A role-based security plan for your
company’s customer relationship management software needs to fit in
with larger company guidelines dictating customer privacy, says NeoCase
Software’s Herve Pluche. He advises companies to map existing business
processes and compliance requirements, and adopt current practices as a starting point.
In a CRM database, each record has numerous fields that may include
confidential information, not just about your customers, but also about
your sales team and business operations. In the B2C world, selling to
consumers, confidential customer information often includes Social Security
numbers, credit card details, and home addresses. In the B2B
world — selling business to business, that is — confidential
information can include purchase histories that represent millions of
dollars in sales, as well as potentially confidential information about
your sales team, like sales commissions, sales goals, and a multitude
of other strategic details.
The benefit of gathering so much information in a single database is
that it can give a crystal-clear image of each customer’s relationship
with your company, both in terms of past behavior and potential future
But is it such a good idea to allow full access for everyone
who uses your CRM database — from sales reps and support personnel,
consultants and warehouse workers, all the way up to your C-level
executives? Certainly not.
Sometimes, it’s not good business for colleagues to see each
other’s commission information. Or, perhaps it creates a security risk
for consultants to have access to all customer data if they could also
be working for a competitor. Even in-house staffers can be a major
cause for concern. It’s not uncommon for companies to see their
customer records "transported" to another firm when a disgruntled
Ensuring that customer records have some measure of privacy
doesn’t mean shutting users out completely, though, or forcing them to
ask permission every time they use the system. Instead, creating a
role-based structure can keep privacy controls in place without
Role-based security is fairly straightforward as a concept.
Basically, an administrator blocks out or allows information viewing
based on the user’s role or function within the organization. Working
with a role-based security process involves setting permissions for
different users to ensure that each person only has access to
information that is essential or appropriate for their position.
For example, a company may decide to let only senior-level
marketing executives see specific customer data that’s tied to a recent
campaign. Or they could release sales commission notes to the vice
president of sales and no one else.
The role-based function could be deepened by limiting access
based on other factors like geography, so that reps would only see the
records within their particular region. Or, just certain fields could
be blocked, letting users view nearly all of a record without having to
ask to see the relevant data.
This type of functionality is embedded in most CRM applications,
but it’s up to each company using the software to tweak the settings so
they’re appropriate. Simply creating a block against transferring data
or emailing records falls far short of what’s needed, says Jason
McNally, spokesperson at software firm TechExcel.
"Part of the big concern here is that you have a transient
workforce that could go to a competitor," he says. "Just creating a way
to keep them from sending out records won’t work. Anything that’s on
the screen can be cut and pasted into another document. They could even
take a screenshot of customer data."
How a company chooses to limit its record viewing will depend on
a number of factors, including the company culture, says Al Falcione,
director of product marketing at CRM vendor Salesforce.com.
"Some companies are very open with their systems. They have a
transparent data-sharing model, and that extends not just to employees,
but to customers as well," he says. "They just don’t mind if everyone
Those who prefer to eschew role-based security often say that
such measures would hinder collaboration. If the sales team can see
some parts of a record while the marketing department cannot, for
instance, a discussion might be hampered by the restriction.
But most companies initially tend to lean on the side of being
conservative, notes Herve Pluche, president and chief executive of
Neocase Software. It’s only later that they might loosen the
restrictions a little to allow for more collaboration. However, it
doesn’t have to be a choice between security and collaboration, Pluche
"The key here is to have clear guidelines and a configuration
that restricts information in a way that makes sense," he says. "It’s
good to be careful at first, because once you have data flowing through
a company, it’s difficult to go back and be restrictive."
Other companies might opt for role-based security simply to prevent information overload among reps.
"Sometimes, less information really does help people be more
productive," says Salesforce.com’s Al Falcione, comparing a full CRM
record to an online shopping site where a viewer might be bombarded by
product data even if they’re just looking for, say, the company address
or phone number.
"It’s easy to get distracted with more information," he says.
"So, this type of security doesn’t only help with privacy, it actually
gives people only what they need to get the job done more quickly."
Implementing role-based security isn’t much of an administration
hassle; it just involves setting up certain rules in the system.
Falcione recommends that a single administrator have ultimate authority
for management of requests and changes, rather than giving the ability
to numerous department heads.
It’s also important to make sure the system can handle the
security in a way that’s flexible, adds TechExcel’s Jason McNally. The
rules that are put in place for the CRM application should be able to
extend to other applications as well. For example, an administrator
should make sure that a user can’t circumvent security controls by
accessing the data through a digital window rather than the standard
Flexibility and security also relate to how data is being input, and
to making sure that reps and other employees are entering information
properly. Quickly uploading data and then planning to slot it into the
right fields later can be a problem. Data that would be
restricted in its correct field could be viewed
if it were simply dropped into a general field like "notes."
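The role, region and field rules described earlier, together with the "notes" problem just described, as an added Python example (not code from any CRM product named in this article). The role names, field names, patterns and the sample record are assumptions constructed for illustration.

```python
import re

# Hypothetical policy: fields each role may read (role and field names assumed).
FIELD_POLICY = {
    "vp_sales": {"name", "region", "phone", "commission", "notes"},
    "sales_rep": {"name", "region", "phone", "notes"},
    "consultant": {"name", "region"},
}
# Roles that only see records from their own region.
REGION_SCOPED = {"sales_rep", "consultant"}

# Data that belongs in a restricted field, not in free text.
RESTRICTED_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def view_record(user, record):
    """Return the fields this user may see, or None if the record is out of scope."""
    role = user["role"]
    allowed = FIELD_POLICY.get(role, set())  # unknown role: no fields
    if role in REGION_SCOPED and record["region"] != user.get("region"):
        return None
    return {k: v for k, v in record.items() if k in allowed}

def notes_leaks(record):
    """List restricted data types found in the free-text notes field."""
    notes = record.get("notes", "")
    return sorted(n for n, rx in RESTRICTED_PATTERNS.items() if rx.search(notes))

# Constructed sample record: the SSN was also pasted into "notes" during upload.
RECORD = {
    "name": "J. Doe", "region": "west", "phone": "555-0100",
    "ssn": "000-12-3456", "commission": "7%",
    "notes": "Bulk upload, sort later: SSN 000-12-3456",
}
REP_WEST = {"role": "sales_rep", "region": "west"}
REP_EAST = {"role": "sales_rep", "region": "east"}
VP = {"role": "vp_sales"}

if __name__ == "__main__":
    print(view_record(REP_WEST, RECORD))  # ssn and commission fields are absent
    print(view_record(REP_EAST, RECORD))  # None: record is outside the rep's region
    print(view_record(VP, RECORD))        # includes commission
    print(notes_leaks(RECORD))            # ['ssn']: the notes text bypasses the field rule
```

Running a check like `notes_leaks` at data-entry or import time catches restricted values before they land in a field every role can read.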
In general, role-based security should fit in with larger
company guidelines dictating customer privacy, says NeoCase’s Herve
Pluche. He advises companies to map existing business processes and
compliance requirements, and adopt current practices as a starting
point. From there, management is likely to see its privacy initiatives
in a new way.
"By putting in new technology with more functionality, at some
point a company will reassess its business processes as well as the
rules and guidelines associated with privacy," he notes.