unmanaged Solutions in Dynamics CRM/Dataverse

Image
In Dynamics CRM/Dataverse, solutions are central to Application Lifecycle Management (ALM) , providing a structured way to manage, package, and distribute customizations across environments. Microsoft uses solutions to transfer apps and customizations by exporting them from one Dataverse environment and importing them into another.  Each solution is authored and maintained by a publisher and includes components like Power Apps (canvas and model-driven), flows, entities, forms, connectors, web resources, and configurations—excluding business data. Solutions streamline ALM practices within Microsoft Power Platform. In Dynamics CRM/Dataverse, there are two types of solutions: Managed and Unmanaged . When planning an implementation, it’s important to understand the advantages and disadvantages of each to make an informed decision. Let’s explore both types to determine the best approach for development and deployment. In Dynamics 365 CRM, a managed solution is a fully packaged solution ...
Read more

Connecting the Dots: FetchXML and Web API Integration in Dataverse

Image
 In Dataverse, FetchXML and the Web API are two powerful mechanisms for retrieving data and interacting with entities. Here's a brief overview of each and how they can be integrated: 1.    FetchXML :      -   Definition:   FetchXML is a proprietary query language used in Microsoft Dynamics 365 and Dataverse for querying data from entities.    -   Usage:   FetchXML queries can be used to retrieve data based on complex criteria, perform aggregations, and filter records.    -   Features:   FetchXML supports various query expressions, including conditions, sorting, grouping, and aggregation functions.    -   Integration:   FetchXML queries can be executed programmatically using client-side scripting, server-side code, or through tools like the Dynamics 365 Web API. 2.    Web API :      -   Definition:  ...
Read more