Security controls in Zoho CRM: An overview
The most valuable part of your CRM isn't its features—it's your organization's actionable, context-rich customer data.
As an administrator, your job is to ensure only the right users have access to the CRM and can work with this data. Once inside, users should see only what's relevant to their roles and be able to perform only the actions they must. This helps them work faster and reduces the risk of accidental or intentional security violations.
In addition to managing access, you also need to maintain compliance with local data regulations and be able to track changes in the CRM for the purposes of audits or investigations. These responsibilities grow more complex as your organization scales from startup to enterprise.
Zoho CRM offers a range of security controls to help you manage access, maintain compliance, and build trust in your CRM system. When properly configured, they keep your data secure, your operations compliant, and your risks minimized.
Let's explore them one by one.
Controls that manage what users can see and do in Zoho CRM
Data in Zoho CRM is stored in two kinds of modules:
- Org modules that contain the data that multiple teams require to do their work (e.g., the Contacts module)
- Team modules that store data specific to individual teams (e.g., a presales demo module)
The access that any given user has to data (in org or team modules) in Zoho CRM depends on the following factors:
Teamspaces the user belongs to
Teamspaces are dedicated spaces in Zoho CRM where teams can work and collaborate. Users must be added to a teamspace to access any module (org module or team module). This serves as the first layer of control when it comes to data visibility. Each teamspace has a teamspace admin, which may be the CRM admin themselves in the case of smaller businesses. When the business grows and multiple teams are onboarded into the CRM, the CRM admin can delegate the management of teamspaces to high-ranking members or admins of individual teams. Learn more
Managing access to org module data
The profile the user is mapped to
Profiles are extremely important when it comes to controlling access to org modules, to the actions users can perform within them (viewing, creating, editing, sharing, deleting, importing, or exporting), and to CRM configurations (automation, process management, customization, and so on). Learn more
Default organization permission for each module
By default, all org modules' records are private (which means that data visibility depends on the roles/reporting hierarchy and record sharing). If needed, you can change this to "public read only," "public read/write," or "public read/write/delete." Org admins can set this in accordance with the organization's needs. For example, to let everyone view all product records, give all profiles at least view access to the Products module (to view records they have access to), and set the module's default permission to "public read-only" (to allow read-only access to all records). Learn more
The role/reporting hierarchy the user is mapped to
Your organization can use either a role hierarchy or a reporting hierarchy. This hierarchy determines the data that each user can see in org modules. For example, a sales manager will be able to access his subordinates' records, and what they can do in those records depends on their profile permissions. Learn more
Which org module records are shared with the user manually or via data-sharing rules
Zoho CRM gives you the option not only to share org module records, but also to set the level of access for these shared records. Admins don't have to worry about unauthorized data sharing; they can control this option by managing the share permission in profiles. This helps in cases of one-off or temporary data sharing.
To learn about manual sharing of records, see Record Sharing.
To learn about automating record sharing based on record owner or criteria, see Data Sharing Rules.
Groups the user belongs to
Admins can create groups based on select users, roles, territories, or other criteria. You can share records (using features mentioned above) with groups to empower easier collaboration between users in diverse roles. Learn more
Note
- The controls mentioned so far are typically controlled by org admins, but can be managed by other users via admin-level permissions (like "User Management," "Manage Teamspace," and others) in their individual profiles. Please be cautious when enabling these for other profiles.
- Access to Leads, Contacts, Accounts, and Deals modules can also be set based on territories, if territory management is enabled.
- If your sales process involves multiple contributors, you can easily share Deals module records by using team selling settings. Deal owners can set access levels for their records.
- Users can also share records by adding users to those records via user fields.
Managing access to a team module's data
The team module profile the user is mapped to for a particular team module
As mentioned before, team modules are often managed by individual teams. Each user's access to them depends on the team module profile they're mapped to for that specific team module. The same user can have different team module profiles in different team modules. Team module profiles determine both data visibility and the set of actions users can perform in a specific team module. Team module admins map users to these profiles when adding them to team modules.
Please ensure that teamspace admins have added users to the appropriate teamspaces in order to access specific team modules. Learn more
Please ensure that teamspace admins have added users to the appropriate teamspaces in order to access specific team modules. Learn more
Managing access to CRM configurations and features
For CRM features and org module-related feature configuration
Profiles are the key feature here, as they control access to most other features, including admin-level features like managing users, roles, and so on. Learn more
For team module-related feature configurations
Team module admins can configure features for their team modules, irrespective of their broader CRM profile permissions. Another point to note is that users with the right CRM profile permissions can configure features for team modules even if they're not added to them. This ensures that admins can manage team module configurations even if they aren't members of those team modules.
Controls for managing access to Zoho CRM
While the controls above determine what users can do within the CRM after logging in, administrators can manage who can log in—and how—at scale, using the following options:
Single sign-on (powered by Zoho Directory)
Single sign-on (SSO) is a custom authentication method you can set up to enable your employees to authenticate themselves through the identity provider (IdP) of your choice. Learn more
Security policies (powered by Zoho Directory)
Security policies are sets of customizable rules that govern how your users can authenticate themselves. For example, you can set a password policy to ensure that users change their passwords periodically. Learn more
Login history (powered by Zoho Directory)
Admins can view users' complete login histories, along with details like their IP address and devices. Learn more
Configure IP addresses
You can control Zoho CRM logins by allowing only specific IP addresses. Learn more
Active directory sync (powered by Zoho Directory)
Zoho Directory's Sync Tool is a secure directory synchronization tool that performs a one-way sync from your existing LDAP server to Zoho Directory. Learn more
Trusted domain
The Trusted Domain feature enables you to whitelist certain domains to which requests are made from Client Script and Queries. Learn more
Controls for compliance and monitoring
To make your CRM compliance-ready and to track changes made to it, you can make use of features like:
GDPR and HIPAA compliance settings
Stay compliant with GDPR and/or HIPAA regulations by enabling and configuring these settings to maintain the privacy of customers' sensitive information.
Learn more about GDPR
Learn more about HIPAA
Learn more about GDPR
Learn more about HIPAA
Audit log
Audit log details the actions users performed in Zoho CRM in chronological order, and are helpful in determining who made which changes and when, as well as to identify records associated with certain events. Learn more
Other security controls
Data encryption
Encryption is the process by which raw data is encoded in order to protect it from any unauthorized parties who may gain access to it. Encrypted data in Zoho CRM can only be accessed by authorized users. Learn more
Zoho Mail add-on users
Admins can back up emails sent by deactivated Zoho Mail add-on users, as well as make other configuration-related changes. Learn more
Support Access
Support Access is a secure way of allowing Zoho Support to access your Zoho CRM account for troubleshooting without a remote session. The access is restricted to Zoho's support team only. Learn more