Mon, September 21, 2009 — CIO — CRM systems have varying degrees of security and privilege management, but all the serious CRM options, whether on premises or in the cloud, have fine-grained security because the data is meaningful and must be carefully controlled. CRM users, particularly in sales, will quickly discover that they can't change things to make them look the way they want to (read: game the system) with their normal user level of data access. So they will invest a plausible reason why they need system admin privileges, and all too often they'll be granted full superuser status in the CRM system.

And this would be a good idea why?

What trouble lies ahead? Let's start with the fact that users haven't been trained in the intricacies of the CRM system (and with systems like Salesforce.com, Microsoft Dynamics, or Seibel the ante can amount to a full week's worth of classes). They have no idea what kind of damage they can do with seemingly insignificant changes. They don't understand the security model, or the object model, or the external integrations, or the workflows. Even if all they're trying to do is move a field around on the screen, doing it wrong can wreck havoc on users and business processes they didn't even know existed.

Fortunately, untrained admins are unlikely to actually destroy a lot of existing data. Of course they can, but usually when they're trying to change data it's just their own records. As long as you have audit trails turned on (such as Salesforce.com's History Tracking) it's fairly straightforward to reconstruct the crime. As I mentioned last week, regular backups of all your CRM systems' data and metadata is an absolute requirement for any serious installation.

More interesting than data damage is the risk of a superuser seeing data that's supposed to be off-limits. The more integrated your CRM system is with the rest of your IT infrastructure, the more sensitive information an administrator can see. And the more process controls they can inadvertently override. This can include the full company bookings forecast, inventories, contracts, commissions, and even employee home phone numbers. You don't have to be an attorney to shudder about the potential regulatory and legal problems here.

The right answer

Fortunately, there are clear best practices here. And let's start with "just say no." Even if there is a good reason why a manager or user needs some special privileges, the number of administrators for a CRM system should be strictly limited. I have yet to find a good reason why an organization should have more than 6 CRM administrators, and that assumes a 24x7, round-the-world operation. The administrators' roles and privileges may need to be described as part of your company's Sarbanes-Oxley Section 409 process documentation. To be an administrator means a significant amount of training both in the classroom and on the job—and it's not a temporary or part-time role except in organizations with fewer than 100 users.

The system administrator role needs to include at least one person who is a data steward  looking out for the health and cleanliness of data by controlling design and external data inputs. If your CRM system is highly integrated with the rest of your IT systems, the CRM data steward should be part of a larger configuration control board that manages the evolution of policy, process controls, and system changes. Considering how essential clean data is to CRM success, I am continually been surprised by how few clients recognize the need for a data steward.

Use your CRM system's security features to create delegated authority for administrative tasks and access. For example, many marketing users may need to have read access to a broad scope of data, and a few need to be able to use mass-importing tools. But that doesn't mean they should be superusers. Create specific profiles and delegated administrative privileges for these users, and limit the login hours/locations for them, in order to contain the risk of abuse.

If your CRM system doesn't have role-based security or enable delegated authority, this is one of the better reasons to have a serious conversation with your CRM vendor. Find out what's available as "optional extras" on their platform (including third-party add-ons), and make sure your personnel are trained to use whatever security features are available. Also look at the vendor's feature roadmap: in the long run, the best security functionality must come from the platform. If they don't have security high on the agenda it's a signal you need to start looking elsewhere.

David Taber is the author of the new Prentice Hall book, "Salesforce.com Secrets of Success" and is the CEO of SalesLogistix, a certified Salesforce.com consultancy focused on business process improvement through use of CRM systems. SalesLogistix clients are in North America, Europe, Israel, and India, and David has over 25 years experience in high tech, including 10 years at the VP level or above.

Follow everything from CIO.com on Twitter @CIOonline.