A question that I get from time to time is how to be sure that certain reports are only visible to certain people. This can be for security reasons: for example, a sales manager report that shows activity levels of employees may deal with publicly available data, but graph or aggregate it in a way that may be embarrassing to some users. Other times an administrator wants to simplify the list of reports available to end users, so that a user does not have to wade through a bunch of irrelevant reports to get to the reports that matter to him.
I occasionally get this question from some users who have made a report that they believe to be private, only to realize later that other users can view the report.
Making a report private requires two components:
1. The report “Viewable By” setting: When you select a report, click the “edit report” button and go to the “Administration” tab, you will see a radio button called “Viewable By” with the choice of Organization or Individual. This setting determines if the report should function as an organization-owned record or as a user-owned record.
The fact that the field is called “Viewable By” has frequently led to the misconception that if I set a report to be viewable by Individual, only the owner will be able to see it. That is not necessarily true. It all depends on #2.
2. The user’s Report entity Read permission: Keep in mind that a report is a record in CRM, just like any other record, and the same rules apply for security. A user’s read permissions for Reports in their security role determine which reports they will see.
- All users will see Organizational Viewable Reports
- All users will see User Viewable reports that are owned by them
- All users will see User Viewable reports owned by other users within the scope of their Read permissions. For example, if a user has Business Unit read permission for Reports, they will see reports owned by other users in their business unit, even the ones set to viewable by individual, such as “junk” reports created by other users with the report wizard.
Most of the time, when I see users inadvertently give other users access to private reports, it is due to the report Read permission being set too high. Some have done this because they think that a user has to have Organizational read access to read Organization Viewable reports. This is not the case.
So if you really want to have private reports, I recommend the following best practices:
- Set Report read access to user level in all security roles except for system admin.
- Only give organization-level “create Report” permissions to users whom you wish to be able to deploy organization viewable reports. Give everyone else user level create permissions. Otherwise, users will make their private reports Organization Viewable.
- Rather than making reports that are only needed by a handful of users organization viewable, make them user owned and use CRM’s sharing functionality to expose these reports to the other users who need them.
- Have a user or group of system administrators who can promote user viewable reports to organization viewable.
This will keep your private reports private, and make the report menu more navigable for the majority of your users by removing the clutter.
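The rules above can be checked with a small model. This is an added example, not CRM's own code or API: it lists which non-owners can see each Individual report without it being shared with them. The class and function names, the three read levels as integers, and the sample users and reports are assumptions constructed for the illustration; only the levels mentioned in this article are modeled.

```python
from dataclasses import dataclass, field

# Read depth on the Report entity, narrowest to widest (simplified model).
USER, BUSINESS_UNIT, ORGANIZATION = 1, 2, 3

@dataclass(frozen=True)
class User:
    name: str
    business_unit: str
    report_read: int  # effective Report Read depth from the security role

@dataclass
class Report:
    name: str
    owner: User
    viewable_by: str  # "Organization" or "Individual"
    shared_with: set = field(default_factory=set)  # user names it is shared with

def can_see(user, report):
    """Apply the article's visibility rules to one user and one report."""
    if report.viewable_by == "Organization" or user.report_read == ORGANIZATION:
        return True   # organization-viewable report, or organization-wide read
    if report.owner == user or user.name in report.shared_with:
        return True   # the owner, or someone the report was shared with
    if user.report_read == BUSINESS_UNIT:
        return user.business_unit == report.owner.business_unit
    return False      # user-level read: own and shared reports only

def unintended_viewers(users, reports):
    """Map each Individual report to the non-owners who see it without a share."""
    exposed = {}
    for r in reports:
        if r.viewable_by != "Individual":
            continue
        names = sorted(u.name for u in users if u != r.owner
                       and u.name not in r.shared_with and can_see(u, r))
        if names:
            exposed[r.name] = names
    return exposed

# Constructed sample data, not taken from a real deployment.
alice = User("alice", "Sales", USER)
bob = User("bob", "Sales", BUSINESS_UNIT)       # Read permission set too high
carol = User("carol", "Service", USER)
dave = User("dave", "Service", ORGANIZATION)    # system administrator
users = [alice, bob, carol, dave]
reports = [Report("Pipeline", dave, "Organization"),
           Report("Activity levels", alice, "Individual", {"carol"}),
           Report("Wizard junk", carol, "Individual")]
print(unintended_viewers(users, reports))
```

Lowering bob's read level to `USER` leaves only the administrator in the result, which is the outcome the best practices above aim for.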