Field Security in CRM is globally scoped which means that it will apply to all client types and whatever the position of the user is in business unit hierarchy.
Field Security is always enabled in any type of access to the CRM client such as Reports, Quick Find, Offline Access, Filtered Views, Auditing, SDK, etc...
Step 1 – Enabling fields for Field Security
Fields are enabled for security through the fields security form.
In order to enable a field for security we set the value on the Field Customization form to enabled.
This will place a key symbol next to the field on the CRM form as shown in the picture below.
Step 2 – Setting Field Security Profiles
The Field Security Profile defines the permissions that users and teams, also referred as Security Principals are going to have on particular fields.
There are three access right levels that can be granted on each security field: Read, Create and Update.
The field permissions on each field applies to all the security principals that are listed in the security profile. These permissions operate independently.
This means, for example, that you can grant Update permissions without Read permission.
In the Field Security Profiles section, in the Settings -> Administration area, we can create new field security profiles.
We specify the name and a description for the new security profile that we are going to create and specify the names of the users and/or teams that belong to the security profile.
Finally we specify the field permissions to specify what kind of permissions the users and teams have on that field that we require by selecting the field and clicking the Edit toolbar button:
System Administrator Field Security Profile
The System Administrator Field Security Profile is added to the system by default, with every field's permissions set to Yes for each of the security-enabled fields.
This profile cannot be deleted, and is automatically populated with any user/team that has the System Administrator Security Role.
The System Administrator Field Security Profile makes sure that there is always at least one user with permissions to modify field security.