I have a user without any assigned security roles, but their User Privileges report shows they do indeed have permissions.

Everyone who is anyone has always known that ever Dynamics CRM user must have at least one security role assigned to them in order for them to even access the home page. In fact, there is even a built-in system view on the System User entity that shows users without security roles.

But what if I told you that this information, starting with Dynamics CRM 2011, is not exactly correct? That’s what my friend and fellow-MVP Jerry Weinstock found at one of his customers. This lead him to publish this article:

Assigned and Inherited Security Roles

In a nutshell, it turns out that security roles inherited by a team are assigned to the user, in additional to any security roles they might have been assigned directly. All roles are merged together to produce the basic User Privileges list. So, as long as they are a member of a team that has roles assigned, they can access CRM. Remove them from that team, or remove the role from the team, and they will lose access to CRM.

And that is why the User Privileges report sometimes shows data that you would not expect it to show.